Has anyone taken a look at this post?
- Session Hijacking also possible to steal less privileged user sessions to perform this trick due to "http" admin by default webConfigurator.
Is this a true statement? Seems to me that default is "https".
More details (in English) here:
It was fixed the same day. It's not a vulnerability in the base system, just that one package. Since it was a package, it was simple to fix and people can update their packages and not worry. It's a non-issue anyhow for most, as it only matters if you have untrusted users logging into your GUI and you have given them access to the snort package.