CentralAuth is vulnerable to Session Fixation attacks [0]. It uses the existing session id from a browser's cookie when setting up the CentralAuth session, without resetting the value.
[0] - https://www.owasp.org/index.php/Session_fixation
If an attacker can set a cookie with the name 'centralauth_Session' with a known value on a victim's browser and the victim later logs in, the attacker can impersonate the victim by using the CentralAuth session id with the chosen value.
Version: unspecified
Severity: normal
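
The behaviour described above and the usual remedy (issue a fresh session id at login and discard the old one), as an added model that is not CentralAuth's code. The `SessionStore` class, the `regenerate_on_login` switch and the sample cookie value are assumptions made for illustration; only the cookie name comes from the report.

```python
import secrets

COOKIE = "centralauth_Session"  # cookie name taken from the report


class SessionStore:
    """Constructed in-memory model of a server-side session table."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> authenticated user name

    def login(self, cookies, user):
        """Authenticate `user`; return the cookies the browser holds afterwards."""
        presented = cookies.get(COOKIE)
        if self.regenerate_on_login or presented is None:
            # Hardened path: never keep an id that existed before login.
            self.sessions.pop(presented, None)
            sid = secrets.token_hex(16)
        else:
            # Behaviour described in the report: reuse the id from the cookie.
            sid = presented
        self.sessions[sid] = user
        return {**cookies, COOKIE: sid}

    def whoami(self, cookies):
        """Return the user bound to the presented session id, or None."""
        return self.sessions.get(cookies.get(COOKIE))


def fixation_outcome(regenerate_on_login):
    """Return who a pre-login cookie value resolves to after the victim logs in."""
    store = SessionStore(regenerate_on_login)
    planted = {COOKIE: "known-value"}  # constructed value present before login
    victim_cookies = store.login(dict(planted), "victim")
    # The victim's own session must work in both configurations.
    assert store.whoami(victim_cookies) == "victim"
    # The same pre-login value presented from a second client.
    return store.whoami(planted)


if __name__ == "__main__":
    print("reuse cookie id:    ", fixation_outcome(False))
    print("regenerate on login:", fixation_outcome(True))
```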