CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14602 vulnerabilities reference this CWE, most recent first.
GHSA-WPMP-JHX9-XGQ5
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to utilize parts of the web UI for which they are not authorized.The vulnerability is due to insufficient authorization of web UI access requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web UI. A successful exploit could allow the attacker to utilize parts of the web UI for which they are not authorized. This could allow a Read-Only user to perform actions of an Admin user.
{
"affected": [],
"aliases": [
"CVE-2020-3400"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-24T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to utilize parts of the web UI for which they are not authorized.The vulnerability is due to insufficient authorization of web UI access requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web UI. A successful exploit could allow the attacker to utilize parts of the web UI for which they are not authorized. This could allow a Read-Only user to perform actions of an Admin user.",
"id": "GHSA-wpmp-jhx9-xgq5",
"modified": "2022-05-24T17:29:26Z",
"published": "2022-05-24T17:29:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3400"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-auth-bypass-6j2BYUc7"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WPP8-X44C-V39Q
Vulnerability from github – Published: 2022-05-02 03:48 – Updated: 2022-05-02 03:48The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2009-3781"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-10-26T17:30:00Z",
"severity": "HIGH"
},
"details": "The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors.",
"id": "GHSA-wpp8-x44c-v39q",
"modified": "2022-05-02T03:48:23Z",
"published": "2022-05-02T03:48:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3781"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53897"
},
{
"type": "WEB",
"url": "http://drupal.org/files/issues/filefield-node-access-fix-516104-3.patch"
},
{
"type": "WEB",
"url": "http://drupal.org/node/516104"
},
{
"type": "WEB",
"url": "http://drupal.org/node/609874"
},
{
"type": "WEB",
"url": "http://drupal.org/node/611128"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/37130"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/36792"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WPPC-7CQ7-CGFV
Vulnerability from github – Published: 2026-02-26 19:45 – Updated: 2026-02-27 21:59Impact
Users were able to obtain add-on configuration via API.
Patches
- https://github.com/WeblateOrg/weblate/pull/18107
- https://github.com/WeblateOrg/weblate/pull/18164
References
Weblate thanks @lighthousekeeper1212 for responsible disclosure.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "weblate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.16.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27457"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-26T19:45:06Z",
"nvd_published_at": "2026-02-26T22:20:48Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUsers were able to obtain add-on configuration via API.\n\n### Patches\n\n* https://github.com/WeblateOrg/weblate/pull/18107\n* https://github.com/WeblateOrg/weblate/pull/18164\n\n\n### References\n\nWeblate thanks @lighthousekeeper1212 for responsible disclosure.",
"id": "GHSA-wppc-7cq7-cgfv",
"modified": "2026-02-27T21:59:14Z",
"published": "2026-02-26T19:45:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27457"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/pull/18107"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/pull/18164"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f"
},
{
"type": "PACKAGE",
"url": "https://github.com/WeblateOrg/weblate"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weblate: Missing access control for the AddonViewSet API exposes all addon configurations"
}
GHSA-WPQ2-4QXQ-9VXC
Vulnerability from github – Published: 2024-08-08 06:30 – Updated: 2024-08-08 06:30The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.
{
"affected": [],
"aliases": [
"CVE-2024-6824"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-08T06:15:41Z",
"severity": "MODERATE"
},
"details": "The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the \u0027check_temp_validity\u0027 and \u0027update_template_title\u0027 functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.",
"id": "GHSA-wpq2-4qxq-9vxc",
"modified": "2024-08-08T06:30:54Z",
"published": "2024-08-08T06:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6824"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/trunk/includes/addons-integration.php#L159"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/trunk/includes/addons-integration.php#L184"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3131564"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2840b9e-1baf-460c-ba11-43e4279ece27?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WPQ5-Q23X-F88M
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:05In SyncStatusObserver, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to local limited information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599864
{
"affected": [],
"aliases": [
"CVE-2019-9351"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T19:15:00Z",
"severity": "LOW"
},
"details": "In SyncStatusObserver, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to local limited information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599864",
"id": "GHSA-wpq5-q23x-f88m",
"modified": "2024-04-04T02:05:52Z",
"published": "2022-05-24T16:57:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9351"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WPR5-RC2J-99P2
Vulnerability from github – Published: 2025-10-29 15:31 – Updated: 2025-11-05 20:54Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:publish-to-bitbucket"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64150"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-29T22:11:30Z",
"nvd_published_at": "2025-10-29T14:15:59Z",
"severity": "MODERATE"
},
"details": "Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.\n\nAdditionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-wpr5-rc2j-99p2",
"modified": "2025-11-05T20:54:44Z",
"published": "2025-10-29T15:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64150"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/publish-to-bitbucket-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3576"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/29/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Publish to Bitbucket Plugin is missing a permissions check"
}
GHSA-WPR8-MXGP-V29J
Vulnerability from github – Published: 2025-05-09 09:33 – Updated: 2025-05-09 09:33The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.
{
"affected": [],
"aliases": [
"CVE-2025-3949"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-09T09:15:19Z",
"severity": "MODERATE"
},
"details": "The Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027seedprod_lite_get_revisisons\u0027 function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.",
"id": "GHSA-wpr8-mxgp-v29j",
"modified": "2025-05-09T09:33:21Z",
"published": "2025-05-09T09:33:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3949"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/coming-soon/tags/6.18.15/app/lpage.php#L820"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3288645/coming-soon/trunk/app/lpage.php"
},
{
"type": "WEB",
"url": "https://www.seedprod.com/docs/changelog"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/669b0f30-8958-420c-93c5-0103b71967dd?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WPRJ-9CVC-5W37
Vulnerability from github – Published: 2026-03-29 15:40 – Updated: 2026-03-29 15:40Summary
Multiple payment plugin list.json.php endpoints lack authentication and authorization checks, allowing unauthenticated attackers to retrieve all payment transaction records including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads with transaction details, and Bitcoin payment records. This is the same class of vulnerability fixed in the Scheduler plugin (GHSA-j724-5c6c-68g5 / commit 83390ab1f) but the fix was not applied to the remaining 21 affected endpoints.
Details
The AVideo ObjectYPT admin CRUD pattern generates four endpoints per database table: add.json.php, delete.json.php, list.json.php, and an index.php page. In the payment plugins, add.json.php and delete.json.php correctly check User::isAdmin() before proceeding, but the list.json.php endpoints have no authorization check whatsoever.
PayPalYPT_log list endpoint (plugin/PayPalYPT/View/PayPalYPT_log/list.json.php:1-10):
<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/PayPalYPT/Objects/PayPalYPT_log.php';
header('Content-Type: application/json');
$rows = PayPalYPT_log::getAll();
$total = PayPalYPT_log::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}
No User::isAdmin() check. The getAll() method (inherited from ObjectYPT) executes SELECT * FROM PayPalYPT_log returning all records.
Contrast with the sibling add endpoint (plugin/PayPalYPT/View/PayPalYPT_log/add.json.php:13-16):
if (!User::isAdmin()) {
$obj->msg = "You can't do this";
die(json_encode($obj));
}
The configuration.php bootstrap file performs no global authentication gating — it initializes the application framework but does not enforce auth. No .htaccess rules restrict access to plugin View directories.
Data model (plugin/PayPalYPT/Objects/PayPalYPT_log.php): Each record contains agreement_id, users_id, json (full PayPal API response), recurring_payment_id, value (payment amount), and token (PayPal Express Checkout token).
The identical pattern exists in:
- plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php — full Authorize.Net webhook payloads
- plugin/BTCPayments/View/Btc_payments/list.json.php — Bitcoin transaction identifiers and amounts
This was the exact same vulnerability class patched in commit 83390ab1f for the Scheduler plugin (GHSA-j724-5c6c-68g5), but the fix was only applied to the 3 Scheduler endpoints. A total of 21 list.json.php endpoints across the codebase remain unprotected.
PoC
Step 1 — Dump PayPal transaction logs (unauthenticated):
curl -s 'https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/list.json.php'
Returns all PayPal transaction records including agreement IDs, tokens, payment amounts, user IDs, and full PayPal API JSON responses.
Step 2 — Dump Authorize.Net webhook logs (unauthenticated):
curl -s 'https://target.com/plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php'
Returns all Authorize.Net webhook payloads including transaction IDs, event types, and payment details.
Step 3 — Dump Bitcoin payment records (unauthenticated):
curl -s 'https://target.com/plugin/BTCPayments/View/Btc_payments/list.json.php'
Returns all Bitcoin transaction identifiers, BTC amounts, and store identifiers.
Step 4 — Confirm sibling endpoints ARE protected:
curl -s -X POST 'https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/add.json.php'
# Returns: {"error":true,"msg":"You can't do this"}
Impact
- Financial data exposure: Unauthenticated attackers can retrieve all payment transaction records across PayPal, Authorize.Net, and Bitcoin payment providers.
