In VOS, the user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs in to the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to log in with.

| Software | From | Fixed in |
|---|---|---|
| versa-networks / versa_operating_system | - | 16.1r2s11 |
| versa-networks / versa_operating_system | 20.2.0 | 20.2.2 |
| versa-networks / versa_operating_system | 21.1.0 | 21.1.1 |
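
The flaw described above, next to the usual fix of rotating the session ID at login, as an added example that is not VOS code or part of the original advisory. `SessionStore`, `rotate_on_login` and `pre_login_id_survives` are hypothetical names, and the in-memory store stands in for whatever session backend an application uses.

```python
import secrets


class SessionStore:
    """In-memory session table: session ID -> user name (None = anonymous)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def new_anonymous_session(self):
        # ID handed to the browser before any authentication has happened.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user, password_ok):
        """Return the session ID the browser must use after login."""
        if not password_ok or sid not in self.sessions:
            raise PermissionError("login rejected")
        if self.rotate_on_login:
            # Hardened: invalidate the pre-auth ID and issue a fresh one.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        # Flawed path (rotate_on_login=False): the pre-auth ID is promoted as-is.
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def pre_login_id_survives(store):
    """Regression check: is an ID issued before login still bound to the
    user after a successful login? True means the store is fixable."""
    pre_auth = store.new_anonymous_session()
    post_auth = store.login(pre_auth, "alice", password_ok=True)  # constructed user
    assert store.whoami(post_auth) == "alice"
    return store.whoami(pre_auth) == "alice"


if __name__ == "__main__":
    print("no rotation  :", pre_login_id_survives(SessionStore(rotate_on_login=False)))
    print("with rotation:", pre_login_id_survives(SessionStore(rotate_on_login=True)))
```

The same check works as a black-box test against a real login flow: record the session cookie before authenticating and confirm the server no longer accepts it afterwards.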