CVE-2024-41978
A vulnerability has been identified in RUGGEDCOM RM1224 LTE4G EU 6GK6108-4AM00-2BA2 All versions V8.1, RUGGEDCOM RM1224 LTE4G NAM 6GK6108-4AM00-2DA2 All versions V8.1, SCALANCE M804PB 6GK5804-0AP00-2AA2 All versions V8.1, SCALANCE M812-1 ADSL-Router family All versions V8.1, SCALANCE M816-1...
Apache SeaTunnel Authentication Bypass Vulnerability
Apache SeaTunnel is an easy-to-use data integration framework from the Apache Software Foundation (USA). An authentication bypass vulnerability exists in Apache SeaTunnel version 1.0.0, which stems from the fact that the JWT key is hard-coded in the application and can be exploited by an attacker...
PT-2024-29887
Name of the Vulnerable Software and Affected Versions Biscuit versions prior to 4 Description The issue concerns the generation of third-party blocks in Biscuit, an authorization token with decentralized verification. A malicious user can forge a ThirdPartyBlock request, tricking the third-party...
CVE-2023-48396
Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affect...
PT-2024-13610 · Apache · Apache Seatunnel
Name of the Vulnerable Software and Affected Versions: Apache SeaTunnel version 1.0.0 Description: The issue is related to a Web Authentication vulnerability in Apache SeaTunnel, where the jwt key is hardcoded in the application. This allows an attacker to forge any token and log in as any user...
PT-2024-20446
Name of the Vulnerable Software and Affected Versions Bludit affected versions not specified Description The issue concerns the use of predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens, such as the API token and the user token. This allows attackers to...
CVE-2024-33625
CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication...
PT-2024-25384 · Cyberpower · Cyberpower Powerpanel
Name of the Vulnerable Software and Affected Versions: CyberPower PowerPanel business application affected versions not specified Description: The issue concerns a hard-coded JWT signing key in the application code, which could allow an attacker to forge JWT tokens and bypass authentication...
The vulnerability of the `saslJaasServerRoleTokenSignerSecretPath` component in Apache Pulsar, the cloud platform for distributed messaging and streaming, allows an attacker to forge the SASL role token, thereby compromising the confidentiality and integrity of the protected information.
The vulnerability of the `saslJaasServerRoleTokenSignerSecretPath` component in Apache Pulsar, the cloud platform for distributed messaging and streaming, involves a lack of protection for service-related data. Exploiting this vulnerability could allow an attacker to forge the SASL role token and...
The vulnerability of the JWT Secret Handler component in Headwind MDM, the software for remote management of mobile devices, allows a perpetrator to gain access to user data.
The vulnerability of the JWT Secret Handler component in Headwind MDM, the software for remote management of mobile devices, is related to the use of hard-coded credentials. Exploiting this vulnerability could allow a malicious actor to gain access to these credentials and create arbitrary...
CVE-2024-28194 Authentication Bypass Because of Hardcoded JWT Secret in your_spotify
YourSpotify is an open source, self-hosted Spotify tracking dashboard. YourSpotify versions 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows...
PT-2024-22328 · Unknown · Yourspotify
Name of the Vulnerable Software and Affected Versions: YourSpotify versions prior to 1.8.0 Description: The issue concerns the use of a hardcoded JSON Web Token JWT secret in authentication tokens. This allows attackers to forge valid authentication tokens for any user, effectively bypassing...
Rockwell Automation FactoryTalk Services Platform Data Forgery Vulnerability
Rockwell Automation FactoryTalk Services Platform is a suite of services platforms from Rockwell Automation, USA, consisting of multiple products that provide applications with routine services such as diagnostic information, health monitoring, and real-time data access. A security vulnerability...
CVE-2023-48392
Kaifa Technology WebITR is an online attendance system that uses a hard-coded encryption key. An unauthenticated remote attacker can generate a valid token parameter and exploit this vulnerability to access the system with an arbitrary user account, including the administrator's account, ...
PT-2023-9023 · Headwind · Headwind Mdm Web Panel
Name of the Vulnerable Software and Affected Versions: Headwind MDM Web panel version 5.22.1 Description: The issue is related to the use of hard-coded credentials in the JWT Secret Handler component of the Headwind MDM software. This allows a remote attacker to gain access to credentials by...
json-web-token library is vulnerable to a JWT algorithm confusion attack
Summary: The json-web-token library is vulnerable to a JWT algorithm confusion attack. Details: On line 86 of the 'index.js' file, the algorithm used to verify the signature of the JWT is taken from the token itself, which at that point is still unverified and thus shouldn't be trusted. To...
CVE-2023-43791 Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges...
Cisco BroadWorks Application Security Vulnerability
Cisco BroadWorks Application is an enterprise-grade calling and collaboration platform from Cisco USA. A security vulnerability exists in the Cisco BroadWorks Application Delivery Platform and Xtended Services Platform that stems from an improper method used to authenticate SSO tokens, allowing a...
CVE-2023-33371
Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication...