Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5980 vulnerabilities reference this CWE, most recent first.

GHSA-PPWP-GX43-6M45

Vulnerability from github – Published: 2023-10-11 18:30 – Updated: 2024-04-04 08:34
VLAI
Details

An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-11T16:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.",
  "id": "GHSA-ppwp-gx43-6m45",
  "modified": "2024-04-04T08:34:05Z",
  "published": "2023-10-11T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24479"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1762"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPWQ-8QP3-J45P

Vulnerability from github – Published: 2022-05-17 02:02 – Updated: 2022-05-17 02:02
VLAI
Details

The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications. NOTE: some of these details are obtained from third party information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-0489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-01-18T18:03:00Z",
    "severity": "HIGH"
  },
  "details": "The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications.  NOTE: some of these details are obtained from third party information.",
  "id": "GHSA-ppwq-8qp3-j45p",
  "modified": "2022-05-17T02:02:17Z",
  "published": "2022-05-17T02:02:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0489"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64699"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/70424"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42901"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/15988"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/782567"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/45803"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PPXP-5C57-GJQ2

Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2022-05-14 01:49
VLAI
Details

Some Huawei smartphones ALP-AL00B 8.0.0.118D(C00), ALP-TL00B 8.0.0.118D(C01), BLA-AL00B 8.0.0.118D(C00), BLA-L09C 8.0.0.127(C432), 8.0.0.128(C432), 8.0.0.137(C432), BLA-L29C 8.0.0.129(C432), 8.0.0.137(C432) have an authentication bypass vulnerability. When the attacker obtains the user's smartphone, the vulnerability can be used to replace the start-up program so that the attacker can obtain the information in the smartphone and achieve the purpose of controlling the smartphone.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-13T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Some Huawei smartphones ALP-AL00B 8.0.0.118D(C00), ALP-TL00B 8.0.0.118D(C01), BLA-AL00B 8.0.0.118D(C00), BLA-L09C 8.0.0.127(C432), 8.0.0.128(C432), 8.0.0.137(C432), BLA-L29C 8.0.0.129(C432), 8.0.0.137(C432) have an authentication bypass vulnerability. When the attacker obtains the user\u0027s smartphone, the vulnerability can be used to replace the start-up program so that the attacker can obtain the information in the smartphone and achieve the purpose of controlling the smartphone.",
  "id": "GHSA-ppxp-5c57-gjq2",
  "modified": "2022-05-14T01:49:50Z",
  "published": "2022-05-14T01:49:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7910"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181101-01-bypass-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ3X-96C3-XGJG

Vulnerability from github – Published: 2018-07-23 19:50 – Updated: 2026-06-06 14:41
VLAI
Summary
Moderate severity vulnerability that affects Products.PlonePAS
Details

The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Products.PlonePAS"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3"
            },
            {
              "fixed": "3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2009-0662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:49:46Z",
    "nvd_published_at": "2009-04-23T17:30:01Z",
    "severity": "MODERATE"
  },
  "details": "The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors.",
  "id": "GHSA-pq3x-96c3-xgjg",
  "modified": "2026-06-06T14:41:09Z",
  "published": "2018-07-23T19:50:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0662"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50061"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-pq3x-96c3-xgjg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2009-17.yaml"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/53975"
    },
    {
      "type": "WEB",
      "url": "http://plone.org/products/plone/security/advisories/cve-2009-0662"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/34840"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/34664"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Moderate severity vulnerability that affects Products.PlonePAS"
}

GHSA-PQ62-7RF2-MHCM

Vulnerability from github – Published: 2024-12-21 00:33 – Updated: 2024-12-21 00:33
VLAI
Details

