2 matches found
CVE-2018-10813
Dedos-web 1.0 has hardcoded session cookies/secrets in the Express.js app, exposed in GitHub source. An attacker can modify session cookie contents and re-sign them with the hardcoded secret via Passport.js, enabling privilege escalation. Public references (CNVD/NVD) confirm hardcoded credentials...
CVE-2018-10813
In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this...