Creativeitem Academy LMS Hardcoded JWT Secret Authentication Bypass Vulnerability

Vulnerability

A vulnerability exists in Creativeitem Academy LMS versions through 6.14, where a hardcoded default JSON Web Token (JWT) secret is used for signing tokens. This predictable secret enables attackers to forge valid JWT tokens, bypass authentication, and gain unauthorized access to user accounts, including administrative privileges. The vulnerability arises from the use of a static secret that is the same across all default installations, allowing for easy exploitation once the secret is known.

Impact

Exploitation of this vulnerability allows for authentication bypass, unauthorized access to user accounts, and privilege escalation to administrative rights. Attackers can access sensitive user data and system functions, depending on the account accessed.

Reproduction

The vulnerability can be reproduced by obtaining the default JWT secret from the source code of Academy LMS versions through 6.14. Once the secret is known, an attacker can forge JWT tokens using the HS256 algorithm. This forged token can then be used to authenticate as any user, including an administrator.

Remediation

Users are advised to change the JWT secret to a secure, random value, invalidate all existing JWT tokens, and force users to re-authenticate. The new secret should be stored in environment variables or a secure configuration file, rather than hardcoded in the source code.
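The following is an added example, not code from Creativeitem or the Academy LMS project, showing how the remediation steps above fit together on a server: generate a long random secret, refuse to start when the configured secret is missing, a known default, or too short, and verify HS256 tokens so that anything issued before the secret was rotated is rejected and the user must log in again. The placeholder string, the JWT_SECRET environment variable name, and the rotated_at timestamp are assumptions for illustration; the real default secret is deliberately not reproduced.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time

# Hypothetical placeholder standing in for a shipped default secret (assumption;
# the actual value is not reproduced here). A deployment must never run with it.
PLACEHOLDER_DEFAULT_SECRET = "CHANGE_ME_DEFAULT_SECRET_PLACEHOLDER"
MIN_SECRET_BYTES = 32  # HS256 keys should be at least as long as the hash output


def generate_secret() -> str:
    """Return a fresh, unpredictable secret suitable for HS256 signing."""
    return secrets.token_urlsafe(48)


def load_secret(env=None) -> str:
    """Read JWT_SECRET from the environment and fail closed on weak values."""
    env = os.environ if env is None else env
    secret = env.get("JWT_SECRET", "")
    if (not secret or secret == PLACEHOLDER_DEFAULT_SECRET
            or len(secret.encode()) < MIN_SECRET_BYTES):
        raise RuntimeError("JWT_SECRET is missing, default, or too short; refusing to start")
    return secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: str) -> str:
    """Issue an HS256 token; callers should always include an 'iat' claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, secret: str, rotated_at: int, now=None):
    """Return the claims if the token is valid, otherwise None.

    rotated_at is the Unix time at which the secret was last changed; tokens
    issued before it are treated as invalidated so their holders re-authenticate.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, binascii.Error):
        return None
    # Pin the algorithm: reject 'none' and anything other than the expected HMAC.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except (ValueError, binascii.Error):
        return None
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat < rotated_at:
        return None  # issued before the rotation: force a fresh login
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        return None
    return claims


if __name__ == "__main__":
    # Constructed demonstration values; in production JWT_SECRET comes from the environment.
    secret = load_secret({"JWT_SECRET": generate_secret()})
    rotated_at = int(time.time())
    stale = sign({"sub": "user1", "iat": rotated_at - 3600}, secret)
    fresh = sign({"sub": "user1", "iat": rotated_at + 1, "exp": rotated_at + 3600}, secret)
    print("stale token accepted:", verify(stale, secret, rotated_at) is not None)
    print("fresh token accepted:", verify(fresh, secret, rotated_at) is not None)
```

Keeping rotated_at in persistent configuration alongside the secret lets the application drop every token minted under the old secret without maintaining a denylist; the signature check alone already rejects such tokens once the secret changes, and the iat check additionally covers the case where a secret is rotated back or reused.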

Added: Oct 15, 2025, 3:25 PM
Updated: Oct 15, 2025, 6:25 PM

Vulnerability Rating

Custom Algorithm

Metric           Score
spread           3.1
impact           5.0
exploitability   9.5
remediation      8.3
relevance        0.7
threat           6.4
urgency          2.9
incentive        10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.