Summary

Acunetix 360 detected an out-of-band command injection vulnerability in the kid parameter of a JSON Web Token. The finding was confirmed by capturing a DNS A-record request, which is issued when the submitted input is interpreted and executed as an operating system command.

Remediation

  • Use an allow-list of valid values and disallow any other input.

Severity

  Critical

Classification

  PCI v3.2-6.5.1, CAPEC-88, CWE-78, ISO27001-A.14.2.5, WASC-31, OWASP 2013-A1, OWASP 2017-A1
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
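The following is an added example, not code from Acunetix or from the scanned application, showing the allow-list remediation applied to JWT key selection. The kid header value is used only as a dictionary key into a fixed set of known keys; it is never interpolated into a shell command, file path or any other interpreter, so a hostile kid is simply rejected before the token is processed further. The key identifiers, secrets and sample tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed allow-list: the only kid values the service will accept, mapped
# to their HMAC secrets. A real deployment would load these from a key store,
# but the lookup shape (exact match against a fixed set) is the point.
KEY_ALLOW_LIST = {
    "app-key-1": b"constructed-secret-one",
    "app-key-2": b"constructed-secret-two",
}


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def resolve_key(token: str) -> bytes:
    """Return the HMAC secret selected by the token's kid, or raise ValueError.

    The kid is only ever compared against KEY_ALLOW_LIST; no OS command, file
    lookup or database query is built from it, so there is nothing for an
    injected string to reach.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header = json.loads(_b64url_decode(parts[0]))
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEY_ALLOW_LIST:
        raise ValueError("unknown or missing kid")
    return KEY_ALLOW_LIST[kid]


def verify_hs256(token: str) -> dict:
    """Verify an HS256 token whose key is chosen via the allow-listed kid."""
    key = resolve_key(token)
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def make_token(kid: str, payload: dict, key: bytes) -> str:
    """Build an HS256 token; used here only to construct sample input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def demo() -> dict:
    """Run one valid token and one with a hostile kid through verification."""
    good = make_token("app-key-1", {"sub": "alice"}, KEY_ALLOW_LIST["app-key-1"])
    # Constructed hostile kid: contains a shell metacharacter and is not in
    # the allow-list, so it must be rejected regardless of the signature.
    hostile = make_token("app-key-1;x", {"sub": "alice"}, b"attacker-key")
    results = {"good": verify_hs256(good)["sub"]}
    try:
        verify_hs256(hostile)
        results["hostile"] = "accepted"
    except ValueError as exc:
        results["hostile"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list check runs before any signature work, so an unknown kid is rejected without touching key material at all. Rejecting on exact-match membership is preferable to trying to strip shell metacharacters from the kid, since the set of characters that matter depends on whatever downstream interpreter the value would otherwise reach.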