The AirVantage platform is vulnerable to an unauthorized attacker registering previously unregistered devices on the AirVantage platform when the owner has not disabled the AirVantage Management Service on the devices or registered the device. This could enable an attacker to configure, manage, and execute AT commands on an unsuspecting user’s devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-21T00:15:27Z",
    "severity": "HIGH"
  },
  "details": "The AirVantage platform is vulnerable to an unauthorized attacker registering previously unregistered \ndevices on the AirVantage platform when the owner has not disabled the AirVantage Management \nService on the devices or registered the device. This could enable an attacker to configure, manage, \nand execute AT commands on an unsuspecting user\u2019s devices.",
  "id": "GHSA-pq62-7rf2-mhcm",
  "modified": "2024-12-21T00:33:05Z",
  "published": "2024-12-21T00:33:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31279"
    },
    {
      "type": "WEB",
      "url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ7P-MC74-G65W

Vulnerability from github – Published: 2026-05-05 21:17 – Updated: 2026-05-13 16:26
VLAI
Summary
PocketBase vulnerable to account pre-hijacking via OAuth2 unverfied->verified autolinking upgrade
Details

A pre-hijacking issue was discovered with the OAuth2 autolinking by Alardiians.

In some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the victim gets invited or decides to sign up to your app on their own with provider "B" (PocketBase OAuth2 auth requires to be with a different provider because we don't allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user), the user created previously by the attacker will be autolinked, upgraded to "verified" and its old password reset.

The upgrade flow operates within the expectations but the problem is that I forgot to clear the previous OAuth2 link(s) leaving the attacker to still have access to the initially created user.

Or in other words, the vulnerability is similar to the mixed password + OAuth2 auth pre-hijacking issue that we had in the past but with a slightly different angle.

So with that in mind, and to avoid introducing breaking changes to the auth flows, a new fix was applied that automatically deletes all such pre-existing OAuth2 links on "unverified" to "verified" upgrades.

While the vulnerability requires some prerequisites, it is considered severe and it is strongly recommended to upgrade to v0.37.4 (or to v0.22.42 if you are using an older <v0.23.0 release).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pocketbase/pocketbase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.22.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pocketbase/pocketbase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.30.0"
            },
            {
              "fixed": "0.37.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:17:19Z",
    "nvd_published_at": "2026-05-12T18:17:29Z",
    "severity": "MODERATE"
  },
  "details": "A pre-hijacking issue was discovered with the OAuth2 autolinking by [Alardiians](https://github.com/Alardiians).\n\nIn some situations, if an attacker knows the email address of the victim they can create and link an **unverified** PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. \"A\". When the victim gets invited or decides to sign up to your app on their own with provider \"B\" _(PocketBase OAuth2 auth requires to be with a different provider because we don\u0027t allow multiple OAuth2 accounts from the same provider to be associated to a single PocketBase user)_, the user created previously by the attacker will be autolinked, upgraded to **\"verified\"** and its old password reset.\n\nThe upgrade flow operates within the expectations but the problem is that I forgot to clear the previous OAuth2 link(s) leaving the attacker to still have access to the initially created user.\n\nOr in other words, the vulnerability is similar to the [mixed password + OAuth2 auth pre-hijacking issue](https://github.com/pocketbase/pocketbase/security/advisories/GHSA-m93w-4fxv-r35v) that we had in the past but with a slightly different angle.\n\nSo with that in mind, and to avoid introducing breaking changes to the auth flows, a new fix was applied that automatically deletes all such pre-existing OAuth2 links on \"unverified\" to \"verified\" upgrades.\n\n**While the vulnerability requires some prerequisites, it is considered severe and it is strongly recommended to upgrade to v0.37.4 _(or to v0.22.42 if you are using an older \u003cv0.23.0 release)_.**",
  "id": "GHSA-pq7p-mc74-g65w",
  "modified": "2026-05-13T16:26:55Z",
  "published": "2026-05-05T21:17:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pocketbase/pocketbase/security/advisories/GHSA-pq7p-mc74-g65w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44166"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pocketbase/pocketbase"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PocketBase vulnerable to account pre-hijacking via OAuth2 unverfied-\u003everified autolinking upgrade"
}

GHSA-PQ96-PWVG-VRR9

Vulnerability from github – Published: 2026-04-14 23:33 – Updated: 2026-04-24 20:30
VLAI
Summary
frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control
Details

Summary

frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password.

This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature.

Details

The issue is in pkg/util/vhost/http.go.

