CWE-276
AllowedIncorrect Default Permissions
Abstraction: Base · Status: Draft
During installation, installed file permissions are set to allow anyone to modify those files.
2035 vulnerabilities reference this CWE, most recent first.
GHSA-6V84-2CCF-99QX
Vulnerability from github – Published: 2022-04-27 00:00 – Updated: 2022-05-07 00:01An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).
{
"affected": [],
"aliases": [
"CVE-2022-28218"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).",
"id": "GHSA-6v84-2ccf-99qx",
"modified": "2022-05-07T00:01:05Z",
"published": "2022-04-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28218"
},
{
"type": "WEB",
"url": "https://ciphermail.com"
},
{
"type": "WEB",
"url": "https://lists.ciphermail.com/hyperkitty/list/security@lists.ciphermail.com/thread/WRWHQUACXWXQA42KXXQQ6EEP6SBBM5BM"
},
{
"type": "WEB",
"url": "https://www.ciphermail.com/webmail-release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6VVF-X3W7-J2C2
Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-07-13 00:00In onStart of MainActivity.java, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-142936525
{
"affected": [],
"aliases": [
"CVE-2020-0202"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "In onStart of MainActivity.java, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-142936525",
"id": "GHSA-6vvf-x3w7-j2c2",
"modified": "2022-07-13T00:00:42Z",
"published": "2022-05-24T17:20:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0202"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2020-06-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6VWP-MFGG-RH6C
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permissions that allow local Information Disclosure.
{
"affected": [],
"aliases": [
"CVE-2021-38379"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permissions that allow local Information Disclosure.",
"id": "GHSA-6vwp-mfgg-rh6c",
"modified": "2022-05-24T19:18:57Z",
"published": "2022-05-24T19:18:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38379"
},
{
"type": "WEB",
"url": "https://cfengine.com/blog/2021/cve-2021-38379-and-cve-2021-36756"
},
{
"type": "WEB",
"url": "https://docs.cfengine.com/docs/3.18/enterprise-cfengine-guide.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6W33-QWCQ-2QR3
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28In devicepolicy service, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-155183624
{
"affected": [],
"aliases": [
"CVE-2020-0297"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T21:15:00Z",
"severity": "MODERATE"
},
"details": "In devicepolicy service, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-155183624",
"id": "GHSA-6w33-qwcq-2qr3",
"modified": "2022-05-24T17:28:35Z",
"published": "2022-05-24T17:28:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0297"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-11"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6W4Q-23CF-J9JP
Vulnerability from github – Published: 2022-09-21 18:32 – Updated: 2022-09-21 18:32Impact
A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object.
Note that assigning a session to a foreign user does not usually change the privileges of neither of the two users, according to how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges this vulnerability may have a higher level of severity.
The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to then authenticate as that user with the known session token. The vulnerability only exists for foreign session objects, a user cannot assign their own session to another user.
While it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID, even though the attacker would not know to which user a successfully guessed session object ID belongs.
Patches
The fix prevents writing to foreign session objects, even if the session object ID is known.
Workarounds
Add a beforeSave trigger to the _Session class and prevent writing if the requesting user is different from the user in the session object.
