
exploitDog

CVE-2025-30064

Published: 27 Aug 2025
Source: nvd
EPSS: Low

Description

An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user.
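The missing check named in the description, shown as an added example (not code from the affected product or from this page): a verifier that pins the signing algorithm before it checks the signature. HS256, the names `verify_pinned`, `make_token`, `EXPECTED_ALG` and the key are assumptions for illustration; the page does not say which algorithm the product uses.

```python
import base64, hashlib, hmac, json

EXPECTED_ALG = "HS256"            # assumption: the service only ever issues HS256 tokens
KEY = b"constructed-demo-key"     # constructed sample key, not a real secret

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, claims: dict, key: bytes) -> str:
    """Build a constructed sample token; only HS256 headers get a real signature."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = b""  # any other alg value yields an unsigned sample for the negative test
    if header.get("alg") == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_pinned(token: str, key: bytes) -> dict:
    """Return the claims only if the header names EXPECTED_ALG and the HMAC matches."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Algorithm pinning: the token's own header never chooses how it is verified.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("bad signature")
    return json.loads(b64url_decode(claims_b64))

def is_accepted(token: str, key: bytes) -> bool:
    """Convenience wrapper: True only when verify_pinned returns claims."""
    try:
        verify_pinned(token, key)
        return True
    except ValueError:
        return False
```

With a JWT library, the equivalent is passing an explicit list of allowed algorithms to the decode call instead of relying on the token header.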

EPSS

Percentile: 1%
0.00012
Low

Weaknesses

CWE-347

Related vulnerabilities

github
5 months ago

An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user.