In proxy-style requests using an absolute URI, the routing path extracts the username from Proxy-Authorization and stores it as the request HTTPUser, which is then used for routeByHTTPUser route selection.

More specifically, injectRequestInfoToCtx() derives the routing user from Proxy-Authorization, while the original ServeHTTP() implementation used req.BasicAuth() for the authentication check.

Because routing and authentication use different credential sources, a request can be routed to a protected backend based on the Proxy-Authorization username while the authentication check is not performed against the same credentials. This creates an authentication bypass when routeByHTTPUser, httpUser, and httpPassword are used together.

This is not a universal anonymous bypass for all frp HTTP proxies; it is specific to deployments that use routeByHTTPUser and where the target user value is known or can be inferred.

A minimal fix is to make the authentication check in proxy mode use the same credential source as route selection, i.e. to derive proxy-mode credentials from Proxy-Authorization consistently.

From local Git history analysis, this logic appears to have been introduced by commit 4af85da0c2c6eb981142a8fdb44f885d26cb9d08, with the earliest containing release tag appearing to be v0.43.0.

PoC

I reproduced the issue with the official frp_0.68.0_linux_amd64.tar.gz release binaries both locally and on an internet-reachable test server under my control.

Minimal setup: - frps exposes an HTTP vhost entrypoint. - One HTTP proxy is configured with: - customDomains = ["example.test"] - routeByHTTPUser = "alice" - httpUser = "alice" - httpPassword = "secret" - The protected backend returns a constant marker string: PRIVATE.

Minimal request flow: 1. Direct unauthenticated request: - curl -i --proxy '' -H 'Host: example.test' http://<FRPS_HOST>:<VHOST_HTTP_PORT>/ - Result: 404 Not Found

  1. Direct request with correct backend credentials:
  2. curl -i --proxy '' -u alice:secret -H 'Host: example.test' http://<FRPS_HOST>:<VHOST_HTTP_PORT>/
  3. Result: 200 OK, body contains PRIVATE

  4. Proxy-style request with incorrect Proxy-Authorization:

  5. curl -i --noproxy '' -x http://<FRPS_HOST>:<VHOST_HTTP_PORT> --proxy-user alice:wrong http://example.test/
  6. Result: 200 OK, body contains PRIVATE

Observed minimal result summary: - DIRECT_NOAUTH -> 404 - DIRECT_BASICAUTH_GOOD -> 200 PRIVATE - PROXY_PROXYAUTH_WRONGPASS -> 200 PRIVATE

This was reproduced against the official binary, not only against a local source build.

Impact

This is an authentication bypass leading to unauthorized access to a protected backend.

The practical impact depends on what service is behind the protected route. Examples include private application endpoints, internal administration panels, loopback-only local services, or development and operations interfaces.

Important boundary: if the protected backend is an frpc admin API that is separately protected by its own webServer.user / webServer.password, this issue only bypasses the outer vhost restriction and does not automatically bypass the inner admin authentication. In that case, the request may still reach the backend but correctly receive 401 Unauthorized from the inner layer.

There is also a deployment-specific downstream impact path. If the bypassed backend is an frpc admin API without separate inner authentication, and if that frpc instance permits store-based proxy management, an attacker may be able to create additional plugin-based proxies through the admin API. In deployments where a unix_domain_socket proxy can be used to expose Docker's Unix socket, this may further expose the Docker API and potentially enable host-level command execution through Docker. This follow-on consequence depends on multiple additional deployment conditions and should be treated as a conditional downstream impact rather than the core vulnerability itself.

