Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5555 vulnerabilities reference this CWE, most recent first.

GHSA-FJGG-QW2X-496W

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:31
VLAI
Details

Incorrect Authorization vulnerability in Drupal Block permissions allows Forceful Browsing.This issue affects Block permissions: from 1.0.0 before 1.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:37Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Authorization vulnerability in Drupal Block permissions allows Forceful Browsing.This issue affects Block permissions: from 1.0.0 before 1.2.0.",
  "id": "GHSA-fjgg-qw2x-496w",
  "modified": "2025-01-10T18:31:40Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13282"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJHG-3MRH-MM7H

Vulnerability from github – Published: 2025-06-20 15:25 – Updated: 2025-06-27 22:57
VLAI
Summary
DNN.PLATFORM possibly allows bypass of IP Filters
Details

DNN.PLATFORM allows a specially crafted request or proxy to be created that would bypass the design of DNN Login IP Filters allowing login attempts from IP Adresses not in the allow list. This vulnerability is fixed in 10.0.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "DNN.PLATFORM"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "10.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-20T15:25:03Z",
    "nvd_published_at": "2025-06-21T03:15:24Z",
    "severity": "HIGH"
  },
  "details": "DNN.PLATFORM allows a specially crafted request or proxy to be created that would bypass the design of DNN Login IP Filters allowing login attempts from IP Adresses not in the allow list. This vulnerability is fixed in 10.0.1.",
  "id": "GHSA-fjhg-3mrh-mm7h",
  "modified": "2025-06-27T22:57:25Z",
  "published": "2025-06-20T15:25:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-fjhg-3mrh-mm7h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52487"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dnnsoftware/Dnn.Platform"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DNN.PLATFORM possibly allows bypass of IP Filters"
}

GHSA-FJM8-M7M6-2FJP

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-16 21:39
VLAI
Summary
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification
Details

An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-842",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:24:17Z",
    "nvd_published_at": "2022-09-13T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.",
  "id": "GHSA-fjm8-m7m6-2fjp",
  "modified": "2022-09-16T21:39:13Z",
  "published": "2022-09-14T00:00:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/pull/4200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2990"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2121453"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/buildah"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1008"
    },
    {
      "type": "WEB",
      "url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Buildah\u0027s incorrect handling of the supplementary groups may lead to data disclosure, modification"
}

GHSA-FJV4-6MWC-7524

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2026-07-05 00:31
VLAI
Details

Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Access Control vulnerability in TerraMaster TOS \u003c= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS",
  "id": "GHSA-fjv4-6mwc-7524",
  "modified": "2026-07-05T00:31:16Z",
  "published": "2022-05-24T17:37:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29189"
    },
    {
      "type": "WEB",
      "url": "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "http://terramaster.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJVH-MCHR-664C

Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-06-07 00:00
VLAI
Details

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-18T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected.",
  "id": "GHSA-fjvh-mchr-664c",
  "modified": "2022-06-07T00:00:32Z",
  "published": "2022-05-19T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3956"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM3M-2GF9-6P64

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-30 00:00
VLAI
Details

The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Professional Social Sharing Buttons, Icons \u0026 Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v \u003c 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc.",
  "id": "GHSA-fm3m-2gf9-6p64",
  "modified": "2022-07-30T00:00:34Z",
  "published": "2022-07-26T00:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0594"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/4de9451e-2c8d-4d99-a255-b027466d29b1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM4H-HQGF-7Q6J

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

Moxa PT-7728 devices with software 3.4 build 15081113 allow remote authenticated users to change the configuration via vectors involving a local proxy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-4514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-06-19T20:59:00Z",
    "severity": "HIGH"
  },
  "details": "Moxa PT-7728 devices with software 3.4 build 15081113 allow remote authenticated users to change the configuration via vectors involving a local proxy.",
  "id": "GHSA-fm4h-hqgf-7q6j",
  "modified": "2022-05-13T01:06:02Z",
  "published": "2022-05-13T01:06:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4514"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-168-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMH9-GPQH-G53G

Vulnerability from github – Published: 2026-05-13 15:33 – Updated: 2026-05-15 23:45
VLAI
Summary
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
Details

Summary

The advisory GHSA-c77m-r996-jr3q patched getBookmark so that, when invoked by a publish-mode RoleReader, results are filtered through FilterBlocksByPublishAccess to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not receive the equivalent treatment and continue to expose metadata across the publish-access boundary.

