When a user successfully logs in to an account there are three new links he/she can visit. When the user logs out from one link, e.g. HTTP://insights.newrelic.com/accounts/11*, a "user successfully logged out" message appears and the user is logged out. Here the user is logged out from two links, e.g. HTTP://insights.newrelic.com/accounts/1332783 and HTTP://synthetics.newrelic.com/accounts/1332783/synthetics.
But users are wide open to attack on one link because of improper session management, e.g. HTTP://rpm.newrelic.com/accounts/1332783/servers: the session on that link is still valid after logout, so an attacker can do anything on the above account.
Steps to reproduce :-
(1) Log in to the account; it opens on "rpm".
(2) Open a link in a new window; the user is taken to "insights".
(3) Open the 3rd link, "synthetics", in a new tab.
(4) Log out from insights.
(5) Visit the synthetics page; the user is automatically logged out.
(6) Visit the rpm link; the session is still active and an attacker can change anything on the account.
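The behaviour in steps 4-6 is what happens when logout does not revoke the session everywhere it is accepted. The model below is an added example, not New Relic's code, and it assumes one hypothetical cause that matches the observation (an app that validates a session once and then trusts its own copy instead of re-checking a shared store); the real cause is not known from this report. Replaying the steps with "rpm" caching reproduces the report, and with no app caching every subdomain sees the logout.

```python
import secrets


class SessionStore:
    """Central session store shared by every subdomain. Logout anywhere
    revokes the id here, so any app that re-checks it sees the logout."""

    def __init__(self):
        self._active = {}

    def create(self, account_id):
        sid = secrets.token_urlsafe(32)
        self._active[sid] = account_id
        return sid

    def revoke(self, sid):
        self._active.pop(sid, None)

    def lookup(self, sid):
        return self._active.get(sid)


class Service:
    """One app (rpm, insights or synthetics). cache_locally=True models the
    hypothetical defect: after validating once the app trusts its own copy."""

    def __init__(self, store, cache_locally=False):
        self.store, self.cache_locally = store, cache_locally
        self._cache = {}

    def request(self, sid):
        """Account id the session resolves to, or None if it is logged out."""
        if self.cache_locally and sid in self._cache:
            return self._cache[sid]          # never asks the store again
        account = self.store.lookup(sid)
        if account is not None and self.cache_locally:
            self._cache[sid] = account
        return account

    def logout(self, sid):
        self.store.revoke(sid)               # global revocation
        self._cache.pop(sid, None)           # plus this app's own copy


def reproduce(caching_services=()):
    """Replay the report's steps; True means the app still accepts the session."""
    store = SessionStore()
    apps = {n: Service(store, n in caching_services) for n in ("rpm", "insights", "synthetics")}
    sid = store.create(1332783)              # step 1: login (account id from the report)
    for app in apps.values():                # steps 2-3: open all three apps
        app.request(sid)
    apps["insights"].logout(sid)             # step 4: logout from insights
    return {n: apps[n].request(sid) is not None for n in ("rpm", "synthetics")}
```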