Because exploitation requires a deployment to explicitly use routeByHTTPUser, and because the attacker must know or be able to guess the target routeByHTTPUser value, the issue is better classified as a configuration-dependent authentication bypass rather than a default-configuration issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.68.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fatedier/frp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.43.0"
            },
            {
              "fixed": "0.68.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:33:15Z",
    "nvd_published_at": "2026-04-21T21:16:45Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nfrp contains an authentication bypass in the HTTP vhost routing path when `routeByHTTPUser` is used as part of access control. In proxy-style requests, the routing logic uses the username from `Proxy-Authorization` to select the `routeByHTTPUser` backend, while the access control check uses credentials from the regular `Authorization` header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected `routeByHTTPUser` value may access a backend protected by `httpUser` / `httpPassword` even with an incorrect `Proxy-Authorization` password.\n\nThis issue affects deployments that explicitly use `routeByHTTPUser`. It does not affect ordinary HTTP proxies that do not use this feature.\n\n### Details\nThe issue is in `pkg/util/vhost/http.go`.\n\nIn proxy-style requests using an absolute URI, the routing path extracts the username from `Proxy-Authorization` and stores it as the request `HTTPUser`, which is then used for `routeByHTTPUser` route selection.\n\nMore specifically, `injectRequestInfoToCtx()` derives the routing user from `Proxy-Authorization`, while the original `ServeHTTP()` implementation used `req.BasicAuth()` for the authentication check.\n\nBecause routing and authentication use different credential sources, a request can be routed to a protected backend based on the `Proxy-Authorization` username while the authentication check is not performed against the same credentials. This creates an authentication bypass when `routeByHTTPUser`, `httpUser`, and `httpPassword` are used together.\n\nThis is not a universal anonymous bypass for all frp HTTP proxies; it is specific to deployments that use `routeByHTTPUser` and where the target user value is known or can be inferred.\n\nA minimal fix is to make the authentication check in proxy mode use the same credential source as route selection, i.e. to derive proxy-mode credentials from `Proxy-Authorization` consistently.\n\nFrom local Git history analysis, this logic appears to have been introduced by commit `4af85da0c2c6eb981142a8fdb44f885d26cb9d08`, with the earliest containing release tag appearing to be `v0.43.0`.\n\n### PoC\nI reproduced the issue with the official `frp_0.68.0_linux_amd64.tar.gz` release binaries both locally and on an internet-reachable test server under my control.\n\nMinimal setup:\n- `frps` exposes an HTTP vhost entrypoint.\n- One HTTP proxy is configured with:\n  - `customDomains = [\"example.test\"]`\n  - `routeByHTTPUser = \"alice\"`\n  - `httpUser = \"alice\"`\n  - `httpPassword = \"secret\"`\n- The protected backend returns a constant marker string: `PRIVATE`.\n\nMinimal request flow:\n1. Direct unauthenticated request:\n   - `curl -i --proxy \u0027\u0027 -H \u0027Host: example.test\u0027 http://\u003cFRPS_HOST\u003e:\u003cVHOST_HTTP_PORT\u003e/`\n   - Result: `404 Not Found`\n\n2. Direct request with correct backend credentials:\n   - `curl -i --proxy \u0027\u0027 -u alice:secret -H \u0027Host: example.test\u0027 http://\u003cFRPS_HOST\u003e:\u003cVHOST_HTTP_PORT\u003e/`\n   - Result: `200 OK`, body contains `PRIVATE`\n\n3. Proxy-style request with incorrect `Proxy-Authorization`:\n   - `curl -i --noproxy \u0027\u0027 -x http://\u003cFRPS_HOST\u003e:\u003cVHOST_HTTP_PORT\u003e --proxy-user alice:wrong http://example.test/`\n   - Result: `200 OK`, body contains `PRIVATE`\n\nObserved minimal result summary:\n- `DIRECT_NOAUTH -\u003e 404`\n- `DIRECT_BASICAUTH_GOOD -\u003e 200 PRIVATE`\n- `PROXY_PROXYAUTH_WRONGPASS -\u003e 200 PRIVATE`\n\nThis was reproduced against the official binary, not only against a local source build.\n\n### Impact\nThis is an authentication bypass leading to unauthorized access to a protected backend.\n\nThe practical impact depends on what service is behind the protected route. Examples include private application endpoints, internal administration panels, loopback-only local services, or development and operations interfaces.\n\nImportant boundary: if the protected backend is an `frpc` admin API that is separately protected by its own `webServer.user` / `webServer.password`, this issue only bypasses the outer vhost restriction and does not automatically bypass the inner admin authentication. In that case, the request may still reach the backend but correctly receive `401 Unauthorized` from the inner layer.\n\nThere is also a deployment-specific downstream impact path. If the bypassed backend is an `frpc` admin API without separate inner authentication, and if that `frpc` instance permits store-based proxy management, an attacker may be able to create additional plugin-based proxies through the admin API. In deployments where a `unix_domain_socket` proxy can be used to expose Docker\u0027s Unix socket, this may further expose the Docker API and potentially enable host-level command execution through Docker. This follow-on consequence depends on multiple additional deployment conditions and should be treated as a conditional downstream impact rather than the core vulnerability itself.\n\nBecause exploitation requires a deployment to explicitly use `routeByHTTPUser`, and because the attacker must know or be able to guess the target `routeByHTTPUser` value, the issue is better classified as a configuration-dependent authentication bypass rather than a default-configuration issue.",
  "id": "GHSA-pq96-pwvg-vrr9",
  "modified": "2026-04-24T20:30:23Z",
  "published": "2026-04-14T23:33:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40910"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fatedier/frp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control"
}

