Seppmail Secure Email Gateway Seppmail Cloud
Monthly
Session hijacking in SEPPmail Secure Email Gateway and SEPPmail Cloud before 15.0.4.2 lets an attacker who can observe traffic replay a victim's GINA web portal session because the session token is exposed both in the URL and in an HTTP header. Because the token travels in the request URL, it can leak into proxy logs, browser history, and Referer headers, enabling account takeover of the secure-message portal. There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is 'Unproven' (E:U); the vendor CVSS 4.0 base score is 7.5.
Session hijacking in SEPPmail Secure Email Gateway and SEPPmail Cloud before 15.0.4.2 lets an attacker who can observe traffic replay a victim's GINA web portal session because the session token is exposed both in the URL and in an HTTP header. Because the token travels in the request URL, it can leak into proxy logs, browser history, and Referer headers, enabling account takeover of the secure-message portal. There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is 'Unproven' (E:U); the vendor CVSS 4.0 base score is 7.5.