The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim’s browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim’s account being taken over.
CPE | Name | Operator | Version |
---|---|---|---|
hawki | eq | 1.0.0-beta.1 |