2024-05-29 12:31:29
SEC-VLab
PUBLISHED
The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victims browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victims account being taken over.