Sesame Time
Monthly
Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.