Reusable JWT Tokens without Expiration in tangro Business Workflow 1.18.1 and Earlier

Reusable JWT Tokens without Expiration in tangro Business Workflow 1.18.1 and Earlier

CVE-2020-26172 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp.

Learn more about our Web Application Penetration Testing UK.