@cR0w@infosec.exchange
sev:MED session fixation in Tomcat via rewrite valve.
https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47
If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's session.
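
An exposure check for the precondition in the advisory text ("if the rewrite valve was enabled for a web application"), added here as an example and not part of the original post or of Tomcat itself: it parses Tomcat configuration files and reports where the RewriteValve is declared. The file paths and XML below are constructed samples; a hit only means the valve is enabled, and the affected versions are in the linked advisory.

```python
import xml.etree.ElementTree as ET

REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"

# Constructed sample configs (path -> XML text); not taken from a real host.
SAMPLE_CONFIGS = {
    "conf/server.xml": """<Server port="8005"><Service name="Catalina">
      <Engine name="Catalina" defaultHost="localhost">
        <Host name="localhost" appBase="webapps">
          <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
          <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
        </Host>
        <Host name="static.example" appBase="static">
          <!-- <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/> -->
        </Host>
      </Engine></Service></Server>""",
    "webapps/shop/META-INF/context.xml": """<Context>
      <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
    </Context>""",
    "webapps/docs/META-INF/context.xml": """<Context><Resources/></Context>""",
}

def find_rewrite_valves(xml_text, source):
    """Return (source, scope) for each RewriteValve declared in one config file."""
    hits = []

    def walk(elem, scope):
        # Remember the innermost container (Engine/Host/Context) the valve applies to.
        if elem.tag in ("Engine", "Host", "Context"):
            label = elem.get("name") or elem.get("path") or ""
            scope = f"{elem.tag}:{label}" if label else elem.tag
        if elem.tag == "Valve" and elem.get("className") == REWRITE_VALVE:
            hits.append((source, scope))
        for child in elem:
            walk(child, scope)

    root = ET.fromstring(xml_text)  # XML comments are dropped, so commented-out valves do not count
    walk(root, root.tag)
    return hits

def audit(configs):
    """Scan every config and return all (source, scope) hits, sorted."""
    hits = []
    for source, xml_text in configs.items():
        hits.extend(find_rewrite_valves(xml_text, source))
    return sorted(hits)

if __name__ == "__main__":
    for source, scope in audit(SAMPLE_CONFIGS):
        print(f"RewriteValve enabled: {source} ({scope})")
```

A Host-level hit covers every web application deployed under that host, while a hit in a context.xml covers only that application.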