FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to…
mitre·CWE-798·Published 2026-02-03
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no `secretCode` is provided.
FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no `secretCode` is provided.
FUXA v1.2.7 contiene una vulnerabilidad de credenciales codificadas de forma rígida en server/api/jwt-helper.js. La aplicación utiliza una clave secreta codificada de forma rígida para firmar y verificar tokens JWT. Esto permite a atacantes remotos forjar tokens de administrador válidos y eludir la autenticación para obtener acceso administrativo completo.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 9.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 9.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 8.1 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| 4.0 | Secondary | GHSA | 8.1 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |