PT-2022-21435 · Rdiffweb · Rdiffweb

Published: 2022-09-23 · Updated: 2022-09-26 · CVE-2022-3269

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: rdiffweb versions prior to 2.4.7

Description: The issue allows an attacker to gain unauthorized access to a user's account due to session fixation. This occurs because the application fails to invalidate session cookies on logout, causing the cookies to remain the same after closing the browser and even after a password reset. These cookies can be reassigned to additional user logins, leading to session fixation. An attacker can exploit this by obtaining a session cookie through another attack and using it to access the account of users who are using the same browser, as long as the session cookie persists.

Recommendations: For versions prior to 2.4.7, update to version 2.4.7 to resolve the issue.
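The three behaviours the description names (the session ID is not rotated at login, logout leaves the cookie valid, and a password reset does not end existing sessions) are shown below as an added illustration of the weakness class, not rdiffweb's own code. The `VulnerableSessions` store reproduces the described behaviour; `HardenedSessions` applies the usual remediation (issue a fresh ID at login, destroy the record at logout, drop every session of a user whose password changes). Both classes, the `Session` dataclass and `demo()` are hypothetical names chosen for this example; the check in `demo()` is the kind an auditor runs to confirm a fix, using a session ID known before authentication as a stand-in for a cookie left behind in a shared browser.

```python
"""Session fixation: the described weakness beside its hardened form (illustrative)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class VulnerableSessions:
    """Store with the three defects named in the advisory text:
    login keeps the presented ID, logout keeps the record, reset is a no-op."""

    def __init__(self) -> None:
        self.store: Dict[str, Session] = {}

    def new_cookie(self) -> str:
        # Pre-authentication session, as issued on first visit.
        sid = secrets.token_urlsafe(32)
        self.store[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        # Reuses whatever ID the client presented, even one that pre-dates login.
        self.store.setdefault(sid, Session()).user = user
        return sid

    def logout(self, sid: str) -> None:
        # Clears the user but leaves the record; the same cookie value is
        # attached to the next login performed in this browser.
        if sid in self.store:
            self.store[sid].user = None

    def reset_password(self, user: str) -> None:
        # Existing sessions remain valid after the credential changes.
        return None

    def whoami(self, sid: str) -> Optional[str]:
        s = self.store.get(sid)
        return s.user if s else None


class HardenedSessions(VulnerableSessions):
    """Same interface, with the standard remediation applied."""

    def login(self, sid: str, user: str) -> str:
        # Rotate: discard the presented ID and bind a freshly generated one.
        self.store.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.store[new_sid] = Session(user=user)
        return new_sid

    def logout(self, sid: str) -> None:
        # Destroy the record server-side; the cookie value is now meaningless.
        self.store.pop(sid, None)

    def reset_password(self, user: str) -> None:
        # Terminate every session of the affected user.
        for sid in [k for k, v in self.store.items() if v.user == user]:
            del self.store[sid]


def demo(cls) -> dict:
    """Run the auditor's checks against a session store class (constructed scenario)."""
    sessions = cls()
    known = sessions.new_cookie()             # ID known before authentication
    after_login = sessions.login(known, "alice")
    id_fixed = after_login == known and sessions.whoami(known) == "alice"
    sessions.logout(after_login)
    next_sid = sessions.login(known, "bob")   # next login in the same browser
    old_cookie_sees_next = sessions.whoami(known) == "bob"
    sessions.reset_password("bob")
    valid_after_reset = sessions.whoami(next_sid) is not None
    return {
        "id_fixed_on_login": id_fixed,
        "old_cookie_sees_next_login": old_cookie_sees_next,
        "valid_after_reset": valid_after_reset,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableSessions))
    print("hardened:  ", demo(HardenedSessions))
```

All three flags come back True for the vulnerable store and False for the hardened one; a real fix is verified the same way, by logging in with a cookie captured before authentication and checking that the server issued a different one, and that a cookie from a logged-out or password-reset session no longer resolves to any user.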

Exploit

Fix

Weakness Enumeration

Session Fixation

Related Identifiers

CVE-2022-3269
GHSA-J3Q4-GMJ4-MJ95
PYSEC-2022-290

Affected Products

Rdiffweb