Vulnerabilities

CVE-2025-30064

by Fred · 27/08/2025

An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the “ex:action” parameter in the VerifyUserByThrustedService function to generate a session for any user.

More information : https://cert.pl/en/posts/2025/08/CVE-2025-2313/

Similar

Tags: Cybersecurity Alert