The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over.
CVSS
No CVSS.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: SEC-VLab
Published: 2024-05-29T12:31:29.973Z
Updated: 2024-06-13T20:39:22.943Z
Reserved: 2024-02-13T09:28:28.810Z
Link: CVE-2024-25977
JSON object: View
NVD Information
Status : Awaiting Analysis
Published: 2024-05-29T13:15:49.683
Modified: 2024-06-10T17:16:22.373
Link: CVE-2024-25977
JSON object: View
Redhat Information
No data.
CWE