The RightFax web client uses predictable session numbers, which allows remote attackers to hijack user sessions.