IBM WebSphere Host On-Demand (HOD) versions 6.0 through 9.0 suffer from a URL manipulation flaw that allows for administrative bypass. Version 10.0 may also be susceptible.
180a9ffd130b03530479c964bd2cae0050e0dfb3941fd1a11f5377d5f5296248
The Netflix.com site was vulnerable to cross-site request forgery (CSRF), also known as hostile linking.
267eaaecfd060a68144a850cfc13065d946f90ad806b99d6c23163ab04dc84f4
In Lotus Domino Web Access (DWA) version 7.0.1, the session token used to identify the user (called "LtpaToken") is not invalidated on the server upon user logout. The cookie is removed from the browser, but the token continues to be recognized by the server until a configurable expiration time is reached.
aed4fab020bf5946cea878da81dd157b62a3e142ecfbe895fa31a092c15a8709