References
- GitHub advisory GHSA-6w4q-23cf-j9jp
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39225"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-669"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T18:32:01Z",
"nvd_published_at": "2022-09-23T07:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object.\n\nNote that assigning a session to a foreign user does not usually change the privileges of neither of the two users, according to how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges this vulnerability may have a higher level of severity.\n\nThe vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to then authenticate as that user with the known session token. The vulnerability only exists for foreign session objects, a user cannot assign their own session to another user.\n\nWhile it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID, even though the attacker would not know to which user a successfully guessed session object ID belongs.\n\n### Patches\n\nThe fix prevents writing to foreign session objects, even if the session object ID is known.\n\n### Workarounds\n\nAdd a `beforeSave` trigger to the `_Session` class and prevent writing if the requesting user is different from the user in the session object.\n\n### References\n\n- GitHub advisory [GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp)",
"id": "GHSA-6w4q-23cf-j9jp",
"modified": "2022-09-21T18:32:01Z",
"published": "2022-09-21T18:32:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39225"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/37fed3062ccc3ef1dfd49a9fc53318e72b3e4aff"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/4.10.15"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/5.2.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "parse-server\u0027s session object properties can be updated by foreign user if object ID is known"
}
GHSA-6X32-2MJM-X4R9
Vulnerability from github – Published: 2024-11-20 00:32 – Updated: 2024-11-20 18:32In createPhonebookDialogView and createMapDialogView of BluetoothPermissionActivity.java, there is a possible permissions bypass. This could lead to local escalation of privilege due to hiding and bypassing the user's ability to disable access to contacts, with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2018-9432"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T22:15:19Z",
"severity": "HIGH"
},
"details": "In createPhonebookDialogView and createMapDialogView of BluetoothPermissionActivity.java, there is a possible permissions bypass. This could lead to local escalation of privilege due to hiding and bypassing the user\u0027s ability to disable access to contacts, with no additional execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-6x32-2mjm-x4r9",
"modified": "2024-11-20T18:32:16Z",
"published": "2024-11-20T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9432"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6X35-4QMM-3QJG
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-04 02:47An Incorrect Default Permissions vulnerability in the BDLDaemon component of Bitdefender AV for Mac allows an attacker to elevate permissions to read protected directories. This issue affects: Bitdefender AV for Mac versions prior to 8.0.0.
{
"affected": [],
"aliases": [
"CVE-2019-17103"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-27T14:15:00Z",
"severity": "MODERATE"
},
"details": "An Incorrect Default Permissions vulnerability in the BDLDaemon component of Bitdefender AV for Mac allows an attacker to elevate permissions to read protected directories. This issue affects: Bitdefender AV for Mac versions prior to 8.0.0.",
"id": "GHSA-6x35-4qmm-3qjg",
"modified": "2024-04-04T02:47:04Z",
"published": "2022-05-24T17:07:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17103"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/support/security-advisories/get-task-allow-entitlement-via-bdldaemon-macos-va-3448"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X3J-5VFG-CRPG
Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-17 00:00In ConnectivityService, there is a possible bypass of network permissions due to a missing permission check. This could lead to local information disclosure of tethering interfaces with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-162952629
{
"affected": [],
"aliases": [
"CVE-2022-20341"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "In ConnectivityService, there is a possible bypass of network permissions due to a missing permission check. This could lead to local information disclosure of tethering interfaces with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-162952629",
"id": "GHSA-6x3j-5vfg-crpg",
"modified": "2022-08-17T00:00:33Z",
"published": "2022-08-13T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20341"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6X7X-GCMF-7R8X
Vulnerability from github – Published: 2026-07-09 20:57 – Updated: 2026-07-09 20:57Summary
The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default_write_acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.
The action's delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables.
Details
Three issues compose the vulnerability.
actions/EraseSpamedCommentsAction.phpperforms no authorization check before processing$_POST['clean']/$_POST['suppr'][]inactions/EraseSpamedCommentsAction.php:
```php
public function run()
{
$wiki = &$this->wiki;
ob_start();
// ...
elseif (isset($_POST['clean'])) {
$deletedPages = '';
if (!empty($_POST['suppr'])) {
foreach ($_POST['suppr'] as $page) {
echo 'Effacement de : ' . $page . "
\n";
if ($wiki->services->get(PageController::class)->delete($page)) {
$deletedPages .= $page . ', ';
}
}
}
}
} ```
No UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check.
- The default action ACL grants access to everyone in
includes/YesWiki.php:
php
$acl = empty($this->config['permissions'][$moduleType][$module])
? '*'
: $this->config['permissions'][$moduleType][$module];
php
if ($acl === null) { return true; }
return $this->CheckACL($acl, $user);
No shipped permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users.
