The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over.
Metrics
Affected Vendors & Products
References
History
Thu, 21 Nov 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: SEC-VLab
Published: 2024-05-29T12:31:29.973Z
Updated: 2024-11-21T19:27:49.613Z
Reserved: 2024-02-13T09:28:28.810Z
Link: CVE-2024-25977
Vulnrichment
Updated: 2024-08-01T23:52:06.434Z
NVD
Status : Awaiting Analysis
Published: 2024-05-29T13:15:49.683
Modified: 2024-11-21T20:15:39.787
Link: CVE-2024-25977
Redhat
No data.