HAXcms: Private Key Disclosure via Broken HMAC Implementation
Summary The hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), allowing them to get full admin...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the attribute handling logic in restHandler/AttributesRestHandlder.go, which is accessible over the /attributes endpoint with /orchestrator/attributes?key=apiTokenSecret. A user can obtain the global API Token...
Use of Hard-coded Cryptographic Key
Overview arcade-mcp-server is a Model Context Protocol (MCP) server framework for Arcade.dev. Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key: the HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal...
formbricks Data Forgery Vulnerability
formbricks is an open source survey system from Formbricks. A data forgery issue vulnerability exists in versions prior to formbricks 4.0.1 that stems from a lack of JWT signature validation, which could lead to arbitrary JWT forgery and password resets...
MICROSENS NMP Web+ Security Vulnerability
MICROSENS NMP Web+ is a network management platform from the German company MICROSENS. A security vulnerability exists in MICROSENS NMP Web+ that originates from an unauthenticated attacker being able to forge a JSON web token to bypass authentication...
DataEase Trust Management Vulnerability
DataEase is an open source data visualization and analysis tool from DataEase Open Source. It is used to help users quickly analyze data and gain insight into business trends for business improvement and optimization. A trust management issue vulnerability exists in DataEase versions prior to...
NeuVector Security Vulnerability
NeuVector is an end-to-end container security platform from US-based NeuVector. The platform includes features such as image vulnerability management, access control and container process/filesystem protection. A security vulnerability exists in previous versions of NeuVector...
CVE-2023-33236
MXsecurity version 1.0 is vulnerable to a hardcoded credential vulnerability. This vulnerability has been reported to be exploitable to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs...
Sign in with Apple JWT Token Forgery Vulnerability
Sign in with Apple is an Apple authentication mechanism. Sign in with Apple JWT token forgery vulnerability can be exploited by an attacker to forge a JWT token and gain control of the target user's account access...