PageController::delete()andPageManager::deleteOrphaned()perform no authorization check and do not validate that the page is actually orphaned inincludes/controllers/PageController.php:38–48:
php
public function delete(string $tag): bool
{
if ($this->entryManager->isEntry($tag)) {
return $this->entryController->delete($tag);
} else {
$this->pageManager->deleteOrphaned($tag);
$this->wiki->LogAdministrativeAction(
$this->authController->getLoggedUserName(),
'Suppression de la page ->""' . $tag . '""'
);
return true;
}
}
in includes/services/PageManager.php:289–310:
php
public function deleteOrphaned($tag)
{
if ($this->securityController->isWikiHibernated()) { throw new \Exception(_t('WIKI_IN_HIBERNATION')); }
unset($this->ownersCache[$tag]);
if (in_array($tag, $this->pageCache)) { unset($this->pageCache[$tag]); }
$this->dbService->query("DELETE FROM ... WHERE tag='{$this->dbService->escape($tag)}' OR comment_on='{$this->dbService->escape($tag)}'");
$this->dbService->query("DELETE FROM ...links... WHERE from_tag='{$this->dbService->escape($tag)}' ");
$this->dbService->query("DELETE FROM ...acls... WHERE page_tag='{$this->dbService->escape($tag)}' ");
// ...further unconditional DELETEs across triples, referrers, tags
}
The companion isOrphaned() method (line 284) exists but is never called from deleteOrphaned(). The function name is misleading as it deletes any page, not just orphans.
PoC
Default fresh install where default_write_acl='*' (per includes/YesWikiInit.php:219), anonymous browsing.
- create a trigger page (anonymous)
POST /?wiki=SpamCleanup/edit HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
body=%7B%7Berasespamedcomments%7D%7D&submit=1
This succeeds because the new page passes aclService->hasAccess('write', 'SpamCleanup') against default_write_acl='*'.
- trigger arbitrary page deletion (anonymous)
POST /?wiki=SpamCleanup HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
clean=yes&suppr%5B0%5D=PagePrincipale&suppr%5B1%5D=AnotherTargetPage
Server response includes Effacement de : PagePrincipale and Effacement de : AnotherTargetPage. pages, links, acls, triples, referrers, and tags rows for those tags are deleted from the database.
Impact
Arbitrary page deletion, including the front page (PagePrincipale).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52766"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T20:57:25Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nThe `{{erasespamedcomments}}` wiki action (`actions/EraseSpamedCommentsAction.php`) accepts a `suppr[]` array from `POST` and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki\u0027s allow-by-default action ACL model, any user who has page write access, which is the default for everyone (`default_write_acl=\u0027*\u0027`) on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.\n\nThe action\u0027s `delete()` callee is `PageManager::deleteOrphaned()`, which despite its name does not check whether the target page is orphaned: it issues an unconditional `DELETE` against `pages`, `links`, `acls`, `triples`, `referrers`, and `tags` tables.\n\n### Details\n\nThree issues compose the vulnerability.\n\n1. `actions/EraseSpamedCommentsAction.php` performs no authorization check before processing `$_POST[\u0027clean\u0027]` / `$_POST[\u0027suppr\u0027][]` in `actions/EraseSpamedCommentsAction.php`:\n\n ```php\n public function run()\n {\n $wiki = \u0026$this-\u003ewiki;\n ob_start();\n // ...\n elseif (isset($_POST[\u0027clean\u0027])) { \n $deletedPages = \u0027\u0027;\n if (!empty($_POST[\u0027suppr\u0027])) { \n foreach ($_POST[\u0027suppr\u0027] as $page) {\n echo \u0027Effacement de : \u0027 . $page . \"\u003cbr /\u003e\\n\";\n if ($wiki-\u003eservices-\u003eget(PageController::class)-\u003edelete($page)) { \n $deletedPages .= $page . \u0027, \u0027;\n }\n }\n }\n \n }\n }\n ```\n\n No `UserIsAdmin()`, no `UserIsOwner()`, no `HasAccess(\u0027write\u0027, $page)` per-target check, no CSRF token check.