"User Sessions" admin item is now visible to administrators

      In the June release, the "User Sessions" admin page was visible to both admins and sysadmins, but the link to it was not visible to admins.
      In July, the link is now admin-visible.

      This page shows information about the current HTTP sessions of all users, including their internal session ID (not JSESSIONID). It doesn't seem to show anything exploitable.

      Is this intentional or was this page never meant to be accessible to admins?

        1. UserSessions.png
          35 kB
          Penny Wyatt (On Leave to July 2021)
        2. screenshot_99(089).png
          12 kB
          ɹǝʞɐq pɐɹq

            Assignee:
            tier-0 grump
            Reporter:
            Penny Wyatt (On Leave to July 2021)
            Votes:
            0
            Watchers:
            1
