Description

JSON Web Token (JWT) can be digitally signed for protection against data tampering. For this purpose the web application uses the HMAC algorithm with a secret key. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.

Remediation

Change the value of secret to a long random string

References

JSON Web Token

Related Vulnerabilities

Reverse Proxy Detected

Unrestricted access to Caddy API interface

Docker Engine API is accessible without authentication

Insecure Transportation Security Protocol Supported (SSLv2)

JavaMelody publicly accessible

Severity

Critical

Classification

CWE-345 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Weak Credentials Default Credentials