Vulnerability Summary
Hardcoded admin token in public JS → unauthenticated admin API session → live tampering of 774 public form labels (legal/payment/support text) on a government portal, plus AES password-encryption key disclosure.
A hardcoded authentication token was embedded in a public JavaScript bundle served from the admin panel at /forms/[APP]/admin/assets/index-[hash].js.
An unauthenticated attacker could extract this token, exchange it for a valid admin API session through the vLogin endpoint — no credentials, no captcha, no OTP — and then use that session to modify the 774 UI language strings (386 English + 388 Arabic) rendered to every visitor of a public, government-facing certificate-verification form. Modifiable content included form labels, payment text, legal authorization (Letter of Authorization) documents, support contact details and button text.
The changes propagated in real time to the public getLangMaster API and rendered on the form immediately. The same JS file also exposed the AES encryption key (aesEncryptionKey...) used to encrypt all user passwords in the system, along with server file paths, internal hostnames and verbose PHP stack traces.
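The root cause above is a secret that survived into a client-delivered bundle. The following added example (not part of the original report, and not the portal's code) is a pre-deploy check a defender could run over built JavaScript assets: it looks for string literals assigned to secret-looking identifiers and filters on Shannon entropy so that ordinary UI labels and URLs do not drown out real keys. The bundle contents, identifiers and values below are constructed for the example.

```python
import math
import re

# Constructed sample of a minified bundle. The identifiers and values are made
# up for this example; they are not the vulnerable file's contents.
SAMPLE_BUNDLE = (
    'const e={apiBase:"https://portal.example/api",'
    'authToken:"9f2c1b7e4d0a8c3f6b5e2d1a9c8b7f6e",'
    'aesEncryptionKey:"Q2h4dWtBZXNLZXlTYW1wbGUxMjM0NTY3OA==",'
    'tokenLabel:"Enter token here",'
    'theme:"light",retries:3,label:"Submit"};'
)

# identifier followed by ':' or '=' and a quoted literal of at least 8 chars
ASSIGNMENT = re.compile(
    r'(?P<name>[A-Za-z_$][\w$]*)\s*[:=]\s*["\'](?P<value>[^"\']{8,})["\']'
)
# identifier fragments that usually name credentials or key material
SENSITIVE_WORDS = ("token", "secret", "key", "password", "passwd", "auth", "api")
URL_LIKE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, prose scores low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(js_source: str, min_entropy: float = 3.5) -> list:
    """Return assignments whose name looks sensitive and whose value looks random.

    Two filters are combined: a keyword match on the identifier (cheap, noisy)
    and an entropy threshold on the literal (drops labels like "Enter token
    here"). URL-like values are skipped because endpoints are meant to be public.
    """
    findings = []
    for match in ASSIGNMENT.finditer(js_source):
        name, value = match.group("name"), match.group("value")
        if not any(word in name.lower() for word in SENSITIVE_WORDS):
            continue
        if URL_LIKE.match(value):
            continue
        entropy = shannon_entropy(value)
        if entropy < min_entropy:
            continue
        findings.append({
            "name": name,
            "entropy": round(entropy, 2),
            "offset": match.start(),
            # never echo the literal itself into CI logs; a prefix is enough
            "preview": value[:4] + "..." + "*" * max(0, len(value) - 4),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_BUNDLE):
        print(f"{finding['name']:20s} entropy={finding['entropy']} "
              f"offset={finding['offset']} value={finding['preview']}")
```

Run it as a build step over `dist/**/*.js` and fail the pipeline on any finding; the two constructed values above are reported, while `apiBase` (a URL) and `tokenLabel` (a low-entropy UI string) are not. The entropy threshold is a heuristic, so tune it against your own bundles rather than treating 3.5 as universal.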