Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14581 vulnerabilities reference this CWE, most recent first.

GHSA-W86F-F8MJ-WM7P

Vulnerability from github – Published: 2025-11-07 06:30 – Updated: 2025-11-07 06:30
VLAI
Details

The Page & Post Notes plugin for WordPress is vulnerable to unauthorized modification of notes due to a missing capability check on the 'yydev_notes_save_dashboard_data' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify notes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-07T06:15:33Z",
    "severity": "MODERATE"
  },
  "details": "The Page \u0026 Post Notes plugin for WordPress is vulnerable to unauthorized modification of notes due to a missing capability check on the \u0027yydev_notes_save_dashboard_data\u0027 function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify notes.",
  "id": "GHSA-w86f-f8mj-wm7p",
  "modified": "2025-11-07T06:30:29Z",
  "published": "2025-11-07T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12527"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/page-post-notes/trunk/include/insert-to-db.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/page-post-notes/trunk/index.php#L85"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3389236%40page-post-notes\u0026new=3389236%40page-post-notes\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93dadc33-cabf-4701-97ca-861ad90597fb?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W878-F8C6-7R63

Vulnerability from github – Published: 2026-03-01 01:30 – Updated: 2026-03-01 01:30
VLAI
Summary
Statamic's missing authorization allows access to email addresses
Details

Impact

User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission.

Patches

This has been fixed in 5.73.11 and 6.4.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.73.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-alpha.1"
            },
            {
              "fixed": "6.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-01T01:30:42Z",
    "nvd_published_at": "2026-02-27T23:16:05Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUser email addresses were included in responses from the user fieldtype\u2019s data endpoint for control panel users who did not have the \u201cview users\u201d permission.\n\n### Patches\nThis has been fixed in 5.73.11 and 6.4.0.",
  "id": "GHSA-w878-f8c6-7r63",
  "modified": "2026-03-01T01:30:42Z",
  "published": "2026-03-01T01:30:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/security/advisories/GHSA-w878-f8c6-7r63"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28424"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/statamic/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/releases/tag/v5.73.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/releases/tag/v6.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Statamic\u0027s missing authorization allows access to email addresses"
}

GHSA-W89R-RWCF-75W7

Vulnerability from github – Published: 2025-03-27 12:30 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in alexvtn Chatbox Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Chatbox Manager: from n/a through 1.2.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T11:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in alexvtn Chatbox Manager allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Chatbox Manager: from n/a through 1.2.2.",
  "id": "GHSA-w89r-rwcf-75w7",
  "modified": "2026-04-01T18:34:06Z",
  "published": "2025-03-27T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30790"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/wa-chatbox-manager/vulnerability/wordpress-chatbox-manager-1-2-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8C6-JHX2-568H

Vulnerability from github – Published: 2025-06-20 15:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in aguilatechnologies WP Customer Area allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Customer Area: from n/a through 8.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-20T15:15:24Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in aguilatechnologies WP Customer Area allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Customer Area: from n/a through 8.2.5.",
  "id": "GHSA-w8c6-jhx2-568h",
  "modified": "2026-04-28T21:35:42Z",
  "published": "2025-06-20T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49982"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/customer-area/vulnerability/wordpress-wp-customer-area-plugin-8-2-5-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8GX-4R6W-3RX9

Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2023-10-27 20:39
VLAI
Summary
Jenkins rhnpush-plugin does not perform a permission check in a method implementing form validation
Details

Jenkins rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence of requests can be used to effectively list workspace contents.

rhnpush-plugin Plugin 0.5.2 requires Item/Workspace permission to validate patterns with workspace contents.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:rhnpush-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-10T21:20:53Z",
    "nvd_published_at": "2022-07-27T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation.\n\nThis allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence of requests can be used to effectively list workspace contents.\n\nrhnpush-plugin Plugin 0.5.2 requires Item/Workspace permission to validate patterns with workspace contents.",
  "id": "GHSA-w8gx-4r6w-3rx9",
  "modified": "2023-10-27T20:39:25Z",
  "published": "2022-07-28T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/rhnpush-plugin/commit/7827db39925d0fc8f5b95e013466987b513b3f3c"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2402"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins rhnpush-plugin does not perform a permission check in a method implementing form validation"
}

GHSA-W8J2-252J-WP53

Vulnerability from github – Published: 2026-07-07 15:32 – Updated: 2026-07-07 15:32
VLAI
Details