- Token leakage: PayPal Express Checkout tokens and billing agreement IDs are exposed, potentially enabling payment manipulation or account correlation.
- PII leakage: Transaction records contain user ID mappings, payment amounts, and full API responses that may include payer email addresses and names.
- Broad scope: 21 total
list.json.phpendpoints lack auth, also exposing live streaming server infrastructure (Live_servers), user connection data, meeting participation logs, and AI transcription responses. - Zero interaction required: No authentication, no user interaction — a single GET request dumps the entire table.
Recommended Fix
Add User::isAdmin() checks to all unprotected list.json.php endpoints, matching the pattern used in the Scheduler fix (commit 83390ab1f). For each affected file, add immediately after the require_once and header() lines:
if (!User::isAdmin()) {
$obj = new stdClass();
$obj->error = true;
$obj->msg = "You can't do this";
die(json_encode($obj));
}
The full list of files requiring this fix:
plugin/PayPalYPT/View/PayPalYPT_log/list.json.phpplugin/AuthorizeNet/View/Anet_webhook_log/list.json.phpplugin/BTCPayments/View/Btc_payments/list.json.phpplugin/AI/View/Ai_responses/list.json.phpplugin/AI/View/Ai_metatags_responses/list.json.phpplugin/AI/View/Ai_transcribe_responses/list.json.phpplugin/Live/view/Live_servers/list.json.phpplugin/Live/view/Live_schedule/list.json.phpplugin/Live/view/Live_restreams_logs/list.json.phpplugin/SocialMediaPublisher/View/Publisher_schedule/list.json.phpplugin/SocialMediaPublisher/View/Publisher_social_medias/list.json.phpplugin/Meet/View/Meet_join_log/list.json.phpplugin/Meet/View/Meet_schedule_has_users_groups/list.json.phpplugin/PlayLists/View/Playlists_schedules/list.json.phpplugin/UserConnections/View/Users_connections/list.json.phpplugin/UserNotifications/View/User_notifications/list.json.phpplugin/VideosStatistics/View/Statistics/list.json.phpplugin/VideoTags/View/Tags_subscriptions/list.json.phpplugin/CustomizeUser/View/Categories_has_users_groups/list.json.phpplugin/CustomizeUser/View/Users_extra_info/list.json.phpplugin/ImageGallery/list.json.php
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:40:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nMultiple payment plugin `list.json.php` endpoints lack authentication and authorization checks, allowing unauthenticated attackers to retrieve all payment transaction records including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads with transaction details, and Bitcoin payment records. This is the same class of vulnerability fixed in the Scheduler plugin (GHSA-j724-5c6c-68g5 / commit 83390ab1f) but the fix was not applied to the remaining 21 affected endpoints.\n\n## Details\n\nThe AVideo ObjectYPT admin CRUD pattern generates four endpoints per database table: `add.json.php`, `delete.json.php`, `list.json.php`, and an `index.php` page. In the payment plugins, `add.json.php` and `delete.json.php` correctly check `User::isAdmin()` before proceeding, but the `list.json.php` endpoints have no authorization check whatsoever.\n\n**PayPalYPT_log list endpoint** (`plugin/PayPalYPT/View/PayPalYPT_log/list.json.php:1-10`):\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/PayPalYPT/Objects/PayPalYPT_log.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = PayPalYPT_log::getAll();\n$total = PayPalYPT_log::getTotal();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e, ...}\n```\n\nNo `User::isAdmin()` check. The `getAll()` method (inherited from `ObjectYPT`) executes `SELECT * FROM PayPalYPT_log` returning all records.\n\n**Contrast with the sibling add endpoint** (`plugin/PayPalYPT/View/PayPalYPT_log/add.json.php:13-16`):\n```php\nif (!User::isAdmin()) {\n $obj-\u003emsg = \"You can\u0027t do this\";\n die(json_encode($obj));\n}\n```\n\nThe `configuration.php` bootstrap file performs no global authentication gating \u2014 it initializes the application framework but does not enforce auth. No `.htaccess` rules restrict access to plugin View directories.\n\n**Data model** (`plugin/PayPalYPT/Objects/PayPalYPT_log.php`): Each record contains `agreement_id`, `users_id`, `json` (full PayPal API response), `recurring_payment_id`, `value` (payment amount), and `token` (PayPal Express Checkout token).