| Field | Value |
|---|---|
| Issue | |
| Date | |
| Severity | Low |
| Requires Admin Access | Yes |
| Fix Version | 2.5.7 |
| Credit | Internal Security Team |
| Description | The session cookie can be read by client-side JavaScript. A Cross-Site Scripting vulnerability in the page therefore allows an attacker to retrieve the session cookie and log in to the administrative interface without a password. An attacker can use this to target an administrative user specifically and steal their session cookie; with this cookie the attacker is able to log in to the administrative interface without knowing the username or password. |
| Mitigation | As a workaround, we suggest using an application firewall to block external access to the admin URL. |
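The condition described above, a session cookie that scripts in the page can read, is visible in the response's Set-Cookie header: without the HttpOnly attribute the browser exposes the cookie through document.cookie. The following checker is an added example, not code from the advisory or the affected product; the cookie name, value and headers are constructed samples, and the Secure and SameSite checks go beyond the advisory's finding.

```python
# Constructed sample Set-Cookie headers (not taken from the affected product).
VULNERABLE_HEADER = "admin_session=3f9a1c; Path=/admin"
HARDENED_HEADER = (
    "admin_session=3f9a1c; Path=/admin; HttpOnly; Secure; SameSite=Strict"
)


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attribute names are lower-cased; value-less attributes such as
    HttpOnly map to True so callers can test for presence.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_set_cookie(header: str):
    """Return a list of findings for one Set-Cookie header.

    The first check is the advisory's condition: a session cookie without
    HttpOnly is readable by any script running in the page, so an XSS flaw
    turns into session theft. Secure and SameSite are related hardening.
    """
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, also sent over plain HTTP")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not set to Lax or Strict")
    return findings


def audit_response_cookies(headers):
    """Audit every Set-Cookie header of one response; returns all findings."""
    return [f for h in headers for f in audit_set_cookie(h)]


if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_set_cookie(header) or "no findings")
```

Run it against the Set-Cookie headers of the admin login response; an empty list for the session cookie means the cookie cannot be read by page scripts.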