We have version 2.67.2+170719, and after running a penetration test one of the results we have is:

Session Token in URL

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Findings: The link /sv/index.php/admin/survey/togglequickaction contained the token "YII_CSRF_TOKEN" as part of the URL.

I was wondering if the latest update to 2.72.3/4 will resolve this issue.
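
The following is an added example, not part of the original post and not LimeSurvey code: a check of web server access logs for the exposure the finding describes, reporting requests whose URL or Referer carries a token parameter and masking the value for sharing. It assumes Combined Log Format and that the token appears as a query-string parameter; the log lines, host names and every parameter name other than YII_CSRF_TOKEN are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive. Only YII_CSRF_TOKEN comes from the
# finding; the others are assumptions to adapt to your application.
SENSITIVE_PARAMS = {"yii_csrf_token", "phpsessid", "sessionid", "token"}

# Combined Log Format: "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up token value).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET /sv/index.php/admin/survey/'
    'togglequickaction?YII_CSRF_TOKEN=abc123constructed HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2018:10:00:05 +0000] "POST /sv/index.php/admin/survey/'
    'togglequickaction HTTP/1.1" 200 512 "https://survey.example.test/sv/index.php/admin" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2018:10:00:09 +0000] "GET /static/logo.png HTTP/1.1" 200 1024 '
    '"https://survey.example.test/sv/index.php/admin/survey/togglequickaction'
    '?YII_CSRF_TOKEN=abc123constructed" "Mozilla/5.0"',
]

def find_token_leaks(lines):
    """Return (line_no, field, param) for each sensitive parameter with a
    non-empty value in the request target or the Referer header."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a Combined Log Format line
        for field in ("target", "referer"):
            query = urlsplit(m.group(field)).query
            for name, value in parse_qsl(query, keep_blank_values=True):
                if name.lower() in SENSITIVE_PARAMS and value:
                    hits.append((no, field, name))
    return hits

def redact(line):
    """Mask sensitive parameter values so a log excerpt can be shared."""
    names = "|".join(re.escape(n) for n in sorted(SENSITIVE_PARAMS))
    return re.sub(r'(?i)\b(' + names + r')=[^&\s"]+', r"\1=[REDACTED]", line)

if __name__ == "__main__":
    for no, field, name in find_token_leaks(SAMPLE):
        print(f"line {no}: {name} exposed in {field}: {redact(SAMPLE[no - 1])}")
```

A hit in the `referer` field shows the token travelling to whatever served the next request, which is the third-party disclosure path the finding mentions.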