Fix h1 report 176116
Session fixation
----------------

The HackerOne user pavanw3b has reported that Revive Adserver wasn't properly invalidating the current session when setting a new password via the forgot password mechanism. That could allow attackers having access to the session ID to keep the authenticated session alive.

CWE-ID: CWE-384
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 5.9
CVSSv3 Temporal Score: 5.2
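The following is an added illustration of the session handling the commit message describes, not code from this commit or from Revive Adserver. It models a server-side session table and contrasts a password reset that leaves existing sessions alive with one that revokes them; `SessionStore`, its method names and the sample users are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical in-memory session table, not Revive Adserver code.
final class SessionStore
{
    /** @var array<string,string> session ID => account name */
    private array $sessions = [];

    public function login(string $user): string
    {
        $id = bin2hex(random_bytes(16));   // unpredictable session ID
        $this->sessions[$id] = $user;
        return $id;
    }

    public function userFor(string $id): ?string
    {
        return $this->sessions[$id] ?? null;
    }

    // Behaviour described in the report: the password changes, sessions survive.
    public function resetPasswordKeepSessions(string $user): void
    {
        // Password hash update omitted; no session entry is touched.
    }

    // Hardened reset: drop every session bound to the account, then issue a new ID.
    public function resetPasswordRevokeSessions(string $user): string
    {
        $this->sessions = array_filter(
            $this->sessions,
            static fn (string $owner): bool => $owner !== $user
        );
        return $this->login($user);
    }
}

// Constructed scenario: $known stands for a session ID someone else has obtained.
$store = new SessionStore();
$known = $store->login('alice');
$other = $store->login('bob');

$store->resetPasswordKeepSessions('alice');
echo 'old ID after weak reset:     ', var_export($store->userFor($known), true), PHP_EOL;

$fresh = $store->resetPasswordRevokeSessions('alice');
echo 'old ID after hardened reset: ', var_export($store->userFor($known), true), PHP_EOL;
echo 'new ID after hardened reset: ', var_export($store->userFor($fresh), true), PHP_EOL;
echo 'unrelated account session:   ', var_export($store->userFor($other), true), PHP_EOL;
```

With PHP's built-in session handler, the single-session equivalent is `session_regenerate_id(true)` at the point where the new password is stored; revoking the account's other sessions needs a server-side mapping like the one modelled here.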