Authentication Bypass

Severity:

Medium

How to test:

  • Check if post-authentication URLs are directly accessible without any authentication cookies or relevant headers.

  • If the URL is guessable or accessible without authentication, it can lead to an account takeover.
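
The check above can be automated against an application you are responsible for. The following is an added example, not part of the original page: `SampleApp`, the paths `/account` and `/export`, and the `session=valid` cookie are constructed for illustration, and the script requests each post-authentication path with no cookie or auth header, without following redirects.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample app: /account enforces the session cookie, /export does not.
class SampleApp(BaseHTTPRequestHandler):
    def do_GET(self):
        authed = "session=valid" in self.headers.get("Cookie", "")
        if self.path == "/account" and not authed:
            self.send_response(302)  # expected behaviour: send the client to login
            self.send_header("Location", "/login")
            self.end_headers()
            return
        found = self.path in ("/account", "/export")
        body = b"private data" if found else b"not found"
        self.send_response(200 if found else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # silence per-request logging

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it to the login page

def unauthenticated_status(url):
    """Fetch url with no Cookie or Authorization header and return the HTTP status."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def find_unprotected(base, paths):
    """Return post-auth paths that answer 2xx to an unauthenticated request."""
    return [p for p in paths if 200 <= unauthenticated_status(base + p) < 300]

def run_demo():
    with HTTPServer(("127.0.0.1", 0), SampleApp) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            return find_unprotected(base, ["/account", "/export"])
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

A 2xx result marks a path for review; a 401, 403, or a redirect to the login page is the expected response for a post-authentication URL.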
