CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5555 vulnerabilities reference this CWE, most recent first.
GHSA-FJGG-QW2X-496W
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:31Incorrect Authorization vulnerability in Drupal Block permissions allows Forceful Browsing.This issue affects Block permissions: from 1.0.0 before 1.2.0.
{
"affected": [],
"aliases": [
"CVE-2024-13282"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:37Z",
"severity": "HIGH"
},
"details": "Incorrect Authorization vulnerability in Drupal Block permissions allows Forceful Browsing.This issue affects Block permissions: from 1.0.0 before 1.2.0.",
"id": "GHSA-fjgg-qw2x-496w",
"modified": "2025-01-10T18:31:40Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13282"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-046"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJHG-3MRH-MM7H
Vulnerability from github – Published: 2025-06-20 15:25 – Updated: 2025-06-27 22:57DNN.PLATFORM allows a specially crafted request or proxy to be created that would bypass the design of DNN Login IP Filters allowing login attempts from IP Adresses not in the allow list. This vulnerability is fixed in 10.0.1.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "DNN.PLATFORM"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "10.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52487"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-20T15:25:03Z",
"nvd_published_at": "2025-06-21T03:15:24Z",
"severity": "HIGH"
},
"details": "DNN.PLATFORM allows a specially crafted request or proxy to be created that would bypass the design of DNN Login IP Filters allowing login attempts from IP Adresses not in the allow list. This vulnerability is fixed in 10.0.1.",
"id": "GHSA-fjhg-3mrh-mm7h",
"modified": "2025-06-27T22:57:25Z",
"published": "2025-06-20T15:25:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-fjhg-3mrh-mm7h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52487"
},
{
"type": "PACKAGE",
"url": "https://github.com/dnnsoftware/Dnn.Platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DNN.PLATFORM possibly allows bypass of IP Filters"
}
GHSA-FJM8-M7M6-2FJP
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-16 21:39An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containers/buildah"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.27.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2990"
],
"database_specific": {
"cwe_ids": [
"CWE-842",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-15T03:24:17Z",
"nvd_published_at": "2022-09-13T14:15:00Z",
"severity": "HIGH"
},
"details": "An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.",
"id": "GHSA-fjm8-m7m6-2fjp",
"modified": "2022-09-16T21:39:13Z",
"published": "2022-09-14T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2990"
},
{
"type": "WEB",
"url": "https://github.com/containers/buildah/pull/4200"
},
{
"type": "WEB",
"url": "https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-2990"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2121453"
},
{
"type": "PACKAGE",
"url": "https://github.com/containers/buildah"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-1008"
},
{
"type": "WEB",
"url": "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Buildah\u0027s incorrect handling of the supplementary groups may lead to data disclosure, modification"
}
GHSA-FJV4-6MWC-7524
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2026-07-05 00:31Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS
{
"affected": [],
"aliases": [
"CVE-2020-29189"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-24T15:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect Access Control vulnerability in TerraMaster TOS \u003c= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS",
"id": "GHSA-fjv4-6mwc-7524",
"modified": "2026-07-05T00:31:16Z",
"published": "2022-05-24T17:37:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29189"
},
{
"type": "WEB",
"url": "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "http://terramaster.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJVH-MCHR-664C
Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-06-07 00:00A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.
{
"affected": [],
"aliases": [
"CVE-2021-3956"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-18T16:15:00Z",
"severity": "MODERATE"
},
"details": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected.",
"id": "GHSA-fjvh-mchr-664c",
"modified": "2022-06-07T00:00:32Z",
"published": "2022-05-19T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3956"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-72074"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FM3M-2GF9-6P64
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-30 00:00The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc.
{
"affected": [],
"aliases": [
"CVE-2022-0594"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T13:15:00Z",
"severity": "MODERATE"
},
"details": "The Professional Social Sharing Buttons, Icons \u0026 Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v \u003c 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc.",
"id": "GHSA-fm3m-2gf9-6p64",
"modified": "2022-07-30T00:00:34Z",
"published": "2022-07-26T00:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0594"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/4de9451e-2c8d-4d99-a255-b027466d29b1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FM4H-HQGF-7Q6J
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06Moxa PT-7728 devices with software 3.4 build 15081113 allow remote authenticated users to change the configuration via vectors involving a local proxy.
{
"affected": [],
"aliases": [
"CVE-2016-4514"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-06-19T20:59:00Z",
"severity": "HIGH"
},
"details": "Moxa PT-7728 devices with software 3.4 build 15081113 allow remote authenticated users to change the configuration via vectors involving a local proxy.",
"id": "GHSA-fm4h-hqgf-7q6j",
"modified": "2022-05-13T01:06:02Z",
"published": "2022-05-13T01:06:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4514"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-168-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FMH9-GPQH-G53G
Vulnerability from github – Published: 2026-05-13 15:33 – Updated: 2026-05-15 23:45Summary
The advisory GHSA-c77m-r996-jr3q patched getBookmark so that, when invoked by a publish-mode RoleReader, results are filtered through FilterBlocksByPublishAccess to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not receive the equivalent treatment and continue to expose metadata across the publish-access boundary.
Details
Affected files / lines (v3.6.5):
kernel/api/router.go:181-190 — all four endpoints registered with CheckAuth only, which the publish-service RoleReader JWT passes:
ginServer.Handle("POST", "/api/search/searchTag", model.CheckAuth, searchTag)
ginServer.Handle("POST", "/api/search/searchTemplate", model.CheckAuth, searchTemplate)
ginServer.Handle("POST", "/api/search/searchWidget", model.CheckAuth, searchWidget)
ginServer.Handle("POST", "/api/search/searchAsset", model.CheckAuth, searchAsset)
kernel/api/search.go — none of the four handlers branches on model.IsReadOnlyRoleContext(c) to filter the response, while their peers in the same file do. Compare:
// :29-65 listInvalidBlockRefs — DOES filter:
if model.IsReadOnlyRoleContext(c) {
publishAccess := model.GetPublishAccess()
blocks = model.FilterBlocksByPublishAccess(c, publishAccess, blocks)
}
// :67-93 getAssetContent — DOES filter (FilterAssetContentByPublishAccess)
// :95-115 fullTextSearchAssetContent — DOES filter
// :250-285 getEmbedBlock — DOES filter (FilterEmbedBlocksByPublishAccess)
// :156-176 searchAsset — does NOT filter
ret.Data = model.SearchAssetsByName(k, exts)
// :178-196 searchTag — does NOT filter
tags := model.SearchTags(k)
ret.Data = map[string]any{"tags": tags, "k": k}
// :198-213 searchWidget — does NOT filter
widgets := model.SearchWidget(keyword)
// :233-248 searchTemplate — does NOT filter
templates := model.SearchTemplate(keyword)
model.SearchAssetsByName, model.SearchTags, model.SearchWidget, model.SearchTemplate operate over the entire workspace database / filesystem, not just the publish-visible subset. A FilterTagsByPublishIgnore helper already exists in kernel/model/ and is used by getTag itself (kernel/api/tag.go:58-62), confirming the maintainers' intent.
PoC
End-to-end reproduction requires enabling the SiYuan publish service, marking one notebook as private to publish access, and obtaining a RoleReader JWT from the publish reverse-proxy (per kernel/server/proxy/publish.go). Once authenticated as the Reader against the publish port:
# Returns ALL tags across the workspace, including ones drawn only from the publish-private notebook.
curl -X POST https://<publish-host>/api/search/searchTag \
-H 'Authorization: Bearer <reader-jwt>' \
-H 'Content-Type: application/json' \
-d '{"k":""}'
# Returns ALL asset filenames (e.g., CV.pdf, contract.docx, salary-2026.xlsx) regardless of source notebook.
curl -X POST https://<publish-host>/api/search/searchAsset \
-H 'Authorization: Bearer <reader-jwt>' \
-H 'Content-Type: application/json' \
-d '{"k":""}'
curl -X POST https://<publish-host>/api/search/searchWidget -H '...' -d '{"k":""}'
curl -X POST https://<publish-host>/api/search/searchTemplate -H '...' -d '{"k":""}'
Each call returns the global result set without applying FilterTagsByPublishIgnore / FilterAssetContentByPublishAccess / equivalent.
In this audit I source-confirmed the missing branch in v3.6.5 but did not stand up the full publish-service flow. The fix is straightforward enough that the source-level evidence should be sufficient for triage.
Impact
A publish-service Reader (the role assigned to anonymous publish visitors by default) can enumerate:
- All tag strings used anywhere in the workspace — frequently contains person names, project codenames, internal identifiers.
- All asset filenames uploaded to the workspace — frequently contains the contents of
CV.pdf,contract.docx,salary-2026.xlsx, etc. - All widget names and template names installed in the workspace.
