Source Code Developer: Beijing Yunfan Internet Technology Co., Ltd
Source code name:yfexam-exam
Source code version:1.9.2
Source code official website:https://www.jeedocm.com/?plan=githuby
Source code download link:https://github.com/qiutiandefeng/yfexam-exam/archive/refs/heads/main.zip
Vulnerability description:
Logging out in src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl.java does not invalidate the JWT, and the JWT this system issues is accepted universally, so any server running this system is affected. Setting the JWT in a request to eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzQ5NTQ2NjEsInVzZXJuYW1lIjoicGVyc29uIn0.6tEVOLvOYme17vn8p4UF2mTG2oxwtCPgHzgQ7Fxmgga4 lets a client use the interface without logging in and directly obtain administrator privileges on any deployment.
Code Audit:
The logout handler in src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControlle.java does not invalidate the JWT.
Vulnerability verification:
Currently not logged in
Send the following request directly; only the host needs to be changed to your own IP and port, and the JWT does not need to be modified.
A fixed JWT (eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzQ5NTQ2NjEsInVzZXJuYW1lIjoicGVyc29uIn0.6tEVOLvOYme17vn8p4UF2mTG2oxwtCPgHzgQ7Fxmga4) can therefore be used to call any interface of this system. Every website that runs this system is affected, so the impact is severe.
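The two defects reported above (logout that leaves the token valid, and a token that verifies on every installation) are both fixed server-side. The following is an added illustration, not code from yfexam-exam: an HS256 token service with a per-deployment random secret, an `exp` check, and a revocation list populated on logout. The claim names `exp` and `username` are taken from the token shown in the report; everything else (class and method names, the constructed secrets) is assumed for the example.

```python
import base64, hashlib, hmac, json, os, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class TokenService:
    """HS256 tokens: per-deployment secret, expiry, and logout revocation (assumed design)."""

    def __init__(self, secret=None, ttl_seconds=3600):
        # A random secret per deployment: a token minted by another installation
        # (or by anyone who read a shared default secret) fails signature verification here.
        self.secret = secret or os.urandom(32)
        self.ttl = ttl_seconds
        self.revoked = {}  # sha256(token) -> exp; entries are dropped once the token expires

    def issue(self, username, now=None):
        now = int(time.time()) if now is None else now
        header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
        payload = _b64url(json.dumps({"exp": now + self.ttl, "username": username}, separators=(",", ":")).encode())
        sig = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify(self, token, now=None):
        """Return the claims if the token is valid for this deployment, else None."""
        now = int(time.time()) if now is None else now
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header = json.loads(_b64url_decode(h_b64))
            # Pin the algorithm before trusting anything in the payload.
            if not isinstance(header, dict) or header.get("alg") != "HS256":
                return None
            expected = hmac.new(self.secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
                return None
            claims = json.loads(_b64url_decode(p_b64))
        except ValueError:  # bad base64, bad JSON, wrong number of segments
            return None
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        self.revoked = {d: exp for d, exp in self.revoked.items() if exp > now}  # prune expired entries
        if hashlib.sha256(token.encode()).hexdigest() in self.revoked:
            return None  # logged out: rejected until exp, after which it is rejected anyway
        return claims

    def logout(self, token, now=None):
        """Revoke a still-valid token; the entry only needs to live until the token's exp."""
        claims = self.verify(token, now)
        if claims:
            self.revoked[hashlib.sha256(token.encode()).hexdigest()] = claims["exp"]
```

The revocation map must be shared across application instances (for example in the same store that holds sessions) for logout to take effect cluster-wide.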