Details

Affected files / lines (v3.6.5):

kernel/api/router.go:181-190 — all four endpoints registered with CheckAuth only, which the publish-service RoleReader JWT passes:

ginServer.Handle("POST", "/api/search/searchTag",      model.CheckAuth, searchTag)
ginServer.Handle("POST", "/api/search/searchTemplate", model.CheckAuth, searchTemplate)
ginServer.Handle("POST", "/api/search/searchWidget",   model.CheckAuth, searchWidget)
ginServer.Handle("POST", "/api/search/searchAsset",    model.CheckAuth, searchAsset)

kernel/api/search.go — none of the four handlers branches on model.IsReadOnlyRoleContext(c) to filter the response, while their peers in the same file do. Compare:

// :29-65  listInvalidBlockRefs — DOES filter:
if model.IsReadOnlyRoleContext(c) {
    publishAccess := model.GetPublishAccess()
    blocks = model.FilterBlocksByPublishAccess(c, publishAccess, blocks)
}

// :67-93  getAssetContent — DOES filter (FilterAssetContentByPublishAccess)
// :95-115 fullTextSearchAssetContent — DOES filter
// :250-285 getEmbedBlock — DOES filter (FilterEmbedBlocksByPublishAccess)

// :156-176 searchAsset — does NOT filter
ret.Data = model.SearchAssetsByName(k, exts)

// :178-196 searchTag — does NOT filter
tags := model.SearchTags(k)
ret.Data = map[string]any{"tags": tags, "k": k}

// :198-213 searchWidget — does NOT filter
widgets := model.SearchWidget(keyword)

// :233-248 searchTemplate — does NOT filter
templates := model.SearchTemplate(keyword)

model.SearchAssetsByName, model.SearchTags, model.SearchWidget, model.SearchTemplate operate over the entire workspace database / filesystem, not just the publish-visible subset. A FilterTagsByPublishIgnore helper already exists in kernel/model/ and is used by getTag itself (kernel/api/tag.go:58-62), confirming the maintainers' intent.

PoC

End-to-end reproduction requires enabling the SiYuan publish service, marking one notebook as private to publish access, and obtaining a RoleReader JWT from the publish reverse-proxy (per kernel/server/proxy/publish.go). Once authenticated as the Reader against the publish port:

# Returns ALL tags across the workspace, including ones drawn only from the publish-private notebook.
curl -X POST https://<publish-host>/api/search/searchTag \
     -H 'Authorization: Bearer <reader-jwt>' \
     -H 'Content-Type: application/json' \
     -d '{"k":""}'

# Returns ALL asset filenames (e.g., CV.pdf, contract.docx, salary-2026.xlsx) regardless of source notebook.
curl -X POST https://<publish-host>/api/search/searchAsset \
     -H 'Authorization: Bearer <reader-jwt>' \
     -H 'Content-Type: application/json' \
     -d '{"k":""}'

curl -X POST https://<publish-host>/api/search/searchWidget   -H '...' -d '{"k":""}'
curl -X POST https://<publish-host>/api/search/searchTemplate -H '...' -d '{"k":""}'

Each call returns the global result set without applying FilterTagsByPublishIgnore / FilterAssetContentByPublishAccess / equivalent.

In this audit I source-confirmed the missing branch in v3.6.5 but did not stand up the full publish-service flow. The fix is straightforward enough that the source-level evidence should be sufficient for triage.

Impact

A publish-service Reader (the role assigned to anonymous publish visitors by default) can enumerate:

  • All tag strings used anywhere in the workspace — frequently contains person names, project codenames, internal identifiers.
  • All asset filenames uploaded to the workspace — frequently contains the contents of CV.pdf, contract.docx, salary-2026.xlsx, etc.
  • All widget names and template names installed in the workspace.

