Session fixation vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.

More... (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3222)