session data not checked for application scope
if you have multiple vtiger instances on a host (or any PHP code on the host that can write session data) you can get past the authentication of a vtiger instance. Log in to one, and you are logged into the other with the same user id, even if the passwords don't match.
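As an added example (not vtiger's own code), the following PHP shows the two mitigations a defender would apply to this class of bug: give each application instance its own session cookie name and session storage directory, so instances on one host no longer share a session store, and tag the session data with an application identifier that is checked before any stored user id is honoured. The instance identifier `$appId`, the save path, and the function and key names are assumptions made for this example.

```php
<?php
// Added example, not code from vtiger: isolate PHP sessions per application
// instance on a shared host, and refuse session data created by another app.
//
// Assumptions (not from the original report): each instance is configured
// with a distinct $appId string, and $savePath is a hypothetical directory
// writable only by this instance's PHP process.

declare(strict_types=1);

function startScopedSession(string $appId, string $savePath): void
{
    // 1. Distinct cookie name per instance: a session id issued by one
    //    instance is never presented to, or accepted by, another instance.
    session_name('SESS_' . substr(hash('sha256', $appId), 0, 16));

    // 2. Distinct storage location per instance: other PHP code on the host
    //    cannot read or write this instance's session files unless it can
    //    write to this directory.
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    session_save_path($savePath);

    // Cookie hardening for the session id itself.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // 3. Bind the session contents to this application. If the data carries
    //    a different scope tag (written by another instance or other PHP code
    //    sharing the store), discard it and issue a fresh session id.
    if (isset($_SESSION['app_scope']) && $_SESSION['app_scope'] !== $appId) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['app_scope'] = $appId;
}

function isAuthenticated(string $appId): bool
{
    // A user id counts only when it was stored under this application's
    // scope tag, not merely because some session with a user id exists.
    return isset($_SESSION['app_scope'], $_SESSION['user_id'])
        && $_SESSION['app_scope'] === $appId;
}

function markAuthenticated(string $appId, int $userId): void
{
    // New id at the privilege change so a pre-seeded id is not reused.
    session_regenerate_id(true);
    $_SESSION['app_scope'] = $appId;
    $_SESSION['user_id']   = $userId;
}

// Usage at an instance's entry point (hypothetical values):
// startScopedSession('crm-instance-a', '/var/lib/php/sessions/crm-instance-a');
// if (!isAuthenticated('crm-instance-a')) { /* show login form */ }
```

The scope tag on its own is not a security boundary: any code that can write to the same session store can also write the tag. The real separation is the per-instance save path with restrictive permissions; the tag check is the cheap second layer that catches a misconfigured deployment where two instances still end up sharing a store.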