The vulnerability exists within the GetCookie() endpoint due to unsafe deserialization of AuthorizationCookie objects. The application insecurely decrypts cookie data using AES-128-CBC and subsequently deserializes it via BinaryFormatter without sufficient type validation.
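A general hardening pattern for this class of flaw, as an added example that is not the affected product's code or its vendor fix: authenticate the cookie before decrypting it, then parse the plaintext into a single fixed data type instead of handing it to BinaryFormatter. The `CookieData` record, the `SafeCookie` class and the wire layout are hypothetical, and the keys and cookie are constructed for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.Json;

// Constructed demo keys and cookie; nothing here comes from the affected product.
byte[] encKey = RandomNumberGenerator.GetBytes(16);   // AES-128
byte[] macKey = RandomNumberGenerator.GetBytes(32);
byte[] cookie = SafeCookie.Protect(new CookieData("client-01", DateTimeOffset.UtcNow.AddHours(1)), encKey, macKey);
Console.WriteLine($"valid cookie accepted: {SafeCookie.Unprotect(cookie, encKey, macKey) is not null}");
cookie[20] ^= 0x01;                                   // simulate tampering with the ciphertext
Console.WriteLine($"tampered cookie rejected: {SafeCookie.Unprotect(cookie, encKey, macKey) is null}");

// Hypothetical data-only shape; the real AuthorizationCookie fields are not given on the page.
public sealed record CookieData(string ClientId, DateTimeOffset Expires);

public static class SafeCookie
{
    // Assumed wire layout: IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes).
    public static byte[] Protect(CookieData data, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();                 // CBC mode and PKCS7 padding are the defaults
        aes.Key = encKey;
        using var enc = aes.CreateEncryptor();
        byte[] plain = JsonSerializer.SerializeToUtf8Bytes(data);
        byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
        using var mac = new HMACSHA256(macKey);
        return body.Concat(mac.ComputeHash(body)).ToArray();
    }

    public static CookieData? Unprotect(byte[] cookie, byte[] encKey, byte[] macKey)
    {
        int bodyLen = cookie.Length - 32;
        if (bodyLen < 32 || bodyLen % 16 != 0) return null;      // IV plus at least one block
        // 1. Authenticate before decrypting, so attacker-chosen bytes never reach the parser.
        using var mac = new HMACSHA256(macKey);
        if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(cookie, 0, bodyLen), cookie.AsSpan(bodyLen)))
            return null;
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.IV = cookie[..16];
        using var dec = aes.CreateDecryptor();
        byte[] plain = dec.TransformFinalBlock(cookie, 16, bodyLen - 16);
        // 2. Parse into one fixed type; the payload cannot name a type to instantiate.
        try { return JsonSerializer.Deserialize<CookieData>(plain); }
        catch (JsonException) { return null; }
    }
}
```

The example assumes .NET 6 or later with nullable reference types enabled.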