Rdiffweb is vulnerable to Sensitive Information Disclosure. The vulnerability exists due to an incomplete fix of CVE-2022-3174, which causes session cookies to be instantiated without the Secure
attribute when the provided URL is invalid. This flaw allows user cookies to be transported over insecure HTTP.
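
A deployment check for the missing attribute described above, as an added example that is not Rdiffweb's own code: it parses `Set-Cookie` header values and reports every cookie issued without `Secure`. The cookie names, values and the response text are constructed samples.

```python
# Added example: audit Set-Cookie headers for a missing Secure attribute.
# All header values below are constructed samples, not captured Rdiffweb output.


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(set_cookie_values):
    """Return the names of cookies that were set without the Secure attribute."""
    missing = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        # Check the parsed attribute, not a substring: a cookie whose *value*
        # is "secure" must still be reported.
        if name and "secure" not in attrs:
            missing.append(name)
    return missing


def audit_raw_response(raw_headers):
    """Extract Set-Cookie lines from a raw HTTP header block and audit them."""
    values = [
        line.split(":", 1)[1].strip()
        for line in raw_headers.splitlines()
        if line.lower().startswith("set-cookie:")
    ]
    return cookies_missing_secure(values)


# Constructed sample: one session cookie without Secure, one cookie with it,
# and one cookie whose value (not attribute) is the word "secure".
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=c0ffee; Path=/; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: lang=en; Path=/; secure\r\n"
    "Set-Cookie: theme=secure; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT\r\n"
    "\r\n"
)
```

Feed it the `Set-Cookie` headers your deployment actually returns on the login response; an empty result means every cookie carried `Secure`.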