Submit #603726: https://github.com/mao888 https://github.com/mao888/bluebell-plus v2.3.0 Authorization Bypass

Title: https://github.com/mao888 https://github.com/mao888/bluebell-plus v2.3.0 Authorization Bypass
Description: The JWT secret key is hardcoded in the source code, making it easy for an attacker to forge valid JWT tokens and bypass authentication mechanisms. You can easily forge a valid token and create any posts or comments with it. Details can be found in https://github.com/mao888/bluebell-plus/issues/35.
Source: https://github.com/mao888/bluebell-plus/issues/35
User: Tritium (UID 50779)
Submission: 06/25/2025 11:37 (10 months ago)
Moderation: 07/05/2025 14:45 (10 days later)
Status: Accepted
VulDB entry: 314993 [mao888 bluebell-plus up to 2.3.0 JWT Token jwt.go mySecret hard-coded password]
Points: 18
