CVE-2023-5074
D-View 8 supports login with an API key, but the supplied API key in the JWT token (accessToken) is not checked if there is no API key configured for the login user. With a known JWT secret key, an unauthenticated remote attacker can craft a valid JWT token and use the token to access protected APIs.
