CVE-2018-10240
SolarWinds Serv-U MFT before 15.1.6 HFv1 uses low-entropy session tokens assigned to authenticated users, which can be included as a URL parameter in lieu of a session cookie. An attacker can brute-force the token to obtain the corresponding session cookie and hijack the user’s session. Reported ...