Description
Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account.
References
suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/
