Common Weakness Enumeration

CWE-470

Allowed

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Abstraction: Base · Status: Draft

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

115 vulnerabilities reference this CWE, most recent first.

GHSA-2FPH-6V5W-89HH

Vulnerability from github – Published: 2026-03-24 16:50 – Updated: 2026-03-25 20:59
VLAI
Summary
Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
Details

Summary

A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.

The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (as and on prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain.

Impact

  • Attack Type: Remote Code Execution (RCE)
  • Authentication Required: Authenticated user with control panel access (accessCp permission)

Vulnerability Details

Root Cause

In ElementIndexesController::actionFilterHud() (line 493-494), the fieldLayouts body parameter is passed to FieldLayout::createFromConfig() without cleanseConfig():

// ElementIndexesController.php:485-494
if ($conditionConfig) {
    $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed
    $condition = $conditionsService->createCondition($conditionConfig);
} else {
    $condition = $this->elementType()::createCondition();
}

if (!empty($fieldLayouts)) {
    // fieldLayouts is NOT cleansed!
    $condition->setFieldLayouts(array_map(
        fn(array $config) => FieldLayout::createFromConfig($config),
        $fieldLayouts
    ));
}

Note the inconsistency: conditionConfig is sanitized with cleanseConfig(), but fieldLayouts is not.

Attack Chain

  1. Send a fieldLayouts array containing config with "as <name>" prefixed keys
  2. FieldLayout::createFromConfig($config) -> new self($config) -> Model::__construct($config)
  3. App::configure($this, $config) processes each key
  4. "as rce" key -> Component::__set("as rce", $value) -> Yii::createObject($value) -> instantiates AttributeTypecastBehavior and attaches it to the FieldLayout
  5. "on *" key -> registers a wildcard event handler
  6. parent::__construct() -> init() -> setTabs([]) -> getAvailableNativeFields() -> trigger(EVENT_DEFINE_NATIVE_FIELDS)
  7. The wildcard handler fires -> AttributeTypecastBehavior::beforeSave() -> typecastAttributes()
  8. $this->owner->typecastBeforeSave -> resolved via Component::__get() -> returns the command string from the behavior's own property
  9. call_user_func([ConsoleProcessus::class, 'execute'], $command) -> shell_exec($command)

Prerequisites

  • A user account with control panel access
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.9.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.6.0"
            },
            {
              "fixed": "5.9.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T16:50:42Z",
    "nvd_published_at": "2026-03-24T18:16:09Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.\n\nThe existing patches add `cleanseConfig()` to `assembleLayoutFromPost()` and various `FieldsController` actions to strip Yii2 behavior/event injection keys (`as ` and `on ` prefixed keys). However, the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` is passed directly to `FieldLayout::createFromConfig()` without any sanitization, enabling the same behavior injection attack chain.\n\n## Impact\n\n- **Attack Type**: Remote Code Execution (RCE)\n- **Authentication Required**: Authenticated user with control panel access (`accessCp` permission)\n\n## Vulnerability Details\n\n### Root Cause\n\nIn `ElementIndexesController::actionFilterHud()` (line 493-494), the `fieldLayouts` body parameter is passed to `FieldLayout::createFromConfig()` without `cleanseConfig()`:\n\n```php\n// ElementIndexesController.php:485-494\nif ($conditionConfig) {\n    $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed\n    $condition = $conditionsService-\u003ecreateCondition($conditionConfig);\n} else {\n    $condition = $this-\u003eelementType()::createCondition();\n}\n\nif (!empty($fieldLayouts)) {\n    // fieldLayouts is NOT cleansed!\n    $condition-\u003esetFieldLayouts(array_map(\n        fn(array $config) =\u003e FieldLayout::createFromConfig($config),\n        $fieldLayouts\n    ));\n}\n```\n\nNote the inconsistency: `conditionConfig` is sanitized with `cleanseConfig()`, but `fieldLayouts` is not.\n\n### Attack Chain\n\n1. Send a `fieldLayouts` array containing config with `\"as \u003cname\u003e\"` prefixed keys\n2. `FieldLayout::createFromConfig($config)` -\u003e `new self($config)` -\u003e `Model::__construct($config)`\n3. `App::configure($this, $config)` processes each key\n4. `\"as rce\"` key -\u003e `Component::__set(\"as rce\", $value)` -\u003e `Yii::createObject($value)` -\u003e instantiates `AttributeTypecastBehavior` and attaches it to the FieldLayout\n5. `\"on *\"` key -\u003e registers a wildcard event handler\n6. `parent::__construct()` -\u003e `init()` -\u003e `setTabs([])` -\u003e `getAvailableNativeFields()` -\u003e `trigger(EVENT_DEFINE_NATIVE_FIELDS)`\n7. The wildcard handler fires -\u003e `AttributeTypecastBehavior::beforeSave()` -\u003e `typecastAttributes()`\n8. `$this-\u003eowner-\u003etypecastBeforeSave` -\u003e resolved via `Component::__get()` -\u003e returns the command string from the behavior\u0027s own property\n9. `call_user_func([ConsoleProcessus::class, \u0027execute\u0027], $command)` -\u003e `shell_exec($command)`\n\n### Prerequisites\n\n- A user account with control panel access",
  "id": "GHSA-2fph-6v5w-89hh",
  "modified": "2026-03-25T20:59:38Z",
  "published": "2026-03-24T16:50:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.9.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior"
}