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-59709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T15:16:49Z",
    "severity": "MODERATE"
  },
  "details": "Ghostfolio\u0027s PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.",
  "id": "GHSA-w8j2-252j-wp53",
  "modified": "2026-07-07T15:32:57Z",
  "published": "2026-07-07T15:32:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59709"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ghostfolio/ghostfolio/issues/7196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ghostfolio/ghostfolio/commit/697ef59e3b58bebc5c21a9e482e4f5643390f316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ghostfolio/ghostfolio"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/ghostfolio-unauthorized-portfolio-holding-tag-modification-via-missing-permission-check"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W8JJ-CWMC-WGQ2

Vulnerability from github – Published: 2026-04-10 19:49 – Updated: 2026-04-10 19:49
VLAI
Summary
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure
Details

Summary

The system log endpoints (GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary structured fields that facilitate reconnaissance for further attacks.

Details

The dashboard routes in internal/router/dashboard.go:7-8 register log endpoints on the AuthRouterGroup without any RequireScopes middleware:

// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
    appRouterGroup.AuthRouterGroup.GET("/system/logs", h.DashboardHandler.GetSystemLogs())
    appRouterGroup.AuthRouterGroup.GET("/system/logs/stream", h.DashboardHandler.SSESubscribeSystemLogs())
    appRouterGroup.WSRouterGroup.GET("/system/logs", h.DashboardHandler.WSSubscribeSystemLogs())
}

Compare with other admin-only routes that properly use RequireScopes:

// internal/router/setting.go — every route has RequireScopes
appRouterGroup.AuthRouterGroup.GET("/settings",
    middleware.RequireScopes(authModel.ScopeAdminSettings),
    h.SettingHandler.GetSiteSettings())

The AuthRouterGroup only applies JWTAuthMiddleware() (router.go:36), which validates the JWT and sets the viewer context but does not check admin status. The WSRouterGroup (router.go:37) has no middleware at all — the WebSocket handler only calls ParseToken to verify the JWT signature (dashboard.go:74) without any role/scope validation.

The handler (internal/handler/dashboard/dashboard.go:29-62) and service (internal/service/dashboard/dashboard.go:21-27) contain zero authorization checks. Other services in the codebase properly enforce admin access: - internal/service/inbox/inbox.go:132ensureAdmin() - internal/service/migrator/migrator.go:360ensureAdmin() - internal/service/comment/comment.go:719requireAdmin()

Non-admin users are created with IsAdmin: false and IsOwner: false (internal/service/user/user.go:220-221) via the public registration endpoint.

The LogEntry struct (internal/util/log/log.go:78-87) exposes:

type LogEntry struct {
    Time   string         `json:"time"`
    Level  string         `json:"level"`
    Msg    string         `json:"msg"`
    Module string         `json:"module,omitempty"`
    Caller string         `json:"caller,omitempty"`   // internal file paths
    Error  string         `json:"error,omitempty"`     // error stack traces
    Fields map[string]any `json:"fields,omitempty"`    // arbitrary structured data
    Raw    string         `json:"raw,omitempty"`       // raw log lines
}

PoC

# 1. Register a non-admin user (system allows up to 5 users by default)
curl -X POST http://localhost:8080/api/register \
  -H 'Content-Type: application/json' \
  -d '{"username":"attacker","password":"Password123"}'

# 2. Login to get session token
TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"attacker","password":"Password123"}' | jq -r '.data.token')

# 3. Read system logs — should require admin but doesn't
curl http://localhost:8080/api/system/logs \
  -H "Authorization: Bearer $TOKEN"
# Returns: {"code":1,"data":[{"time":"...","level":"error","msg":"...","module":"...","caller":"internal/service/user/user.go:145","error":"...","fields":{...}},...]}

# 4. Subscribe to real-time log stream via SSE
curl -N "http://localhost:8080/api/system/logs/stream?token=$TOKEN"

# 5. Subscribe via WebSocket (WSRouterGroup has NO middleware)
# wscat -c "ws://localhost:8080/ws/system/logs?token=$TOKEN"

Impact

Any registered non-admin user can: - Read all historical system logs including error traces that reveal internal code paths, database errors, and application state - Stream real-time logs via SSE or WebSocket to monitor all server activity as it happens - Gather reconnaissance data — caller fields expose internal file paths and line numbers, error fields expose stack traces and database query failures, module fields map the internal architecture - Monitor other users' actions — authentication failures, registration events, and admin operations appear in logs

This information disclosure lowers the bar for chaining further attacks by revealing the application's internal structure, error handling patterns, and operational state.

