CVE-2021-31590

Name of the Vulnerable Software and Affected Versions PwnDoc versions prior to 0.4.0

Description The issue is related to incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken used for authentication and authorization, a user can maintain admin privileges even after being downgraded to a "user" privilege. Furthermore, even after a user's account is deleted, the user can still access the administration panel, add or delete users, and has complete access to the system.

Recommendations For versions prior to 0.4.0, update to version 0.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of JSON Webtokens for authentication and authorization until a patch is available. Restrict access to the administration panel to minimize the risk of exploitation. Avoid using the JSON Webtoken for users who have been downgraded to "user" privilege or have had their accounts deleted.