Glastonbury ticket hijack vulnerability fixed
ID: 34b0979d-4154-5c78-9899-d8bea2915ded
STIX ID: report--34b0979d-4154-5c78-9899-d8bea2915ded
Feed Name: Pen Test Partners Blog
This report details a session management vulnerability on glastonbury.seetickets.com: the session token issued via the contact-us login could be reused to access the registration edit page. Attackers with publicly sourced registrationNumber:postcode pairs could therefore change ticket delivery addresses and view PII. The attack is demonstrated with cURL requests and cookie reuse of the IkTmgflrEi72NixCIcjzA value. SeeTickets responded promptly and fixed the flaw, underscoring the importance of responsible disclosure and of caution about sharing registration details publicly.
