CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5970 vulnerabilities reference this CWE, most recent first.
GHSA-QM83-JG9G-2862
Vulnerability from github – Published: 2023-12-20 21:30 – Updated: 2023-12-20 21:30A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2.4 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /file-manager/delete.php of the component Deletion Interface. The manipulation of the argument file leads to improper authentication. The exploit has been disclosed to the public and may be used. The identifier VDB-248269 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-6907"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-18T04:15:51Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2.4 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /file-manager/delete.php of the component Deletion Interface. The manipulation of the argument file leads to improper authentication. The exploit has been disclosed to the public and may be used. The identifier VDB-248269 was assigned to this vulnerability.",
"id": "GHSA-qm83-jg9g-2862",
"modified": "2023-12-20T21:30:32Z",
"published": "2023-12-20T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6907"
},
{
"type": "WEB",
"url": "https://github.com/g1an123/POC/blob/main/Unauthorized%20file%20deletion.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.248269"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.248269"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QM93-WPRH-QR6P
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:19Debug policy with invalid signature can be loaded when the debug policy functionality is disabled by using the parallel image loading in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCS404, QCS605, SD 410/12, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SXR1130
{
"affected": [],
"aliases": [
"CVE-2018-13927"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-22T14:15:00Z",
"severity": "HIGH"
},
"details": "Debug policy with invalid signature can be loaded when the debug policy functionality is disabled by using the parallel image loading in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCS404, QCS605, SD 410/12, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SXR1130",
"id": "GHSA-qm93-wprh-qr6p",
"modified": "2024-04-04T01:19:41Z",
"published": "2022-05-24T16:50:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13927"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QM9J-69FP-V8P4
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15The LDAP over SSL (aka LDAPS) implementation in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not examine Certificate Revocation Lists (CRLs), which allows remote authenticated users to bypass intended certificate restrictions and access Active Directory resources by leveraging a revoked X.509 certificate for a domain account, aka "LDAPS Authentication Bypass Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2011-2014"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-11-08T21:55:00Z",
"severity": "HIGH"
},
"details": "The LDAP over SSL (aka LDAPS) implementation in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not examine Certificate Revocation Lists (CRLs), which allows remote authenticated users to bypass intended certificate restrictions and access Active Directory resources by leveraging a revoked X.509 certificate for a domain account, aka \"LDAPS Authentication Bypass Vulnerability.\"",
"id": "GHSA-qm9j-69fp-v8p4",
"modified": "2022-05-13T01:15:35Z",
"published": "2022-05-13T01:15:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2014"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-086"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13278"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026294"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QMP2-8M8M-8V95
Vulnerability from github – Published: 2022-05-01 18:30 – Updated: 2025-04-09 03:46report.cgi in Google Urchin allows remote attackers to bypass authentication and obtain sensitive information (web server logs) via certain modified query parameters, as demonstrated using the profile, rid, prefs, n, vid, bd, ed, dt, and gtype parameters, a different vulnerability than CVE-2007-5112.
{
"affected": [],
"aliases": [
"CVE-2007-5113"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-09-26T23:17:00Z",
"severity": "MODERATE"
},
"details": "report.cgi in Google Urchin allows remote attackers to bypass authentication and obtain sensitive information (web server logs) via certain modified query parameters, as demonstrated using the profile, rid, prefs, n, vid, bd, ed, dt, and gtype parameters, a different vulnerability than CVE-2007-5112.",
"id": "GHSA-qmp2-8m8m-8v95",
"modified": "2025-04-09T03:46:38Z",
"published": "2022-05-01T18:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5113"
},
{
"type": "WEB",
"url": "http://ha.ckers.org/blog/20070823/xss-and-possible-information-disclosure-in-urchin"
},
{
"type": "WEB",
"url": "http://securityvulns.ru/Sdocument90.html"
},
{
"type": "WEB",
"url": "http://websecurity.com.ua/1283"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/482006/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/26037"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QP56-X698-CR67
Vulnerability from github – Published: 2022-05-17 05:36 – Updated: 2022-05-17 05:36The ComputePassword function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) generates the password for the fwupgrade account by performing a calculation on the MAC address, which makes it easier for remote attackers to obtain access via a (1) ARP request message or (2) Neighbor Solicitation message.
{
"affected": [],
"aliases": [
"CVE-2011-4860"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-12-17T11:55:00Z",
"severity": "HIGH"
},
"details": "The ComputePassword function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) generates the password for the fwupgrade account by performing a calculation on the MAC address, which makes it easier for remote attackers to obtain access via a (1) ARP request message or (2) Neighbor Solicitation message.",
"id": "GHSA-qp56-x698-cr67",
"modified": "2022-05-17T05:36:16Z",
"published": "2022-05-17T05:36:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4860"
},
{
"type": "WEB",
"url": "http://reversemode.com/index.php?option=com_content\u0026task=view\u0026id=80\u0026Itemid=1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QP67-V7W7-R9VJ
Vulnerability from github – Published: 2022-05-14 03:12 – Updated: 2022-05-14 03:12There is an authentication bypass vulnerability in some Huawei servers. A remote attacker with low privilege may bypass the authentication by some special operations. Due to insufficient authentication, an attacker may exploit the vulnerability to get some sensitive information and high-level users' privilege.
