A Security IT Health Check identified the following vulnerability in the "Send Message" function on the Spectrum OneClick Client Details tab.
The Spectrum application's messaging functionality revealed the session tokens of logged-in clients. A malicious Spectrum user could re-use an exposed token to take over that client's session and gain unauthorised access to the application. Note that exploitation was limited to the 'administration' user role, which has access to the messaging functionality on the OneClick Client Details page.
The risk rating for this issue is medium because only administrative users can reach the messaging function.
Affected versions: NetOps Spectrum OneClick 22.2.x, 23.3.x
When sending a message to a logged-in client, the OneClick Send Message function transmits that client's session ID (the JSESSIONID cookie value) as a URL query string parameter, where it is visible to the sending user and to anything that records request URLs.
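A check a practitioner can run to confirm or monitor for this class of exposure, added here as an example and not part of the advisory or of the Spectrum product: session identifiers carried in a URL end up in web server and proxy access logs, so scanning those logs for a JSESSIONID (or any 32-hex-character value) in the query string or in a Tomcat-style `;jsessionid=` path parameter surfaces every request that leaked a token. The log lines below are constructed, and the `/spectrum/oneclick/...` paths and the parameter names other than JSESSIONID are assumptions, not Spectrum's real endpoints.

```python
"""Added example: scan HTTP access log lines for session tokens leaked in
request URLs. Not Spectrum code; endpoint paths and the non-JSESSIONID
parameter names are assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never appear in a URL. JSESSIONID is the Java
# servlet session cookie named in the advisory; the others are common
# equivalents added as assumptions.
SESSION_PARAM_NAMES = {"jsessionid", "sessionid", "session_id", "phpsessid"}

# Tomcat session ids are 32 hex characters by default; this heuristic catches
# a token passed under an unexpected parameter name.
TOKEN_VALUE_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Combined log format: client ident user [time] "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log; the paths and user names are invented.
SAMPLE_LOG = [
    # message send that carries the target client's token in the query string
    '10.0.0.5 - - [01/Mar/2024:10:15:32 +0000] "GET /spectrum/oneclick/sendMessage'
    '?client=ocuser1&JSESSIONID=3F2A9B7C1D4E5F60718293A4B5C6D7E8&msg=hello HTTP/1.1" 200 512',
    # benign request: the token travels in the Cookie header, which is not logged
    '10.0.0.6 - - [01/Mar/2024:10:16:01 +0000] "GET /spectrum/oneclick/clients?view=details HTTP/1.1" 200 2048',
    # Tomcat URL-rewriting style path parameter
    '10.0.0.7 - - [01/Mar/2024:10:17:45 +0000] "POST /spectrum/oneclick/login'
    ';jsessionid=A1B2C3D4E5F60718293A4B5C6D7E8F90 HTTP/1.1" 302 0',
    # unusual parameter name, but the value looks like a session id
    '10.0.0.8 - - [01/Mar/2024:10:18:09 +0000] "GET /spectrum/oneclick/clients?view=details&token='
    + "f" * 32 + ' HTTP/1.1" 200 0',
]


def redact(token, keep=6):
    """Keep a short prefix so a finding can be correlated without re-leaking the token."""
    return token[:keep] + "..." if len(token) > keep else "***"


def find_token_leaks(log_lines):
    """Return one finding per session-like parameter found in a request URL."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line; skip rather than guess
        parts = urlsplit(m.group("target"))
        candidates = list(parse_qsl(parts.query, keep_blank_values=True))
        path = parts.path
        # urlsplit leaves ";name=value" path parameters on the path; check them too
        if ";" in path:
            path, _, path_params = path.partition(";")
            candidates.extend(parse_qsl(path_params.replace(";", "&"), keep_blank_values=True))
        for name, value in candidates:
            if name.lower() in SESSION_PARAM_NAMES or TOKEN_VALUE_RE.match(value):
                findings.append({
                    "client": m.group("ip"),
                    "method": m.group("method"),
                    "path": path,
                    "param": name,
                    "token_prefix": redact(value),
                })
    return findings


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['path']} param={f['param']} token={f['token_prefix']}")
```

Run against real logs, every hit is a token that must be treated as compromised until the session expires or is invalidated; the redacted prefix is enough to match a finding back to the full log line without copying the token into a ticket.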
This was fixed in NetOps Spectrum 23.3.6.