PT-2025-35200 · Payload · Payload
Arkadiusz Marta
·
Published
2025-08-29
·
Updated
2025-08-29
·
CVE-2025-4643
6.3
Medium
Base vector (CVSS 4.0): AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Payload versions prior to 3.44.0
Description:
Payload uses JSON Web Tokens (JWT) for authentication. Logging out does not invalidate the user's JWT on the server side, so an attacker who has obtained a valid token, whether by theft or by interception, can keep using it until it expires. The default token lifetime is two hours, but it is configurable; shortening it narrows the replay window without closing it, because the server still accepts any unexpired token regardless of whether its owner has logged out.
Recommendations:
Update to version 3.44.0 or later. Until the update is applied, treat any token that may have been exposed as live until its expiration time passes, since logging the user out does not revoke it.
Fix
Weakness: Insufficient Session Expiration; Session Fixation