{
"affected": [],
"aliases": [
"CVE-2018-7943"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-05T15:29:00Z",
"severity": "HIGH"
},
"details": "There is an authentication bypass vulnerability in some Huawei servers. A remote attacker with low privilege may bypass the authentication by some special operations. Due to insufficient authentication, an attacker may exploit the vulnerability to get some sensitive information and high-level users\u0027 privilege.",
"id": "GHSA-qp67-v7w7-r9vj",
"modified": "2022-05-14T03:12:35Z",
"published": "2022-05-14T03:12:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7943"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180530-01-server-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP9R-PFQF-HXF3
Vulnerability from github – Published: 2022-11-01 12:00 – Updated: 2022-11-02 12:00Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL.
{
"affected": [],
"aliases": [
"CVE-2022-39018"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-31T21:15:00Z",
"severity": "HIGH"
},
"details": "Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL.",
"id": "GHSA-qp9r-pfqf-hxf3",
"modified": "2022-11-02T12:00:44Z",
"published": "2022-11-01T12:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39018"
},
{
"type": "WEB",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QPFH-2WPM-C362
Vulnerability from github – Published: 2025-04-10 18:32 – Updated: 2025-04-10 18:32Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: * You have Spring Vault on the classpath of your Spring Cloud Config Server and * You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and * You are using the default Spring Vault SessionManager implementation LifecycleAwareSessionManager or a SessionManager implementation that persists the Vault token such as SimpleSessionManager.
In this case the SessionManager persists the first token it retrieves and will continue to use that token even if client requests to the Spring Cloud Config Server include a X-CONFIG-TOKEN header with a different value. Affected Spring Products and Versions Spring Cloud Config: * 2.2.1.RELEASE - 4.2.1
Mitigation Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix versionAvailability4.2.x4.2.2OSS4.1.x4.1.6OSS4.0.x4.0.10Commercial3.1.x3.1.10Commercial3.0.x4.1.6OSS2.2.x4.1.6OSS NOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.
No other mitigation steps are necessary.
{
"affected": [],
"aliases": [
"CVE-2025-22232"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T18:15:46Z",
"severity": "MODERATE"
},
"details": "Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN\u00a0header when making requests to Vault.\nYour application may be affected by this if the following are true:\n * You have Spring Vault on the classpath of your Spring Cloud Config Server and\n * You are using the X-CONFIG-TOKEN\u00a0header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and\n * You are using the default Spring Vault SessionManager\u00a0implementation LifecycleAwareSessionManager\u00a0or a SessionManager\u00a0implementation that persists the Vault token such as SimpleSessionManager.\n\nIn this case the SessionManager\u00a0persists the first token it retrieves and will continue to use that token even if client requests to the Spring Cloud Config Server include a X-CONFIG-TOKEN\u00a0header with a different value.\nAffected Spring Products and Versions\nSpring Cloud Config:\n * 2.2.1.RELEASE - 4.2.1\n\n\nMitigation\nUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability4.2.x4.2.2OSS4.1.x4.1.6OSS4.0.x4.0.10Commercial3.1.x3.1.10Commercial3.0.x4.1.6OSS2.2.x4.1.6OSS\nNOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.\n\nNo other mitigation steps are necessary.",
"id": "GHSA-qpfh-2wpm-c362",
"modified": "2025-04-10T18:32:03Z",
"published": "2025-04-10T18:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22232"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2025-22232"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QPG4-4W7W-2MQ5
Vulnerability from github – Published: 2020-04-29 17:41 – Updated: 2023-05-16 15:51On 20 April 2020 it was reported to me that the potential for authentication bypass exists in Faye's extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and 1.2.5, which we are releasing today.
The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. For example, the Faye extension docs suggest that users implement access control for subscriptions by checking incoming messages for the /meta/subscribe channel, for example:
server.addExtension({
incoming: function(message, callback) {
if (message.channel === '/meta/subscribe') {
if (message.ext.authToken !== 'my super secret password') {
message.error = 'Invalid auth token';
}
}
callback(message);
}
});
A bug in the server's code for recognising the special /meta/* channels, which trigger connection and subscription events, means that a client can bypass this check by sending a message to /meta/subscribe/x rather than /meta/subscribe:
{
"channel": "/meta/subscribe/x",
"clientId": "3jrc6602npj4gyp6bn5ap2wqzjtb2q3",
"subscription": "/foo"
}
This message will not be checked by the above extension, as it checks the message's channel is exactly equal to /meta/subscribe. But it will still be processed as a subscription request by the server, so the client becomes subscribed to the channel /foo without supplying the necessary credentials.
