TykTechnologies / tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

[TT-1971] - Authenticated Sessions Are Transferable #2827

Open christtyk opened 4 years ago

christtyk commented 4 years ago

Branch/Environment/Version: On-Prem, think 2.9

Describe the bug

The Dashboard and Portal applications did not correlate the user's session token with the device being used. An attacker who was able to obtain a user's session token could proceed to use this token from another computer and access the user's data, increasing the impact of such an attack. This is known as "session hijacking" and is commonly performed by exploiting a Cross-Site Scripting (XSS) vulnerability or by intercepting the token in transit. During testing, this issue was confirmed by transferring a session token from one client machine to another and re-establishing the authenticated session with the application.

From client pen testing.
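The finding above, reproduced as an added Go example that is not Tyk's code and does not reflect how the Dashboard or Portal store sessions. It assumes a hypothetical in-memory `SessionStore` with a `BindToClient` switch: with the switch off, a token issued to one client is accepted from any other (the reported behaviour); with it on, the store records an HMAC fingerprint of the issuing client (source IP plus User-Agent, both chosen here for illustration) and rejects the same token when it arrives from a client whose fingerprint differs. The two clients and their addresses are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

var (
	ErrNoSession      = errors.New("unknown or expired session token")
	ErrClientMismatch = errors.New("session token presented from a different client")
)

type sessionRecord struct {
	user        string
	fingerprint string // HMAC of client attributes captured at login
}

// SessionStore is a hypothetical server-side session table (not Tyk's).
// BindToClient controls whether a token is tied to the client that obtained it.
type SessionStore struct {
	BindToClient bool
	key          []byte // secret HMAC key so fingerprints cannot be precomputed from their inputs
	mu           sync.Mutex
	sessions     map[string]sessionRecord
}

func NewSessionStore(bind bool) (*SessionStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &SessionStore{BindToClient: bind, key: key, sessions: make(map[string]sessionRecord)}, nil
}

// Fingerprint derives an opaque value from the requesting client's source IP
// (port stripped) and User-Agent. Both are heuristics: the IP changes behind
// carrier NAT or load balancers and the User-Agent is attacker-chosen.
func (s *SessionStore) Fingerprint(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(host))
	mac.Write([]byte{0}) // separator so "a"+"bc" and "ab"+"c" do not collide
	mac.Write([]byte(r.UserAgent()))
	return hex.EncodeToString(mac.Sum(nil))
}

// Issue creates a fresh random token for user and records the issuing client's fingerprint.
func (s *SessionStore) Issue(user string, r *http.Request) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = sessionRecord{user: user, fingerprint: s.Fingerprint(r)}
	return token, nil
}

// Validate returns the user bound to token. With BindToClient set, a token
// replayed from a client with a different fingerprint is rejected.
func (s *SessionStore) Validate(token string, r *http.Request) (string, error) {
	s.mu.Lock()
	rec, ok := s.sessions[token]
	s.mu.Unlock()
	if !ok {
		return "", ErrNoSession
	}
	if s.BindToClient && !hmac.Equal([]byte(rec.fingerprint), []byte(s.Fingerprint(r))) {
		return "", ErrClientMismatch
	}
	return rec.user, nil
}

// Simulate replays a token issued to the victim's browser from an attacker's
// machine and reports whether each client was accepted. Both clients are
// constructed here with RFC 5737 documentation addresses.
func Simulate(bind bool) (victimAccepted, attackerAccepted bool, err error) {
	store, err := NewSessionStore(bind)
	if err != nil {
		return false, false, err
	}
	victim := httptest.NewRequest("GET", "/dashboard", nil)
	victim.RemoteAddr = "203.0.113.10:51234"
	victim.Header.Set("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0")
	token, err := store.Issue("alice", victim)
	if err != nil {
		return false, false, err
	}
	attacker := httptest.NewRequest("GET", "/dashboard", nil)
	attacker.RemoteAddr = "198.51.100.7:40000"
	attacker.Header.Set("User-Agent", "curl/7.79.1")
	_, verr := store.Validate(token, victim)
	_, aerr := store.Validate(token, attacker)
	return verr == nil, aerr == nil, nil
}

func main() {
	for _, bind := range []bool{false, true} {
		v, a, err := Simulate(bind)
		if err != nil {
			panic(err)
		}
		fmt.Printf("bind=%-5v victim accepted=%v attacker accepted=%v\n", bind, v, a)
	}
}
```

Client binding of this kind narrows the window for a stolen token but is not a complete fix: an attacker who captured the token via XSS or on the wire can usually also observe the victim's User-Agent and may be able to route through the same egress IP, and legitimate users roaming between networks will be logged out. Treat it as one layer alongside HttpOnly/Secure/SameSite cookie attributes, short session lifetimes with rotation on privilege change, and revocation on logout.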

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs, please add comments to this ticket if you would like it to stay open. Thank you for your contributions.

buger commented 4 years ago

It is a security issue.