ReCrystallize Server 5.10.0.0 uses a authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value.
[
{
"cpes": [
"cpe:2.3:a:recrystallize_software:recrystallize_server:5.10.0.0:*:*:*:*:*:*:*"
],
"vendor": "recrystallize_software",
"product": "recrystallize_server",
"versions": [
{
"status": "affected",
"version": "5.10.0.0"
}
],
"defaultStatus": "unknown"
}
]