\n\n2. The default action ACL grants access to everyone in `includes/YesWiki.php`:\n\n ```php\n $acl = empty($this-\u003econfig[\u0027permissions\u0027][$moduleType][$module])\n ? \u0027*\u0027\n : $this-\u003econfig[\u0027permissions\u0027][$moduleType][$module];\n ```\n\n ```php\n if ($acl === null) { return true; }\n return $this-\u003eCheckACL($acl, $user);\n ```\n\n No shipped `permissions` map gates `erasespamedcomments` to admins, so `Performer::CheckModuleACL(\u0027erasespamedcomments\u0027, \u0027action\u0027)` returns `true` for anonymous users.\n\n3. `PageController::delete()` and `PageManager::deleteOrphaned()` perform no authorization check and do not validate that the page is actually orphaned in `includes/controllers/PageController.php:38\u201348`:\n\n ```php\n public function delete(string $tag): bool\n {\n if ($this-\u003eentryManager-\u003eisEntry($tag)) {\n return $this-\u003eentryController-\u003edelete($tag);\n } else {\n $this-\u003epageManager-\u003edeleteOrphaned($tag);\n $this-\u003ewiki-\u003eLogAdministrativeAction(\n $this-\u003eauthController-\u003egetLoggedUserName(),\n \u0027Suppression de la page -\u003e\"\"\u0027 . $tag . \u0027\"\"\u0027\n );\n return true;\n }\n }\n ```\nin `includes/services/PageManager.php:289\u2013310`:\n ```php\n public function deleteOrphaned($tag)\n {\n if ($this-\u003esecurityController-\u003eisWikiHibernated()) { throw new \\Exception(_t(\u0027WIKI_IN_HIBERNATION\u0027)); }\n unset($this-\u003eownersCache[$tag]);\n if (in_array($tag, $this-\u003epageCache)) { unset($this-\u003epageCache[$tag]); }\n $this-\u003edbService-\u003equery(\"DELETE FROM ... WHERE tag=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027 OR comment_on=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027\");\n $this-\u003edbService-\u003equery(\"DELETE FROM ...links... WHERE from_tag=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027 \");\n $this-\u003edbService-\u003equery(\"DELETE FROM ...acls... WHERE page_tag=\u0027{$this-\u003edbService-\u003eescape($tag)}\u0027 \");\n // ...further unconditional DELETEs across triples, referrers, tags\n }\n ```\n\n The companion `isOrphaned()` method (line 284) exists but is never called from `deleteOrphaned()`. The function name is misleading as it deletes any page, not just orphans.\n\n### PoC\n\nDefault fresh install where `default_write_acl=\u0027*\u0027` (per `includes/YesWikiInit.php:219`), anonymous browsing.\n\n1. create a trigger page (anonymous)\n\n```http\nPOST /?wiki=SpamCleanup/edit HTTP/1.1\nHost: target.example\nContent-Type: application/x-www-form-urlencoded\n\nbody=%7B%7Berasespamedcomments%7D%7D\u0026submit=1\n```\n\nThis succeeds because the new page passes `aclService-\u003ehasAccess(\u0027write\u0027, \u0027SpamCleanup\u0027)` against `default_write_acl=\u0027*\u0027`.\n\n2. trigger arbitrary page deletion (anonymous)\n\n```http\nPOST /?wiki=SpamCleanup HTTP/1.1\nHost: target.example\nContent-Type: application/x-www-form-urlencoded\n\nclean=yes\u0026suppr%5B0%5D=PagePrincipale\u0026suppr%5B1%5D=AnotherTargetPage\n```\n\nServer response includes `Effacement de : PagePrincipale` and `Effacement de : AnotherTargetPage`. `pages`, `links`, `acls`, `triples`, `referrers`, and `tags` rows for those tags are deleted from the database.\n\n### Impact\n\n Arbitrary page deletion, including the front page (`PagePrincipale`).",
"id": "GHSA-6x7x-gcmf-7r8x",
"modified": "2026-07-09T20:57:25Z",
"published": "2026-07-09T20:57:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-6x7x-gcmf-7r8x"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/commit/ed5b548a705c8091ba0282aaaba73ddda976abef"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action"
}
GHSA-6X8M-F958-Q43M
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-23 00:01Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission.
{
"affected": [],
"aliases": [
"CVE-2022-23996"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T18:15:00Z",
"severity": "MODERATE"
},
"details": "Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission.",
"id": "GHSA-6x8m-f958-q43m",
"modified": "2022-02-23T00:01:28Z",
"published": "2022-02-12T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23996"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=2"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-1
The architecture needs to access and modification attributes for files to only those users who actually require those actions.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.