Because a user is authenticated without invalidating any existing session identifier, an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET.
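The two defensive measures this description implies, shown as an added example that is not code from the advisory or the affected project: refuse session identifiers supplied in the URL, and issue a fresh identifier at the moment of authentication. The function names `harden_session_ini` and `complete_login` and the sample user id are hypothetical; the ini directives are PHP's standard session settings.

```php
<?php
declare(strict_types=1);

// Standard PHP session directives and the values that close the GET vector.
const SESSION_HARDENING = [
    'session.use_only_cookies' => true,  // ignore session IDs passed in the URL
    'session.use_trans_sid'    => false, // never rewrite links to carry the ID
    'session.use_strict_mode'  => true,  // reject IDs the server did not issue
];

// Hypothetical helper: apply the settings before session_start() and
// return the directives that still hold a weak value afterwards.
function harden_session_ini(): array
{
    $weak = [];
    foreach (SESSION_HARDENING as $key => $want) {
        ini_set($key, $want ? '1' : '0');
        // ini_get() may return "1", "On", "" or "0"; normalise to a boolean.
        $have = filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
        if ($have !== $want) {
            $weak[] = $key;
        }
    }
    return $weak;
}

// Hypothetical login step: call only after the credentials were verified.
function complete_login(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // New identifier; "true" deletes the pre-login session on the server,
    // so an identifier known before authentication stops being valid.
    session_regenerate_id(true);
    $_SESSION = [];                 // discard anything stored before login
    $_SESSION['user_id'] = $userId;
}

// Constructed command-line demonstration.
if (PHP_SAPI === 'cli') {
    $weak = harden_session_ini();
    session_start();
    $before = session_id();
    complete_login('example-user'); // constructed sample value
    $after = session_id();
    echo 'weak directives: ', $weak ? implode(', ', $weak) : 'none', PHP_EOL;
    echo 'identifier changed on login: ', $before !== $after ? 'yes' : 'no', PHP_EOL;
}
```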
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0