The vulnerability is caused by the way the Faye server recognises meta channels. It will treat a message to any channel that's a prefix-match for one of the special channels /meta/handshake, /meta/connect, /meta/subscribe, /meta/unsubscribe or /meta/disconnect, as though it were an exact match for that channel. So, a message to /meta/subscribe/x is still processed as a subscription request, for example.
An authentication bypass for subscription requests is the most serious effect of this but all other meta channels are susceptible to similar manipulation.
This parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. These should be drop-in replacements for prior versions and you should upgrade immediately if you are running any prior version.
If you are unable to install one of these versions, you can make your extensions catch all messages the server would process by checking the channel begins with the expected channel name, for example:
server.addExtension({
incoming: function(message, callback) {
if (message.channel.startsWith('/meta/subscribe')) {
// authentication logic
}
callback(message);
}
});
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "faye"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "faye"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "faye"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11020"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2020-04-29T17:40:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "On 20 April 2020 it was reported to me that the potential for authentication bypass exists in [Faye][1]\u0027s extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and 1.2.5, which we are releasing today.\n\nThe vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. For example, the Faye [extension docs][2] suggest that users implement access control for subscriptions by checking incoming messages for the `/meta/subscribe` channel, for example:\n\n```js\nserver.addExtension({\n incoming: function(message, callback) {\n if (message.channel === \u0027/meta/subscribe\u0027) {\n if (message.ext.authToken !== \u0027my super secret password\u0027) {\n message.error = \u0027Invalid auth token\u0027;\n }\n }\n callback(message);\n }\n});\n```\n\nA bug in the server\u0027s code for recognising the special `/meta/*` channels, which trigger connection and subscription events, means that a client can bypass this check by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`:\n\n```json\n{\n \"channel\": \"/meta/subscribe/x\",\n \"clientId\": \"3jrc6602npj4gyp6bn5ap2wqzjtb2q3\",\n \"subscription\": \"/foo\"\n}\n```\n\nThis message will not be checked by the above extension, as it checks the message\u0027s channel is exactly equal to `/meta/subscribe`. But it will still be processed as a subscription request by the server, so the client becomes subscribed to the channel `/foo` without supplying the necessary credentials.\n\nThe vulnerability is caused by the way the Faye server recognises meta channels. It will treat a message to any channel that\u0027s a prefix-match for one of the special channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`, `/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for that channel. So, a message to `/meta/subscribe/x` is still processed as a subscription request, for example.\n\nAn authentication bypass for subscription requests is the most serious effect of this but all other meta channels are susceptible to similar manipulation.\n\nThis parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. These should be drop-in replacements for prior versions and you should upgrade immediately if you are running any prior version.\n\nIf you are unable to install one of these versions, you can make your extensions catch all messages the server would process by checking the channel _begins_ with the expected channel name, for example:\n\n```js\nserver.addExtension({\n incoming: function(message, callback) {\n if (message.channel.startsWith(\u0027/meta/subscribe\u0027)) {\n // authentication logic\n }\n callback(message);\n }\n});\n```\n\n[1]: https://faye.jcoglan.com/\n[2]: https://faye.jcoglan.com/node/extensions.html",
"id": "GHSA-qpg4-4w7w-2mq5",
"modified": "2023-05-16T15:51:44Z",
"published": "2020-04-29T17:41:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11020"
},
{
"type": "WEB",
"url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
},
{
"type": "PACKAGE",
"url": "https://github.com/faye/faye"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-11020.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authentication and extension bypass in Faye"
}
GHSA-QPGW-76Q4-XPFV
Vulnerability from github – Published: 2022-05-01 18:40 – Updated: 2022-05-01 18:40cp.php in DeluxeBB 1.09 does not verify that the membercookie parameter corresponds to the authenticated member during a profile update, which allows remote authenticated users to change the e-mail addresses of arbitrary accounts via a modified membercookie parameter, a different vector than CVE-2006-4078. NOTE: this can be leveraged for administrative access by requesting password-reset e-mail through a lostpw action to misc.php.
{
"affected": [],
"aliases": [
"CVE-2007-6237"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-12-04T18:46:00Z",
"severity": "HIGH"
},
"details": "cp.php in DeluxeBB 1.09 does not verify that the membercookie parameter corresponds to the authenticated member during a profile update, which allows remote authenticated users to change the e-mail addresses of arbitrary accounts via a modified membercookie parameter, a different vector than CVE-2006-4078. NOTE: this can be leveraged for administrative access by requesting password-reset e-mail through a lostpw action to misc.php.",
"id": "GHSA-qpgw-76q4-xpfv",
"modified": "2022-05-01T18:40:52Z",
"published": "2022-05-01T18:40:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6237"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27794"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/3416"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/484205/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/26572"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.