- Affected version
- 2.2.13
API call auth/login-token allows to request a login token that either logs the user in just for one session (
However, this setting is not part of the token and thus not validated when the token is redeemed.
This allows every token to be used for a permanent login which might be a security issue.
remember = 0) or permanently (remember=1) .However, this setting is not part of the token and thus not validated when the token is redeemed.
This allows every token to be used for a permanent login which might be a security issue.
Last edited:
