Session fixation vulnerability in chameleon cms 3.0 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.