PT-2023-20049 · Unknown · Cleverstupiddog Yf-Exam
Cleverstupiddog · Published 2023-03-03 · Updated 2025-03-07 · CVE-2023-25403 · CVSS v3.1 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
CleverStupidDog yf-exam version 1.8.0
Description
The issue is an authentication bypass. The program signs JWTs with a fixed key, and the stored key is made up of username-format characters. As a result, a token can be forged for any user who logged in within the last 24 hours simply by knowing that user's username, which bypasses authentication.
Recommendations
For CleverStupidDog yf-exam version 1.8.0, regenerate the JWT signing key with a secure, non-fixed value so that tokens cannot be forged. Additionally, do not derive or compose stored keys from username-format characters, which would otherwise make the key guessable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
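The description and recommendation above come down to one property: the HS256 signing key must be a random secret that nothing user-visible (such as a username) can reproduce. The following is an added illustration, not code from yf-exam, of a minimal HS256 mint/verify pair whose key comes from the OS CSPRNG; the function names, the 24-hour TTL and the sample username are assumptions for the example. A token signed under a guessable, username-derived key fails verification against the real key.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_signing_key() -> bytes:
    # 256 bits from the OS CSPRNG: not a constant in source and not built from a username.
    return secrets.token_bytes(32)


def mint_token(key: bytes, username: str, now: int, ttl: int = 86400) -> str:
    """Issue an HS256 JWT for `username` valid for `ttl` seconds (24h, matching the advisory)."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": username, "iat": now, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(key: bytes, token: str, now: int):
    """Return the username if `token` is validly signed under `key` and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" from the token
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    return payload.get("sub")
```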
Exploit
IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Cleverstupiddog Yf-Exam