SessionInit can be bypassed
Issue #5
resolved
A malicious client can bypass the SessionInit message and send other messages immediately, including invocations. Invocations in this state wouldn't have user context associated with them, which could be a privilege escalation in some circumstances.
Comments (2)
reporter -
reporter - changed status to resolved
Fixed in 5056ea6. Released in 1.6.3.
Will be fixed in 1.6.3
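One way to enforce the ordering this issue describes, as an added example: it is not the project's code and not the change made in 5056ea6. Apart from `SessionInit`, every name here (`Connection`, `handle_message`, the `Invoke` message type, the `token` field, `authenticate`) is a hypothetical stand-in. The dispatcher refuses any message that arrives before a successful `SessionInit`, so an invocation can never run without a user context.

```python
# Added illustration; all names except "SessionInit" are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    user: Optional[str] = None   # set only by a successful SessionInit
    closed: bool = False


def authenticate(token: str) -> Optional[str]:
    # Constructed stand-in for the real credential check.
    return {"tok-alice": "alice"}.get(token)


def _reject(conn: Connection, reason: str) -> dict:
    # Fail closed: drop the connection so the client cannot continue
    # on a session that never established a user context.
    conn.closed = True
    return {"ok": False, "error": reason}


def handle_message(conn: Connection, msg: dict) -> dict:
    """Dispatch one message, refusing anything sent before SessionInit."""
    if conn.closed:
        return {"ok": False, "error": "connection closed"}
    kind = msg.get("type")
    if kind == "SessionInit":
        if conn.user is not None:
            return _reject(conn, "duplicate SessionInit")
        user = authenticate(str(msg.get("token", "")))
        if user is None:
            return _reject(conn, "authentication failed")
        conn.user = user
        return {"ok": True, "user": user}
    # Gate: every other message type requires an established user context.
    # Without this check an Invoke would be dispatched with conn.user == None.
    if conn.user is None:
        return _reject(conn, f"{kind} before SessionInit")
    if kind == "Invoke":
        # The invocation always carries the session's user.
        return {"ok": True, "ran_as": conn.user, "method": msg.get("method")}
    return _reject(conn, f"unknown message type {kind!r}")
```
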