Submeter #735349: Zhongbang CRMEB v5.6.3 Authentication Bypass byinformação

TítuloZhongbang CRMEB v5.6.3 Authentication Bypass by
DescriçãoThe remote_register endpoint accepts base64-encoded JSON tokens without verifying JWT signatures. Attackers can forge arbitrary tokens to create unlimited fake accounts or login as any existing user by specifying any uid value. The root cause is using JWT::urlsafeB64Decode() instead of JWT::decode(). The former only decodes base64 without cryptographic signature verification, while the latter properly validates JWT signatures.
Fonte⚠️ https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md
Utilizador
 Ho Cherry (UID 94105)
Submissão09/01/2026 15h53 (há 5 meses)
Moderação19/01/2026 16h28 (10 days later)
EstadoAceite
Entrada VulDB341789 [CRMEB até 5.6.3 JSON Token LoginServices.php remoteRegister uid Autenticação fraca]
Pontos20

VoltarVisão GeralPróximo

Do you know our Splunk app?

Download it now for free!