Impact
The views provided by django-user-sessions allow users to terminate specific sessions. The session key is used to identify sessions and is therefore included in the rendered HTML. In itself this is not a problem. However, if the website has an XSS vulnerability, the session key could be extracted by the attacker and a session takeover could happen.

Patches
Patch is under way.

Workarounds
Remove the session_key from the template.
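As an added example that is not part of this advisory or the project's own code, the following shows one way to apply the workaround while still letting a user choose which session to end: the page receives a keyed hash of the session key instead of the key itself, and the server resolves it back against the requesting user's own sessions. SECRET_KEY, the SessionRecord class and the sample sessions are constructed stand-ins for Django settings and the django-user-sessions model.

```python
import hashlib
import hmac
import html
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for Django's settings.SECRET_KEY (assumption: server-side only).
SECRET_KEY = b"constructed-server-secret-do-not-reuse"


@dataclass
class SessionRecord:
    """Constructed stand-in for a django-user-sessions Session row."""
    session_key: str
    user_agent: str
    ip: str


def opaque_session_id(session_key: str) -> str:
    """Keyed hash of the session key that is safe to render in HTML.

    A script injected via XSS can read this value but cannot recover the
    session key (the cookie) from it without SECRET_KEY.
    """
    return hmac.new(SECRET_KEY, session_key.encode(), hashlib.sha256).hexdigest()[:32]


def find_session(sessions: list, rendered_id: str) -> Optional[SessionRecord]:
    """Resolve an identifier posted back from the page to one of the user's sessions.

    Only sessions already belonging to the requesting user are searched, and the
    comparison is constant-time.
    """
    for s in sessions:
        if hmac.compare_digest(opaque_session_id(s.session_key), rendered_id):
            return s
    return None


def render_session_rows(sessions: list) -> str:
    """Render the session list; the raw session_key never reaches the template."""
    rows = []
    for s in sessions:
        rows.append(
            f"<li>{html.escape(s.user_agent)} from {html.escape(s.ip)} "
            f'<button name="session" value="{opaque_session_id(s.session_key)}">End</button></li>'
        )
    return "\n".join(rows)


# Constructed sample data standing in for the current user's session rows.
SESSIONS = [
    SessionRecord("c3a1constructedkey0001", "Firefox on Linux", "192.0.2.10"),
    SessionRecord("c3a1constructedkey0002", "Safari on iOS", "198.51.100.7"),
]
```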
References
None.

For more information
If you have any questions or comments about this advisory:
* Open an issue in Bouke/django-user-sessions
* Email us at bouke@haarsma.eu
{
  "github_reviewed": true,
  "nvd_published_at": null,
  "github_reviewed_at": "2020-01-24T19:56:37Z",
  "severity": "MODERATE",
  "cwe_ids": [
    "CWE-287"
  ]
}