
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged-in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which could result in site takeover. • https://wpscan.com/vulnerability/6f015e8e-462b-4ef7-a9a1-bb91e7d28e37 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function, which "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation. • https://plugins.trac.wordpress.org/changeset/2613782 https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb • CWE-326: Inadequate Encryption Strength, CWE-330: Use of Insufficiently Random Values

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 2

Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will treat the public key as an HMAC secret key. This could be used to forge any data an attacker wants. • https://github.com/thepcn3rd/jwtToken-CVE-2016-10555 https://github.com/scent2d/PoC-CVE-2016-10555 https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries https://github.com/hokaccha/node-jwt-simple/pull/14 https://github.com/hokaccha/node-jwt-simple/pull/16 https://nodesecurity.io/advisories/87 • CWE-20: Improper Input Validation, CWE-310: Cryptographic Issues