PT-2025-3439 · Unknown · Macrozheng Mall-Tiny

Published: 2025-01-31 · Updated: 2025-09-02 · CVE-2024-57432

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
macrozheng mall-tiny version 1.0.1

Description
The issue concerns insecure permissions in the application. Specifically, the JWT signing keys are hardcoded and never change. User information is written directly into the JWT and then used for subsequent privilege management. This makes it possible to forge the JWT of any user, which allows authentication bypass.

Recommendations
For macrozheng mall-tiny version 1.0.1, regenerate the JWT signing keys and store them securely, outside the source code, to prevent unauthorized access. As a temporary workaround, restrict the user information carried in the JWT to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
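As an added illustration of the recommendations (example code written for this entry, not mall-tiny's own Java code): an HS256 issuer/verifier where the signing keys come from an assumed JWT_KEYS environment variable keyed by kid so they can be rotated, the token carries only subject and expiry, and the role used for authorization is looked up in a server-side store rather than trusted from the claims.

```python
import base64, hashlib, hmac, json, os, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_keyring(raw=None) -> dict:
    """Parse 'kid:secret,kid:secret' from JWT_KEYS (assumed variable name).
    Fails closed on a missing or short secret: there is no built-in fallback key."""
    raw = os.environ.get("JWT_KEYS") if raw is None else raw
    if not raw:
        raise RuntimeError("JWT_KEYS not set; refusing to start with a hardcoded key")
    keyring = {}
    for entry in raw.split(","):
        kid, secret = entry.split(":", 1)
        if len(secret) < 32:
            raise RuntimeError(f"key {kid!r} is shorter than 32 characters")
        keyring[kid] = secret.encode()
    return keyring

def issue(sub: str, kid: str, keyring: dict, ttl: int = 3600) -> str:
    """Mint an HS256 token carrying only subject and expiry, never roles."""
    head = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(keyring[kid], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify(token: str, keyring: dict):
    # Returns the claims only if alg is pinned to HS256, the kid names a
    # current key, the signature matches and the token has not expired.
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
        key = keyring.get(header.get("kid")) if header.get("alg") == "HS256" else None
        if key is None:
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError):
        return None

# Constructed stand-in for the server-side user store; roles are resolved here by subject.
USER_ROLES = {"alice": "customer", "root": "administrator"}

def role_for(token: str, keyring: dict):
    claims = verify(token, keyring)
    return None if claims is None else USER_ROLES.get(claims.get("sub"))
```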

Exploit

Incorrect Authorization

Improper Authentication


Weakness Enumeration

Related Identifiers
CVE-2024-57432

Affected Products
Macrozheng Mall-Tiny