An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the ex:action parameter in the VerifyUserByThrustedService function to generate a session for any user.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
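The failure described above is the classic JWT "algorithm confusion" defect: the verifier reads the `alg` field from the token header (input the token presenter controls) instead of enforcing the algorithm the service actually issues. The following is an added example, not code from the affected product; `decodeParam` is not reproduced here, and the function and key names are illustrative assumptions. It implements a minimal HS256 signer and a verifier that pins the expected algorithm before checking the signature, so a token whose header claims any other algorithm (including `none`) is rejected regardless of what follows.

```python
# Added example: a JWT/JWS verifier that pins the expected signing
# algorithm rather than trusting the token header's "alg" field.
# Function and key names are constructed for this illustration.
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding before decoding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 (the only algorithm
    this hypothetical service ever issues)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def verify_token(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Return the claims only if the header's alg equals expected_alg AND
    the HMAC over header.payload verifies under key. Raises ValueError
    otherwise. The header is never allowed to choose the verification
    path; that is the check the vulnerable decoder lacked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm up front. Any mismatch, including "none",
    # "HS512", or a missing field, is a hard failure.
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if expected_alg != "HS256":
        raise ValueError("this verifier only supports HS256")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def is_valid(token: str, key: bytes) -> bool:
    """Boolean wrapper around verify_token for callers that only need a gate."""
    try:
        verify_token(token, key)
        return True
    except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    KEY = b"constructed-test-key-do-not-reuse"
    token = sign_hs256({"sub": "alice", "role": "user"}, KEY)
    print("issued token accepted:", is_valid(token, KEY))
    unsigned_header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = token.split(".")[1]
    print("alg=none header rejected:", not is_valid(f"{unsigned_header}.{payload}.", KEY))
```

The design point is the order of operations: the expected algorithm is a parameter of the verifier, compared against the header before any signature logic runs. Established libraries expose the same control; PyJWT, for example, requires `jwt.decode(token, key, algorithms=["HS256"])`, and leaving that allow-list open is the library-level equivalent of the defect in `decodeParam`. When auditing a service like this, the check to look for is whether the verifying code ever branches on a value read out of the token itself.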