Hard-coded JWT Secret in Headwind MDM Web Panel 5.22.1 Allows for Incorrect Access Control

Hard-coded JWT Secret in Headwind MDM Web Panel 5.22.1 Allows for Incorrect Access Control

CVE-2023-47315 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to a hard-coded JWT Secret. The secret is hardcoded into the source code available to anyone on Git Hub. This secret is used to sign the application’s JWT token and verify the incoming user-supplied tokens.

Learn more about our Web App Pen Testing.