In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.
[
{
"product": "Versa VOS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1"
}
]
}
]