\n\nThe identical pattern exists in:\n- `plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php` \u2014 full Authorize.Net webhook payloads\n- `plugin/BTCPayments/View/Btc_payments/list.json.php` \u2014 Bitcoin transaction identifiers and amounts\n\nThis was the exact same vulnerability class patched in commit 83390ab1f for the Scheduler plugin (GHSA-j724-5c6c-68g5), but the fix was only applied to the 3 Scheduler endpoints. A total of 21 `list.json.php` endpoints across the codebase remain unprotected.\n\n## PoC\n\n**Step 1 \u2014 Dump PayPal transaction logs (unauthenticated):**\n```bash\ncurl -s \u0027https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/list.json.php\u0027\n```\nReturns all PayPal transaction records including agreement IDs, tokens, payment amounts, user IDs, and full PayPal API JSON responses.\n\n**Step 2 \u2014 Dump Authorize.Net webhook logs (unauthenticated):**\n```bash\ncurl -s \u0027https://target.com/plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php\u0027\n```\nReturns all Authorize.Net webhook payloads including transaction IDs, event types, and payment details.\n\n**Step 3 \u2014 Dump Bitcoin payment records (unauthenticated):**\n```bash\ncurl -s \u0027https://target.com/plugin/BTCPayments/View/Btc_payments/list.json.php\u0027\n```\nReturns all Bitcoin transaction identifiers, BTC amounts, and store identifiers.\n\n**Step 4 \u2014 Confirm sibling endpoints ARE protected:**\n```bash\ncurl -s -X POST \u0027https://target.com/plugin/PayPalYPT/View/PayPalYPT_log/add.json.php\u0027\n# Returns: {\"error\":true,\"msg\":\"You can\u0027t do this\"}\n```\n\n## Impact\n\n- **Financial data exposure:** Unauthenticated attackers can retrieve all payment transaction records across PayPal, Authorize.Net, and Bitcoin payment providers.\n- **Token leakage:** PayPal Express Checkout tokens and billing agreement IDs are exposed, potentially enabling payment manipulation or account correlation.\n- **PII leakage:** Transaction records contain user ID mappings, payment amounts, and full API responses that may include payer email addresses and names.\n- **Broad scope:** 21 total `list.json.php` endpoints lack auth, also exposing live streaming server infrastructure (`Live_servers`), user connection data, meeting participation logs, and AI transcription responses.\n- **Zero interaction required:** No authentication, no user interaction \u2014 a single GET request dumps the entire table.\n\n## Recommended Fix\n\nAdd `User::isAdmin()` checks to all unprotected `list.json.php` endpoints, matching the pattern used in the Scheduler fix (commit 83390ab1f). For each affected file, add immediately after the `require_once` and `header()` lines:\n\n```php\nif (!User::isAdmin()) {\n $obj = new stdClass();\n $obj-\u003eerror = true;\n $obj-\u003emsg = \"You can\u0027t do this\";\n die(json_encode($obj));\n}\n```\n\nThe full list of files requiring this fix:\n\n1. `plugin/PayPalYPT/View/PayPalYPT_log/list.json.php`\n2. `plugin/AuthorizeNet/View/Anet_webhook_log/list.json.php`\n3. `plugin/BTCPayments/View/Btc_payments/list.json.php`\n4. `plugin/AI/View/Ai_responses/list.json.php`\n5. `plugin/AI/View/Ai_metatags_responses/list.json.php`\n6. `plugin/AI/View/Ai_transcribe_responses/list.json.php`\n7. `plugin/Live/view/Live_servers/list.json.php`\n8. `plugin/Live/view/Live_schedule/list.json.php`\n9. `plugin/Live/view/Live_restreams_logs/list.json.php`\n10. `plugin/SocialMediaPublisher/View/Publisher_schedule/list.json.php`\n11. `plugin/SocialMediaPublisher/View/Publisher_social_medias/list.json.php`\n12. `plugin/Meet/View/Meet_join_log/list.json.php`\n13. `plugin/Meet/View/Meet_schedule_has_users_groups/list.json.php`\n14. `plugin/PlayLists/View/Playlists_schedules/list.json.php`\n15. `plugin/UserConnections/View/Users_connections/list.json.php`\n16. `plugin/UserNotifications/View/User_notifications/list.json.php`\n17. `plugin/VideosStatistics/View/Statistics/list.json.php`\n18. `plugin/VideoTags/View/Tags_subscriptions/list.json.php`\n19. `plugin/CustomizeUser/View/Categories_has_users_groups/list.json.php`\n20. `plugin/CustomizeUser/View/Users_extra_info/list.json.php`\n21. `plugin/ImageGallery/list.json.php`",
"id": "GHSA-wprj-9cvc-5w37",
"modified": "2026-03-29T15:40:52Z",
"published": "2026-03-29T15:40:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wprj-9cvc-5w37"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/1729a955f8de7e26552eb728b3d1e6f4b1b9352e"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j724-5c6c-68g5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records"
}
GHSA-WPXJ-44W3-2J6X
Vulnerability from github – Published: 2026-05-13 15:30 – Updated: 2026-06-09 02:01Impact
In the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid.