GHSA-PQF8-45F6-3RGV

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi-bin/csp?cspid={XXXXXXXXXX}&csppage=cgi_PgOverview&csplang=en is visited from a different web browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-30T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered on Fujitsu Eternus Storage DX200 S4 devices through 2020-11-25. After logging into the portal as a root user (using any web browser), the portal can be accessed with root privileges when the URI cgi-bin/csp?cspid={XXXXXXXXXX}\u0026csppage=cgi_PgOverview\u0026csplang=en is visited from a different web browser.",
  "id": "GHSA-pqf8-45f6-3rgv",
  "modified": "2022-05-24T17:35:15Z",
  "published": "2022-05-24T17:35:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29127"
    },
    {
      "type": "WEB",
      "url": "https://cxsecurity.com/issue/WLB-2020110215"
    },
    {
      "type": "WEB",
      "url": "https://seccops.com/fujitsu-eternus-storage-dx200-s4-broken-authentication"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/members/teams/fujitsu_psirt"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160255/Fujitsu-Eternus-Storage-DX200-S4-Broken-Authentication.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PQRM-M74P-4CJ9

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

A vulnerability in the Cisco IOS XE Software REST API could allow an authenticated, remote attacker to bypass API authorization checks and use the API to perform privileged actions on an affected device. The vulnerability is due to insufficient authorization checks for requests that are sent to the REST API of the affected software. An attacker could exploit this vulnerability by sending a malicious request to an affected device via the REST API. A successful exploit could allow the attacker to selectively bypass authorization checks for the REST API of the affected software and use the API to perform privileged actions on an affected device. Cisco Bug IDs: CSCuz56428.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-28T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Cisco IOS XE Software REST API could allow an authenticated, remote attacker to bypass API authorization checks and use the API to perform privileged actions on an affected device. The vulnerability is due to insufficient authorization checks for requests that are sent to the REST API of the affected software. An attacker could exploit this vulnerability by sending a malicious request to an affected device via the REST API. A successful exploit could allow the attacker to selectively bypass authorization checks for the REST API of the affected software and use the API to perform privileged actions on an affected device. Cisco Bug IDs: CSCuz56428.",
  "id": "GHSA-pqrm-m74p-4cj9",
  "modified": "2022-05-13T01:35:40Z",
  "published": "2022-05-13T01:35:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0195"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-rest"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103557"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQW6-9PGR-FR4X

Vulnerability from github – Published: 2022-05-02 03:31 – Updated: 2022-05-02 03:31
VLAI
Details

Apple Safari before 3.2.2 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-06-15T19:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Apple Safari before 3.2.2 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an \"SSL tampering\" attack.",
  "id": "GHSA-pqw6-9pgr-fr4x",
  "modified": "2022-05-02T03:31:16Z",
  "published": "2022-05-02T03:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2058"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51193"
    },
    {
      "type": "WEB",
      "url": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323"
    },
    {
      "type": "WEB",
      "url": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.