CVE-2023-49259

The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable time.

CVE-2023-49256

It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static key.

CVE-2023-49261

The "tokenKey" value used in user authorization is visible in the HTML source of the login page.