CVE-2023-25403

Published: Mar 3, 2023Modified: Mar 7, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

CleverStupidDog yf-exam v 1.8.0 is vulnerable to Authentication Bypass. The program uses a fixed JWT key, and the stored key uses username format characters. Any user who logged in within 24 hours. A token can be forged with his username to bypass authentication.

Affected (1)

Products: Yf Exam Project: Yf Exam

Yf Exam Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yf Exam Project Yf Exam	Version 1.8.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/CleverStupidDog/yf-exam/issues/2

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/Fw-fW-fw/UPDATE-CVE/blob/main/CVE-2023-25403

Source: cve@mitre.org

Third Party Advisory

https://github.com/CleverStupidDog/yf-exam/issues/2

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/Fw-fW-fw/UPDATE-CVE/blob/main/CVE-2023-25403

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.