Submit #735349: Zhongbang CRMEB v5.6.3 Authentication Bypass by

Title: Zhongbang CRMEB v5.6.3 Authentication Bypass by
Description: The remote_register endpoint accepts base64-encoded JSON tokens without verifying JWT signatures. Attackers can forge arbitrary tokens to create unlimited fake accounts or log in as any existing user by specifying any uid value. The root cause is using JWT::urlsafeB64Decode() instead of JWT::decode(). The former only decodes base64 without cryptographic signature verification, while the latter properly validates JWT signatures.
Source: https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md
User: Ho Cherry (UID 94105)
Submission: 09/01/2026 15:53 (5 months ago)
Moderation: 19/01/2026 16:28 (10 days later)
Status: Accepted
VulDB entry: 341789 [CRMEB up to 5.6.3 JSON Token LoginServices.php remoteRegister uid weak authentication]
Points: 20
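
The root cause named in the description, decode-only versus decode-and-verify, shown as an added example that is not CRMEB's code or the reporter's. It hand-rolls HS256 with PHP built-ins instead of calling the JWT class the report names, so it runs without dependencies; the function names, secret and tokens are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: function names are hypothetical, secret and tokens are constructed.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): string
{
    $bin = base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    if ($bin === false) { throw new UnexpectedValueException('bad base64url'); }
    return $bin;
}

// Pattern from the report: the payload is decoded, the signature is never checked.
function claims_unverified(string $token): array
{
    $claims = json_decode(b64url_decode(explode('.', $token)[1] ?? ''), true);
    return is_array($claims) ? $claims : [];
}

// Hardened form: pin the algorithm, verify the HMAC in constant time, then read claims.
function claims_verified(string $token, string $secret): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) { throw new UnexpectedValueException('wrong segment count'); }
    [$h64, $p64, $s64] = $parts;
    $header = json_decode(b64url_decode($h64), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') { throw new UnexpectedValueException('unexpected alg'); }
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    if (!hash_equals($expected, b64url_decode($s64))) { throw new UnexpectedValueException('signature mismatch'); }
    $claims = json_decode(b64url_decode($p64), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) { throw new UnexpectedValueException('expired or malformed claims'); }
    return $claims;
}

$secret = 'constructed-demo-secret';
$h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p = b64url_encode(json_encode(['uid' => 1001, 'exp' => time() + 300]));
$good = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
// Same token with a different uid in the payload and the original signature kept.
$p2 = b64url_encode(json_encode(['uid' => 1, 'exp' => time() + 300]));
$tampered = "$h.$p2." . explode('.', $good)[2];

var_dump(claims_verified($good, $secret)['uid']);   // signed token is accepted
var_dump(claims_unverified($tampered)['uid']);      // decode-only path trusts the altered uid
try { claims_verified($tampered, $secret); } catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
```

A regression test for the fix can reuse the last three lines: any token whose payload changes after signing must raise before the uid is read.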
