11 matches found
CVE-2025-47945
Donetick is an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate...
CVE-2024-53356
Weak JWT Secret vulnerability in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote attackers to generate JWTs for privilege escalation. The HMAC secret used for generating tokens is hardcoded as "somerandomaccesstoken". A weak HMAC secret poses a risk because attackers can use the...
PT-2024-34370 · Watcharr · Watcharr
Name of the Vulnerable Software and Affected Versions: Watcharr versions 1.43.0 and below Description: A vulnerability in a weak JWT token allows attackers to perform privilege escalation using a crafted JWT token. This issue is not limited to privilege escalation but also affects all functions...
Weak JWT Secrets
github.com/IceWhaleTech/CasaOS is vulnerable to Weak JWT Secrets. The vulnerability exists because the InitV1Router function of v1.go and the InitV2Router function of v2.go do not properly validate JWT tokens, which allows an attacker to send maliciously crafted JWTs and access the features tha...
CVE-2023-37266 Weak json web token (JWT) secrets in CasaOS
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f...
GHSA-M5Q5-8MFW-P2HR CasaOS contains weak JWT secrets
Impact Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. Patches The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4...
CVE-2022-44796
An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically...
GHSA-2H3H-VW8R-82RP Weak JSON Web Token in yapi-vendor
Weak JSON Web Token JWT signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as a source of randomness in jwt signing. Math.random does not provide cryptographically secure random numbers. This has be...
CVE-2021-27884
Weak JSON Web Token JWT signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used...