2019-01-12 01:00:00
dell
PUBLISHED
Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a users browser history could obtain the access token and use it to authenticate as the user.