ReCrystallize Server 5.10.0.0 uses a authorization...
High severity
Unreviewed
Published
Apr 30, 2024
to the GitHub Advisory Database
•
Updated Aug 6, 2024
Description
Published by the National Vulnerability Database
Apr 30, 2024
Published to the GitHub Advisory Database
Apr 30, 2024
Last updated
Aug 6, 2024
ReCrystallize Server 5.10.0.0 uses a authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value.
References