This violates the publish-service trust boundary. Users intentionally mark notebooks as "invisible to publish" specifically to keep this metadata out of public reach.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260512140701-d7b77d945e0d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T15:33:03Z",
    "nvd_published_at": "2026-05-14T19:16:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe advisory `GHSA-c77m-r996-jr3q` patched `getBookmark` so that, when invoked by a publish-mode `RoleReader`, results are filtered through `FilterBlocksByPublishAccess` to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not receive the equivalent treatment and continue to expose metadata across the publish-access boundary.\n\n### Details\n\n**Affected files / lines (v3.6.5):**\n\n`kernel/api/router.go:181-190` \u2014 all four endpoints registered with `CheckAuth` only, which the publish-service `RoleReader` JWT passes:\n\n```go\nginServer.Handle(\"POST\", \"/api/search/searchTag\",      model.CheckAuth, searchTag)\nginServer.Handle(\"POST\", \"/api/search/searchTemplate\", model.CheckAuth, searchTemplate)\nginServer.Handle(\"POST\", \"/api/search/searchWidget\",   model.CheckAuth, searchWidget)\nginServer.Handle(\"POST\", \"/api/search/searchAsset\",    model.CheckAuth, searchAsset)\n```\n\n`kernel/api/search.go` \u2014 none of the four handlers branches on `model.IsReadOnlyRoleContext(c)` to filter the response, while their *peers* in the same file do. Compare:\n\n```go\n// :29-65  listInvalidBlockRefs \u2014 DOES filter:\nif model.IsReadOnlyRoleContext(c) {\n    publishAccess := model.GetPublishAccess()\n    blocks = model.FilterBlocksByPublishAccess(c, publishAccess, blocks)\n}\n\n// :67-93  getAssetContent \u2014 DOES filter (FilterAssetContentByPublishAccess)\n// :95-115 fullTextSearchAssetContent \u2014 DOES filter\n// :250-285 getEmbedBlock \u2014 DOES filter (FilterEmbedBlocksByPublishAccess)\n\n// :156-176 searchAsset \u2014 does NOT filter\nret.Data = model.SearchAssetsByName(k, exts)\n\n// :178-196 searchTag \u2014 does NOT filter\ntags := model.SearchTags(k)\nret.Data = map[string]any{\"tags\": tags, \"k\": k}\n\n// :198-213 searchWidget \u2014 does NOT filter\nwidgets := model.SearchWidget(keyword)\n\n// :233-248 searchTemplate \u2014 does NOT filter\ntemplates := model.SearchTemplate(keyword)\n```\n\n`model.SearchAssetsByName`, `model.SearchTags`, `model.SearchWidget`, `model.SearchTemplate` operate over the entire workspace database / filesystem, not just the publish-visible subset. A `FilterTagsByPublishIgnore` helper *already exists* in `kernel/model/` and is used by `getTag` itself (`kernel/api/tag.go:58-62`), confirming the maintainers\u0027 intent.\n\n### PoC\n\nEnd-to-end reproduction requires enabling the SiYuan publish service, marking one notebook as private to publish access, and obtaining a `RoleReader` JWT from the publish reverse-proxy (per `kernel/server/proxy/publish.go`). Once authenticated as the Reader against the publish port:\n\n```bash\n# Returns ALL tags across the workspace, including ones drawn only from the publish-private notebook.\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchTag \\\n     -H \u0027Authorization: Bearer \u003creader-jwt\u003e\u0027 \\\n     -H \u0027Content-Type: application/json\u0027 \\\n     -d \u0027{\"k\":\"\"}\u0027\n\n# Returns ALL asset filenames (e.g., CV.pdf, contract.docx, salary-2026.xlsx) regardless of source notebook.\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchAsset \\\n     -H \u0027Authorization: Bearer \u003creader-jwt\u003e\u0027 \\\n     -H \u0027Content-Type: application/json\u0027 \\\n     -d \u0027{\"k\":\"\"}\u0027\n\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchWidget   -H \u0027...\u0027 -d \u0027{\"k\":\"\"}\u0027\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchTemplate -H \u0027...\u0027 -d \u0027{\"k\":\"\"}\u0027\n```\n\nEach call returns the global result set without applying `FilterTagsByPublishIgnore` / `FilterAssetContentByPublishAccess` / equivalent.\n\nIn this audit I source-confirmed the missing branch in v3.6.5 but did not stand up the full publish-service flow. The fix is straightforward enough that the source-level evidence should be sufficient for triage.\n\n### Impact\n\nA publish-service Reader (the role assigned to anonymous publish visitors by default) can enumerate:\n\n- All tag strings used anywhere in the workspace \u2014 frequently contains person names, project codenames, internal identifiers.\n- All asset filenames uploaded to the workspace \u2014 frequently contains the contents of `CV.pdf`, `contract.docx`, `salary-2026.xlsx`, etc.\n- All widget names and template names installed in the workspace.\n\nThis violates the publish-service trust boundary. Users intentionally mark notebooks as \"invisible to publish\" specifically to keep this metadata out of public reach.",
  "id": "GHSA-fmh9-gpqh-g53g",
  "modified": "2026-05-15T23:45:20Z",
  "published": "2026-05-13T15:33:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fmh9-gpqh-g53g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45148"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode"
}

GHSA-FMJ6-GCWC-6452

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01
VLAI
Details

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-22T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Access Control in Gurock TestRail versions \u003c 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.",
  "id": "GHSA-fmj6-gcwc-6452",
  "modified": "2022-07-13T00:01:40Z",
  "published": "2022-05-24T19:15:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40875"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SakuraSamuraii/derailed"
    },
    {
      "type": "WEB",
      "url": "https://johnjhacking.com/blog/cve-2021-40875"
    },
    {
      "type": "WEB",
      "url": "https://www.gurock.com/testrail/tour/enterprise-edition"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMQF-PMCM-8CX9

Vulnerability from github – Published: 2025-12-24 09:30 – Updated: 2026-02-27 22:04
VLAI
Summary
Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
Details

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20251121122154-b57c297c6d7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.12.0"
            },
            {
              "fixed": "10.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.1.0"
            },
            {
              "fixed": "11.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-26T18:40:17Z",
    "nvd_published_at": "2025-12-24T08:15:45Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.1.x \u003c= 11.1.0, 11.0.x \u003c= 11.0.5, 10.12.x \u003c= 10.12.3, 10.11.x \u003c= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.",
  "id": "GHSA-fmqf-pmcm-8cx9",
  "modified": "2026-02-27T22:04:19Z",
  "published": "2025-12-24T09:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/pull/34551"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/b57c297c6d7ae6812d85e32a625806ac9555deee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4259"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost doesn\u0027t validate user channel membership when attaching Mattermost posts as comments to Jira issues"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.