Recommended Fix

Add RequireScopes middleware with an admin scope to the dashboard routes:

// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
    appRouterGroup.AuthRouterGroup.GET("/system/logs",
        middleware.RequireScopes(authModel.ScopeAdminSettings),
        h.DashboardHandler.GetSystemLogs())
    appRouterGroup.AuthRouterGroup.GET("/system/logs/stream",
        middleware.RequireScopes(authModel.ScopeAdminSettings),
        h.DashboardHandler.SSESubscribeSystemLogs())
    appRouterGroup.WSRouterGroup.GET("/system/logs",
        middleware.RequireScopes(authModel.ScopeAdminSettings),
        h.DashboardHandler.WSSubscribeSystemLogs())
}

Additionally, the WebSocket handler should validate admin scope after parsing the token, since the WSRouterGroup lacks middleware:

// internal/handler/dashboard/dashboard.go — WSSubscribeSystemLogs
claims, err := jwtUtil.ParseToken(token)
if err != nil {
    ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "invalid token"})
    return
}
// Add admin check for WebSocket endpoint
if claims.TokenType == authModel.TokenTypeAccess && !containsScope(claims.Scopes, authModel.ScopeAdminSettings) {
    ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{"msg": "admin access required"})
    return
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lin-snow/ech0"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:49:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe system log endpoints (`GET /api/system/logs`, `GET /api/system/logs/stream`, `WS /ws/system/logs`) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary structured fields that facilitate reconnaissance for further attacks.\n\n## Details\n\nThe dashboard routes in `internal/router/dashboard.go:7-8` register log endpoints on the `AuthRouterGroup` without any `RequireScopes` middleware:\n\n```go\n// internal/router/dashboard.go\nfunc setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs\", h.DashboardHandler.GetSystemLogs())\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs/stream\", h.DashboardHandler.SSESubscribeSystemLogs())\n\tappRouterGroup.WSRouterGroup.GET(\"/system/logs\", h.DashboardHandler.WSSubscribeSystemLogs())\n}\n```\n\nCompare with other admin-only routes that properly use `RequireScopes`:\n\n```go\n// internal/router/setting.go \u2014 every route has RequireScopes\nappRouterGroup.AuthRouterGroup.GET(\"/settings\",\n    middleware.RequireScopes(authModel.ScopeAdminSettings),\n    h.SettingHandler.GetSiteSettings())\n```\n\nThe `AuthRouterGroup` only applies `JWTAuthMiddleware()` (router.go:36), which validates the JWT and sets the viewer context but does **not** check admin status. The `WSRouterGroup` (router.go:37) has no middleware at all \u2014 the WebSocket handler only calls `ParseToken` to verify the JWT signature (dashboard.go:74) without any role/scope validation.\n\nThe handler (`internal/handler/dashboard/dashboard.go:29-62`) and service (`internal/service/dashboard/dashboard.go:21-27`) contain zero authorization checks. Other services in the codebase properly enforce admin access:\n- `internal/service/inbox/inbox.go:132` \u2014 `ensureAdmin()`\n- `internal/service/migrator/migrator.go:360` \u2014 `ensureAdmin()`\n- `internal/service/comment/comment.go:719` \u2014 `requireAdmin()`\n\nNon-admin users are created with `IsAdmin: false` and `IsOwner: false` (`internal/service/user/user.go:220-221`) via the public registration endpoint.\n\nThe `LogEntry` struct (`internal/util/log/log.go:78-87`) exposes:\n```go\ntype LogEntry struct {\n    Time   string         `json:\"time\"`\n    Level  string         `json:\"level\"`\n    Msg    string         `json:\"msg\"`\n    Module string         `json:\"module,omitempty\"`\n    Caller string         `json:\"caller,omitempty\"`   // internal file paths\n    Error  string         `json:\"error,omitempty\"`     // error stack traces\n    Fields map[string]any `json:\"fields,omitempty\"`    // arbitrary structured data\n    Raw    string         `json:\"raw,omitempty\"`       // raw log lines\n}\n```\n\n## PoC\n\n```bash\n# 1. Register a non-admin user (system allows up to 5 users by default)\ncurl -X POST http://localhost:8080/api/register \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"attacker\",\"password\":\"Password123\"}\u0027\n\n# 2. Login to get session token\nTOKEN=$(curl -s -X POST http://localhost:8080/api/login \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"attacker\",\"password\":\"Password123\"}\u0027 | jq -r \u0027.data.token\u0027)\n\n# 3. Read system logs \u2014 should require admin but doesn\u0027t\ncurl http://localhost:8080/api/system/logs \\\n  -H \"Authorization: Bearer $TOKEN\"\n# Returns: {\"code\":1,\"data\":[{\"time\":\"...\",\"level\":\"error\",\"msg\":\"...\",\"module\":\"...\",\"caller\":\"internal/service/user/user.go:145\",\"error\":\"...\",\"fields\":{...}},...]}\n\n# 4. Subscribe to real-time log stream via SSE\ncurl -N \"http://localhost:8080/api/system/logs/stream?token=$TOKEN\"\n\n# 5. Subscribe via WebSocket (WSRouterGroup has NO middleware)\n# wscat -c \"ws://localhost:8080/ws/system/logs?token=$TOKEN\"\n```\n\n## Impact\n\nAny registered non-admin user can:\n- **Read all historical system logs** including error traces that reveal internal code paths, database errors, and application state\n- **Stream real-time logs** via SSE or WebSocket to monitor all server activity as it happens\n- **Gather reconnaissance data** \u2014 caller fields expose internal file paths and line numbers, error fields expose stack traces and database query failures, module fields map the internal architecture\n- **Monitor other users\u0027 actions** \u2014 authentication failures, registration events, and admin operations appear in logs\n\nThis information disclosure lowers the bar for chaining further attacks by revealing the application\u0027s internal structure, error handling patterns, and operational state.\n\n## Recommended Fix\n\nAdd `RequireScopes` middleware with an admin scope to the dashboard routes:\n\n```go\n// internal/router/dashboard.go\nfunc setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.DashboardHandler.GetSystemLogs())\n\tappRouterGroup.AuthRouterGroup.GET(\"/system/logs/stream\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.DashboardHandler.SSESubscribeSystemLogs())\n\tappRouterGroup.WSRouterGroup.GET(\"/system/logs\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.DashboardHandler.WSSubscribeSystemLogs())\n}\n```\n\nAdditionally, the WebSocket handler should validate admin scope after parsing the token, since the `WSRouterGroup` lacks middleware:\n\n```go\n// internal/handler/dashboard/dashboard.go \u2014 WSSubscribeSystemLogs\nclaims, err := jwtUtil.ParseToken(token)\nif err != nil {\n    ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{\"msg\": \"invalid token\"})\n    return\n}\n// Add admin check for WebSocket endpoint\nif claims.TokenType == authModel.TokenTypeAccess \u0026\u0026 !containsScope(claims.Scopes, authModel.ScopeAdminSettings) {\n    ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{\"msg\": \"admin access required\"})\n    return\n}\n```",
  "id": "GHSA-w8jj-cwmc-wgq2",
  "modified": "2026-04-10T19:49:33Z",
  "published": "2026-04-10T19:49:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-w8jj-cwmc-wgq2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lin-snow/Ech0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/releases/tag/v4.4.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ech0\u0027s Missing Authorization on System Logs Allows Non-Admin Information Disclosure"
}

