PT-2023-20049 · Unknown · Cleverstupiddog Yf-Exam
Cleverstupiddog · Published 2023-03-03 · Updated 2025-03-07 · CVE-2023-25403
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
CleverStupidDog yf-exam version 1.8.0
Description
The vulnerability is an authentication bypass. It is caused by the application signing JWTs with a fixed key, and the stored key is made up of username-format characters. As a result, a token can be forged for any user who has logged in within the last 24 hours by supplying that user's username, which bypasses authentication.
Recommendations
For CleverStupidDog yf-exam version 1.8.0, regenerate the JWT signing key with a secure, non-fixed value (random, per deployment, and never derived from usernames or other predictable data) to prevent token forgery. Additionally, restrict the use of username-format characters in stored keys to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
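The recommendation above boils down to one property: the server's HS256 key must be unpredictable and must not be shared with or derivable by clients. The following Python snippet is an added illustration written for this entry, not code from yf-exam or from the advisory; it implements HS256 JWT issue/verify with only the standard library, generates the key from the OS CSPRNG, and shows that a token signed with a guessable placeholder key (the constant `PLACEHOLDER_FIXED_KEY`, constructed here and unrelated to the real product key) is rejected by a server holding a properly generated key. The `KeyPolicyError` check and the 32-byte minimum are assumptions of this example, not requirements stated on the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholder standing in for "a fixed key in source"; not the product's key.
PLACEHOLDER_FIXED_KEY = b"fixed-key-placeholder"

MIN_KEY_BYTES = 32  # assumption for this example: at least 256 bits of key material


class KeyPolicyError(ValueError):
    """Raised when a signing key fails the minimum-entropy policy."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_signing_key() -> bytes:
    """Per-deployment secret from the OS CSPRNG; never a constant in the code base."""
    return secrets.token_bytes(MIN_KEY_BYTES)


def check_key_policy(key: bytes) -> None:
    """Reject keys that are too short or that are plain printable text (e.g. a username)."""
    if len(key) < MIN_KEY_BYTES:
        raise KeyPolicyError("JWT key shorter than %d bytes" % MIN_KEY_BYTES)
    if key.isascii() and key.decode("ascii").isprintable():
        raise KeyPolicyError("JWT key looks like human-readable text, not random bytes")


def issue_token(key: bytes, username: str, ttl_seconds: int = 24 * 3600, now=None) -> str:
    """Sign {sub, iat, exp} with HS256 using the given key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, now=None):
    """Return the payload if the HS256 signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return None  # refuse 'none' and any algorithm the server did not choose
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # signature made with a different (e.g. guessed) key
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None  # expired
    return payload


if __name__ == "__main__":
    server_key = generate_signing_key()
    check_key_policy(server_key)
    good = issue_token(server_key, "alice", now=1000)
    print("genuine token accepted:", verify_token(server_key, good, now=2000) is not None)
    forged = issue_token(PLACEHOLDER_FIXED_KEY, "alice", now=1000)
    print("token signed with placeholder key accepted:", verify_token(server_key, forged, now=2000) is not None)
    try:
        check_key_policy(PLACEHOLDER_FIXED_KEY)
    except KeyPolicyError as e:
        print("placeholder key rejected by policy:", e)
```

Running the block shows the genuine token accepted, the token signed with the placeholder key rejected, and the placeholder key itself failing the policy check at startup. The policy check is the piece that turns the recommendation into something testable: a deployment can refuse to boot when its configured JWT secret is short or looks like ordinary text.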
Exploit
IDOR
Weakness Enumeration
Related identifiers
Affected products
Cleverstupiddog Yf-Exam