SYM_RB_0002 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-522: Insufficiently Protected Credentials |
OWASP | A02:2017 - Broken Authentication |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
The code stores user passwords inside the payload of JWT tokens. Because a JWT payload is only base64url-encoded, not encrypted, anyone who obtains the token can decode it and read the password without needing a key or any signature check.
Impact
If exploited, an attacker who obtains a JWT token can trivially extract the user's password from it, leading to account compromise, unauthorized access, and broader breaches of your system and of other services where users reuse the same password.
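The following Python is an added illustration, not code from this database entry: it builds a minimal HS256 JWT with the standard library (the signing key and the user/password values are constructed samples), shows that the payload of the vulnerable token can be read by anyone without the key, flags the exposed claim, and contrasts it with a token that carries only an identifier and a role.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key; a real service loads this from a secrets store.
SECRET = b"example-signing-key"
# Claim names a reviewer or scanner would treat as CWE-522 exposures.
SENSITIVE_CLAIMS = {"password", "passwd", "pwd", "secret"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issue_jwt(claims: dict) -> str:
    """Minimal HS256 JWT issuer used only to build the sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def read_payload_unverified(token: str) -> dict:
    """What any token holder can do: decode the payload, no key needed."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def sensitive_claims_in(token: str) -> set:
    """Detection check: which sensitive claim names does this token expose?"""
    return {k for k in read_payload_unverified(token) if k.lower() in SENSITIVE_CLAIMS}

# Vulnerable pattern from the page: the password is placed in the payload.
def login_vulnerable(user: str, password: str) -> str:
    return issue_jwt({"sub": user, "password": password})

# Hardened pattern: the token carries only a subject and a role claim;
# the password never leaves the server-side verification step.
def login_hardened(user: str, role: str) -> str:
    return issue_jwt({"sub": user, "role": role})

if __name__ == "__main__":
    bad = login_vulnerable("alice", "hunter2")
    print("exposed claims:", sensitive_claims_in(bad))   # {'password'}
    print("payload anyone can read:", read_payload_unverified(bad))
    good = login_hardened("alice", "user")
    print("exposed claims:", sensitive_claims_in(good))  # set()
```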