Hireflow
Monthly
Authentication bypass in HireFlow interview management system (versions 1.2 and earlier) lets unauthenticated remote attackers forge signed session cookies because app.py ships a hard-coded Flask secret_key. Since the key is present in the public source tree, any attacker can mint cookies asserting role=admin and arbitrary user_id values to gain full administrative access. Rated CVSS 10.0; no public exploit is identified at time of analysis, though the flaw is trivially reproducible from the disclosed source value.
Authentication bypass in HireFlow interview management system (versions 1.2 and earlier) lets unauthenticated remote attackers forge signed session cookies because app.py ships a hard-coded Flask secret_key. Since the key is present in the public source tree, any attacker can mint cookies asserting role=admin and arbitrary user_id values to gain full administrative access. Rated CVSS 10.0; no public exploit is identified at time of analysis, though the flaw is trivially reproducible from the disclosed source value.