GHSA-W8M8-8QC2-4GPR

Vulnerability from github – Published: 2024-10-23 09:33 – Updated: 2024-10-23 09:33
VLAI
Details

Missing Authorization vulnerability in dFactory Responsive Lightbox allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Responsive Lightbox: from n/a through 2.4.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-23T08:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in dFactory Responsive Lightbox allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Responsive Lightbox: from n/a through 2.4.7.",
  "id": "GHSA-w8m8-8qc2-4gpr",
  "modified": "2024-10-23T09:33:12Z",
  "published": "2024-10-23T09:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43924"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/responsive-lightbox/wordpress-responsive-lightbox-gallery-plugin-2-4-7-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8MQ-5926-CX56

Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31
VLAI
Details

Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T15:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0.",
  "id": "GHSA-w8mq-5926-cx56",
  "modified": "2024-11-01T15:31:57Z",
  "published": "2024-11-01T15:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37119"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/uncanny-automator-pro/wordpress-uncanny-automator-pro-plugin-5-3-unauthenticated-license-settings-reset-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8Q9-2FWM-J44J

Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in BitPay BitPay Checkout for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BitPay Checkout for WooCommerce: from n/a through 4.1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-13T15:15:24Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in BitPay BitPay Checkout for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BitPay Checkout for WooCommerce: from n/a through 4.1.0.",
  "id": "GHSA-w8q9-2fwm-j44j",
  "modified": "2026-04-28T21:35:26Z",
  "published": "2024-12-13T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41803"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/bitpay-checkout-for-woocommerce/vulnerability/wordpress-bitpay-checkout-for-woocommerce-plugin-4-1-0-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.