PT-2024-40109 · Zend · Zend Session

Published: 2024-06-07 · Updated: 2024-06-07

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Zend Session (affected versions not specified)
Description: When Zend\Session session validators are attached before the session is started, they do not work as expected. The signature that validators such as RemoteAddr or HttpUserAgent check against is never stored in the session, so an attacker can bypass these validators. The cause is that subsequent calls to Zend\Session\SessionManager#start() find no validator metadata attached to the session; the metadata is therefore rebuilt from scratch and the session is marked as valid.
Recommendations: At the time of writing, no newer version containing a fix for this vulnerability has been identified.

Weakness Enumeration

Session Fixation

Related Identifiers

GHSA-62F6-H68R-3JPW

Affected Products

Zend Session