Redmine

• VULNERABILITY NAME
  Session Replay
• DESCRIPTION
  Web applications that do not ensure that all session tokens (e.g.: cookies) are properly destroyed or made unusable, are prone to session replay where an attacker steals the session identifier by sniffing and replays these session tokens to "resurrect" the session of a legitimate user and virtually impersonate him/her.
• OBSERVATION
  It was possible to sniff the session of the legitimate user and gain access of the application by replaying the sniffed user session.
• IMPACT
  An attacker may exploit this flaw by sniffing the session of an authenticated user and can replay the same to gain access to the restricted/authenticated pages of the application
• RISK RATING
  High

Our ISG (Internet Security Team) has identified the above vulnerability. Could someone please assist or provide guidance on how to address this issue?