CVE-2015-1936

The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 before 8.5.5.6, when the Security feature is disabled, allows remote authenticated users to hijack sessions via the JSESSIONID parameter.

Published: Jul 14, 2015
Updated: Nov 9, 2025
CVE: CVE-2015-1936
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
ibm / websphere_application_server	8.5.0.2	8.5.0.2.x
ibm / websphere_application_server	8.0.0.5	8.0.0.5.x
ibm / websphere_application_server	8.5.5.1	8.5.5.1.x
ibm / websphere_application_server	8.0.0.7	8.0.0.7.x
ibm / websphere_application_server	8.5.5.0	8.5.5.0.x
ibm / websphere_application_server	8.0.0.1	8.0.0.1.x
ibm / websphere_application_server	8.5.5.5	8.5.5.5.x
ibm / websphere_application_server	8.0.0.4	8.0.0.4.x
ibm / websphere_application_server	8.0.0.8	8.0.0.8.x
ibm / websphere_application_server	8.0.0.2	8.0.0.2.x
ibm / websphere_application_server	8.5.5.4	8.5.5.4.x
ibm / websphere_application_server	8.5.0.1	8.5.0.1.x
ibm / websphere_application_server	8.5.0.0	8.5.0.0.x
ibm / websphere_application_server	8.0.0.0	8.0.0.0.x
ibm / websphere_application_server	8.0.0.9	8.0.0.9.x
ibm / websphere_application_server	8.0.0.10	8.0.0.10.x
ibm / websphere_application_server	8.5.5.3	8.5.5.3.x
ibm / websphere_application_server	8.0.0.3	8.0.0.3.x
ibm / websphere_application_server	8.5.5.2	8.5.5.2.x
ibm / websphere_application_server	8.0.0.6	8.0.0.6.x

Vulnerability Database

300,445

CVE-2015-1936

Deep Security Visibility Without the Complexity