I have discovered a vulnerability where any user can modify another user’s data, including the password, simply by intercepting and changing the access token of the JWT using https://token.dev. The system does not verify whether the JWT token was issued by the server or not, allowing it to accept the edited JWT token. This can lead to unauthorized modification of the email address, password, and other personal data of any user.
https://drive.google.com/file/d/1aTd_eBkqEX-LpdbCKI3E_fP1rzCg_aYd/view?usp=sharing