We discovered a major flaw in Stockhut, it was possible to authenticate to any Stockhut instance with a session identifier from a different instance. This is called session hijacking, also known as TCP session hijacking, is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user’s session ID has been accessed, the attacker can masquerade as that user and do anything the user is authorized to do on the network.
This vulnerability has been fixed (01-02-2021), the fix is automatically