Apache Tomcat FORM Authenticator Lets Remote Users Conduct Session Fixation Attacks
Affected versions: Tomcat 6.0.21 to 6.0.36, 7.0.0 to 7.0.32
A vulnerability was reported in Apache Tomcat.
While the target user is completing the login form, a remote user can repeatedly send a specially crafted request for a resource that requires authentication. This can cause the FORM authentication process to execute the remote user's request with the privileges of the target user.
A remote user can conduct session fixation attacks.
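To find deployments that fall in the version ranges listed above, the following check can be run over an inventory. It is an added example, not code from the advisory or from the Apache Tomcat project; it assumes versions are recorded either as a bare `x.y.z` string or as a server banner of the form `Apache Tomcat/x.y.z`, and the host names and inventory entries are constructed sample data.

```python
import re

# Affected ranges as listed in this advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ((6, 0, 21), (6, 0, 36)),
    ((7, 0, 0), (7, 0, 32)),
]

# Accepts "Apache Tomcat/7.0.30" or a bare "7.0.30"; anything else
# (suffixes, missing parts) is treated as unparseable, not guessed at.
_VERSION_RE = re.compile(r"(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not x.y.z."""
    m = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(text):
    """True/False for a parseable version; None when the version is unknown."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison orders versions numerically, so 7.0.4 < 7.0.32.
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def audit(inventory):
    """Map each host to 'affected', 'not listed' or 'unknown'.

    'not listed' only means the version is outside the ranges in this
    advisory; 'unknown' entries need a manual check.
    """
    labels = {True: "affected", False: "not listed", None: "unknown"}
    return {host: labels[is_affected(banner)] for host, banner in inventory}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = [
    ("app01.example.internal", "Apache Tomcat/7.0.30"),
    ("app02.example.internal", "Apache Tomcat/7.0.33"),
    ("legacy.example.internal", "6.0.36"),
    ("build.example.internal", "Apache Tomcat"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```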