GHSA-2M69-F932-GV3G

Vulnerability from github – Published: 2025-03-31 18:31 – Updated: 2025-11-05 00:31
VLAI
Details

An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition.

This issue affects Xperience: through 13.0.180.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T17:15:41Z",
    "severity": "HIGH"
  },
  "details": "An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition.\n\n\n\n\nThis issue affects Xperience: through 13.0.180.",
  "id": "GHSA-2m69-f932-gv3g",
  "modified": "2025-11-05T00:31:17Z",
  "published": "2025-03-31T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2794"
    },
    {
      "type": "WEB",
      "url": "https://devnet.kentico.com/download/hotfixes"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/kentico-xperience-unsafe-reflection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2W2H-GWWJ-FH3Q

Vulnerability from github – Published: 2026-06-24 15:31 – Updated: 2026-06-24 15:31
VLAI
Details

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T14:17:34Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.",
  "id": "GHSA-2w2h-gwwj-fh3q",
  "modified": "2026-06-24T15:31:47Z",
  "published": "2026-06-24T15:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57284"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-382J-8MXH-C7X2

Vulnerability from github – Published: 2026-06-25 18:35 – Updated: 2026-06-25 18:35
VLAI
Summary
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
Details

Summary

MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes.

A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process.

Impact

Applications are affected when they deserialize untrusted payloads into types containing DateTime values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.

MessagePackSecurity.UntrustedData and MaximumObjectGraphDepth do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.

An attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.

Affected components

  • Package: MessagePack
  • API: MessagePackReader.ReadDateTime
  • Data types: DateTime and formatter paths that call ReadDateTime
  • Finding IDs: MESSAGEPACKCSHARP-020, related stack allocation finding MESSAGEPACKCSHARP-CROW-MEM-001

Patches

Fixes are prepared and will be released in coordinated patch versions.

Upgrade guidance:

  1. Upgrade MessagePack to the patched version for your release line.
  2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.

The fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.

Workarounds

Patching is recommended.

Until a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain DateTime or DateTimeOffset values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.

There is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.

Resources

  • MESSAGEPACKCSHARP-020: ReadDateTime stack allocation from attacker-controlled extension length
  • MESSAGEPACKCSHARP-CROW-MEM-001: related attacker-controlled stack allocation finding in MessagePackReader
  • CWE-770: Allocation of Resources Without Limits or Throttling

CVE split rationale

This vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "MessagePack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-125",
      "CWE-190",
      "CWE-407",
      "CWE-409",
      "CWE-470",
      "CWE-502",
      "CWE-674",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:35:48Z",
    "nvd_published_at": "2026-06-22T22:16:47Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`MessagePackReader.ReadDateTime()` can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed `tokenSize` includes the extension body length from the wire and is used in a `stackalloc` operation before the extension length is validated as one of the valid timestamp sizes.\n\nA very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable `StackOverflowException`, terminating the host process.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads into types containing `DateTime` values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.\n\n`MessagePackSecurity.UntrustedData` and `MaximumObjectGraphDepth` do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.\n\nAn attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.\n\n## Affected components\n\n- Package: `MessagePack`\n- API: `MessagePackReader.ReadDateTime`\n- Data types: `DateTime` and formatter paths that call `ReadDateTime`\n- Finding IDs: `MESSAGEPACKCSHARP-020`, related stack allocation finding `MESSAGEPACKCSHARP-CROW-MEM-001`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain `DateTime` or `DateTimeOffset` values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.\n\nThere is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-020`: `ReadDateTime` stack allocation from attacker-controlled extension length\n- `MESSAGEPACKCSHARP-CROW-MEM-001`: related attacker-controlled stack allocation finding in `MessagePackReader`\n- CWE-770: Allocation of Resources Without Limits or Throttling\n\n## CVE split rationale\n\nThis vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.",
  "id": "GHSA-382j-8mxh-c7x2",
  "modified": "2026-06-25T18:35:48Z",
  "published": "2026-06-25T18:35:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48502"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows"
}

GHSA-3F48-PQW5-HG2J

Vulnerability from github – Published: 2022-04-29 03:01 – Updated: 2025-04-03 04:05
VLAI
Details

ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-2331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-12-31T05:00:00Z",
    "severity": "LOW"
  },
  "details": "ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag.",
  "id": "GHSA-3f48-pqw5-hg2j",
  "modified": "2025-04-03T04:05:12Z",
  "published": "2022-04-29T03:01:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-2331"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/14984"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/10743"
    },
    {
      "type": "WEB",
      "url": "http://www.macromedia.com/devnet/security/security_zone/mpsb04-01.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/9521"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3PV3-JJ4H-P528

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-06-01 19:42
VLAI
Summary
Sandbox bypass vulnerability in Jenkins Script Security Plugin
Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:script-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.56"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1003040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-01T19:42:19Z",
    "nvd_published_at": "2019-03-28T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.",
  "id": "GHSA-3pv3-jj4h-p528",
  "modified": "2022-06-01T19:42:19Z",
  "published": "2022-05-13T01:15:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003040"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/script-security-plugin/commit/8424ad90547e37a2bd3b6a3a7da48eb1af9cd0ee"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1423"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/script-security-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/03/28/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107628"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sandbox bypass vulnerability in Jenkins Script Security Plugin"
}

GHSA-4446-656P-F54G

Vulnerability from github – Published: 2018-10-17 16:23 – Updated: 2025-05-12 21:40
VLAI
Summary
Deserialization of Untrusted Data in Bouncy castle
Details

Legion of the Bouncy Castle Java Cryptography APIs starting in version 1.57 and prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application.

This vulnerability appears to have been fixed in 1.60 and later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.bouncycastle:bcprov-jdk15on"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.57"
            },
            {
              "fixed": "1.60"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:57:10Z",
    "nvd_published_at": "2018-07-09T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Legion of the Bouncy Castle Java Cryptography APIs starting in version 1.57 and prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. \n\nThis vulnerability appears to have been fixed in 1.60 and later.",
  "id": "GHSA-4446-656p-f54g",
  "modified": "2025-05-12T21:40:33Z",
  "published": "2018-10-17T16:23:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000613"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bcgit/bc-java/commit/cc9f91c41be67e88fca4e38f4872418448950fd9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4446-656p-f54g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bcgit/bc-java"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190204-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deserialization of Untrusted Data in Bouncy castle"
}

GHSA-4484-8V2F-5748

Vulnerability from github – Published: 2026-03-16 18:13 – Updated: 2026-03-16 21:57
VLAI
Summary
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Details

The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched src/services/Fields.php, but the same vulnerable pattern exists in ElementIndexesController and FieldsController.

You need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work.

An attacker can use the same gadget chain from the original advisory to achieve RCE.

Users should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.9.10"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T18:13:15Z",
    "nvd_published_at": "2026-03-16T20:16:19Z",
    "severity": "HIGH"
  },
  "details": "The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `ElementIndexesController` and `FieldsController`.\n\nYou need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work.\n\nAn attacker can use the same gadget chain from the original advisory to achieve RCE.\n\nUsers should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.",
  "id": "GHSA-4484-8v2f-5748",
  "modified": "2026-03-16T21:57:50Z",
  "published": "2026-03-16T18:13:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController"
}

GHSA-4CQ3-3QXV-X93W

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-13T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.",
  "id": "GHSA-4cq3-3qxv-x93w",
  "modified": "2022-05-13T01:52:50Z",
  "published": "2022-05-13T01:52:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5511"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K30500703"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46600"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152213/VMware-Host-VMX-Process-Impersonation-Hijack-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4JJR-VMV7-WH4W

Vulnerability from github – Published: 2026-04-16 21:25 – Updated: 2026-04-24 20:52
VLAI
Summary
Statamic: Unsafe method invocation via query value resolution allows data destruction
Details

Impact

Manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.

The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc.

The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.

Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority.

Patches

This has been fixed in 5.73.20 and 6.13.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.73.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-alpha.1"
            },
            {
              "fixed": "6.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:25:35Z",
    "nvd_published_at": "2026-04-22T22:16:31Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nManipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.\n\nThe Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc.\n\nThe REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.\n\nSites that enable the REST or GraphQL API without authentication should treat patching as critical priority.\n\n### Patches\n\nThis has been fixed in 5.73.20 and 6.13.0.",
  "id": "GHSA-4jjr-vmv7-wh4w",
  "modified": "2026-04-24T20:52:04Z",
  "published": "2026-04-16T21:25:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41175"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/statamic/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Statamic: Unsafe method invocation via query value resolution allows data destruction"
}

Mitigation
Architecture and Design

Refactor your code to avoid using reflection.

Mitigation
Architecture and Design

Do not use user-controlled inputs to select and load classes or code.

Mitigation
Implementation

Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.

CAPEC-138: Reflection Injection

An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.