As a concrete example, a user:
- who has permission to create or update
ImageAttachmentrecords - but who lacks permission to view (some or all)
Devicerecords - but who knows (via some other mechanism) the UUID of a specific
Devicethat they do not otherwise have access to
could create via the REST API an ImageAttachment linked to that specific Device.
Other models that use GenericForeignKey and may be writable via the REST API, and hence have a similar vulnerability to ImageAttachment, may include:
ApprovalWorkflowCableConfigContextContactAssociationDataComplianceDeviceExportTemplateGraphQLQueryNoteObjectMetadataRelationshipAssociationStaticGroupAssociationVirtualMachine
Additionally, any Nautobot Apps that provide models with a REST API and use GenericForeignKey may have a similar vulnerability for their models.
Patches
A general-purpose fix has been implemented in Nautobot 2.4.33 and 3.1.2, which ensures correct application of "view" permissions when creating or modifying object references via GenericForeignKey throughout the REST API. Individual models/views/serializers generally will not require any specific code changes to benefit from this fix.
Workarounds
No known workarounds at this time.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0a2"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44794"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T15:30:46Z",
"nvd_published_at": "2026-05-28T18:16:33Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIn the case of inter-object references via `GenericForeignKey` (a pattern allowing an object to reference another object that may belong to one of several different \"content types\" or database tables), when creating or updating an object containing a `GenericForeignKey`, Nautobot\u0027s REST API failed to enforce user \"view\" permissions when determining whether a given reference to another object would be valid. \n\nAs a concrete example, a user:\n\n- who has permission to create or update `ImageAttachment` records\n- but who lacks permission to view (some or all) `Device` records\n- _but who knows (via some other mechanism) the UUID of a specific `Device` that they do not otherwise have access to_\n\ncould create via the REST API an `ImageAttachment` linked to that specific `Device`.\n\nOther models that use `GenericForeignKey` and may be writable via the REST API, and hence have a similar vulnerability to `ImageAttachment`, may include:\n\n- `ApprovalWorkflow`\n- `Cable`\n- `ConfigContext`\n- `ContactAssociation`\n- `DataCompliance`\n- `Device`\n- `ExportTemplate`\n- `GraphQLQuery`\n- `Note`\n- `ObjectMetadata`\n- `RelationshipAssociation`\n- `StaticGroupAssociation`\n- `VirtualMachine`\n\nAdditionally, any Nautobot Apps that provide models with a REST API and use GenericForeignKey may have a similar vulnerability for their models.\n\n### Patches\n\nA general-purpose fix has been implemented in Nautobot 2.4.33 and 3.1.2, which ensures correct application of \"view\" permissions when creating or modifying object references via `GenericForeignKey` throughout the REST API. Individual models/views/serializers generally will not require any specific code changes to benefit from this fix.\n\n### Workarounds\n\nNo known workarounds at this time.\n\n### References\n\n- 2.4.33 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1\"\u003epatch\u003c/a\u003e)\n- 3.1.2 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b\"\u003epatch\u003c/a\u003e)",
"id": "GHSA-wpxj-44w3-2j6x",
"modified": "2026-06-09T02:01:03Z",
"published": "2026-05-13T15:30:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44794"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/nautobot/nautobot"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference"
}
GHSA-WQ22-JRVV-WXMV
Vulnerability from github – Published: 2024-04-16 21:31 – Updated: 2026-04-28 21:34Missing Authorization vulnerability in Skymoon Labs MoveTo.This issue affects MoveTo: from n/a through 6.2.
{
"affected": [],
"aliases": [
"CVE-2024-25911"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T19:15:07Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Skymoon Labs MoveTo.This issue affects MoveTo: from n/a through 6.2.",
"id": "GHSA-wq22-jrvv-wxmv",
"modified": "2026-04-28T21:34:44Z",
"published": "2024-04-16T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25911"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/moveto/wordpress-moveto-plugin-6-2-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.