Key: QB-3380
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Blocker
Assignee: Unassigned
Reporter: AlSt
Votes: 0
Watchers: 0

QB links which contain the session id let you hijack the session if it is still active.

Created: 24/Apr/19 07:43 AM   Updated: 04/May/19 12:15 AM
Component/s: None
Affects Version/s: 8.0.28
Fix Version/s: 9.0.9

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown

Description
We just got a link for a build in QB for investigating a build failure. The guy who sent us the link also copied the JSESSIONID with it. When we clicked on it we suddenly were logged in as this user.

High security risk!

There are no comments yet on this issue.