An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user.
Exploitability
AV:LAC:HAT:NPR:LUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:HSI:HSA:H8.8/CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H