The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: SEC-VLab
Published: 2024-05-29T12:31:29.973Z
Updated: 2024-08-01T23:52:06.434Z
Reserved: 2024-02-13T09:28:28.810Z
Link: CVE-2024-25977
Vulnrichment
Updated: 2024-08-01T23:52:06.434Z
NVD
Status : Awaiting Analysis
Published: 2024-05-29T13:15:49.683
Modified: 2024-06-10T17:16:22.373
Link: CVE-2024-25977
Redhat
No data.