JWT algorithm confusion
We sent a token whose header declared an algorithm the server should not have accepted, and the server accepted it. HS256 (HMAC with SHA-256) is a symmetric algorithm, meaning the same key is used both to sign and to verify the token.
You must enforce the algorithm used to verify the token on the server side, rather than trusting the alg value carried in the token header.
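An added example (not Escape's code) of a verifier that pins the algorithm instead of reading it from the token header, using only the Python standard library; the secret and the sample claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service loads this from its secret store.
SECRET = b"constructed-example-key"
# The verifier decides the algorithm; the token header never does.
ALLOWED_ALG = "HS256"

def _b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    # Helper that builds a constructed sample token for the demo.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token is valid under ALLOWED_ALG, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Enforce the algorithm: "none", RS256 or anything else is rejected before
    # any signature work, and the key is the server's, chosen independently of the header.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))

if __name__ == "__main__":
    token = sign_hs256({"sub": "alice"}, SECRET)
    print(verify_jwt(token, SECRET))  # prints {'sub': 'alice'}
```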
Escape Severity: HIGH
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
- CVSS_SCORE: 9.3