This violates the publish-service trust boundary. Users intentionally mark notebooks as "invisible to publish" specifically to keep this metadata out of public reach.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260512140701-d7b77d945e0d"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45148"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T15:33:03Z",
"nvd_published_at": "2026-05-14T19:16:38Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe advisory `GHSA-c77m-r996-jr3q` patched `getBookmark` so that, when invoked by a publish-mode `RoleReader`, results are filtered through `FilterBlocksByPublishAccess` to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file did not receive the equivalent treatment and continue to expose metadata across the publish-access boundary.\n\n### Details\n\n**Affected files / lines (v3.6.5):**\n\n`kernel/api/router.go:181-190` \u2014 all four endpoints registered with `CheckAuth` only, which the publish-service `RoleReader` JWT passes:\n\n```go\nginServer.Handle(\"POST\", \"/api/search/searchTag\", model.CheckAuth, searchTag)\nginServer.Handle(\"POST\", \"/api/search/searchTemplate\", model.CheckAuth, searchTemplate)\nginServer.Handle(\"POST\", \"/api/search/searchWidget\", model.CheckAuth, searchWidget)\nginServer.Handle(\"POST\", \"/api/search/searchAsset\", model.CheckAuth, searchAsset)\n```\n\n`kernel/api/search.go` \u2014 none of the four handlers branches on `model.IsReadOnlyRoleContext(c)` to filter the response, while their *peers* in the same file do. Compare:\n\n```go\n// :29-65 listInvalidBlockRefs \u2014 DOES filter:\nif model.IsReadOnlyRoleContext(c) {\n publishAccess := model.GetPublishAccess()\n blocks = model.FilterBlocksByPublishAccess(c, publishAccess, blocks)\n}\n\n// :67-93 getAssetContent \u2014 DOES filter (FilterAssetContentByPublishAccess)\n// :95-115 fullTextSearchAssetContent \u2014 DOES filter\n// :250-285 getEmbedBlock \u2014 DOES filter (FilterEmbedBlocksByPublishAccess)\n\n// :156-176 searchAsset \u2014 does NOT filter\nret.Data = model.SearchAssetsByName(k, exts)\n\n// :178-196 searchTag \u2014 does NOT filter\ntags := model.SearchTags(k)\nret.Data = map[string]any{\"tags\": tags, \"k\": k}\n\n// :198-213 searchWidget \u2014 does NOT filter\nwidgets := model.SearchWidget(keyword)\n\n// :233-248 searchTemplate \u2014 does NOT filter\ntemplates := model.SearchTemplate(keyword)\n```\n\n`model.SearchAssetsByName`, `model.SearchTags`, `model.SearchWidget`, `model.SearchTemplate` operate over the entire workspace database / filesystem, not just the publish-visible subset. A `FilterTagsByPublishIgnore` helper *already exists* in `kernel/model/` and is used by `getTag` itself (`kernel/api/tag.go:58-62`), confirming the maintainers\u0027 intent.\n\n### PoC\n\nEnd-to-end reproduction requires enabling the SiYuan publish service, marking one notebook as private to publish access, and obtaining a `RoleReader` JWT from the publish reverse-proxy (per `kernel/server/proxy/publish.go`). Once authenticated as the Reader against the publish port:\n\n```bash\n# Returns ALL tags across the workspace, including ones drawn only from the publish-private notebook.\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchTag \\\n -H \u0027Authorization: Bearer \u003creader-jwt\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"k\":\"\"}\u0027\n\n# Returns ALL asset filenames (e.g., CV.pdf, contract.docx, salary-2026.xlsx) regardless of source notebook.\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchAsset \\\n -H \u0027Authorization: Bearer \u003creader-jwt\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"k\":\"\"}\u0027\n\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchWidget -H \u0027...\u0027 -d \u0027{\"k\":\"\"}\u0027\ncurl -X POST https://\u003cpublish-host\u003e/api/search/searchTemplate -H \u0027...\u0027 -d \u0027{\"k\":\"\"}\u0027\n```\n\nEach call returns the global result set without applying `FilterTagsByPublishIgnore` / `FilterAssetContentByPublishAccess` / equivalent.\n\nIn this audit I source-confirmed the missing branch in v3.6.5 but did not stand up the full publish-service flow. The fix is straightforward enough that the source-level evidence should be sufficient for triage.\n\n### Impact\n\nA publish-service Reader (the role assigned to anonymous publish visitors by default) can enumerate:\n\n- All tag strings used anywhere in the workspace \u2014 frequently contains person names, project codenames, internal identifiers.\n- All asset filenames uploaded to the workspace \u2014 frequently contains the contents of `CV.pdf`, `contract.docx`, `salary-2026.xlsx`, etc.\n- All widget names and template names installed in the workspace.\n\nThis violates the publish-service trust boundary. Users intentionally mark notebooks as \"invisible to publish\" specifically to keep this metadata out of public reach.",
"id": "GHSA-fmh9-gpqh-g53g",
"modified": "2026-05-15T23:45:20Z",
"published": "2026-05-13T15:33:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fmh9-gpqh-g53g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45148"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode"
}
GHSA-FMJ6-GCWC-6452
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
{
"affected": [],
"aliases": [
"CVE-2021-40875"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-22T15:15:00Z",
"severity": "HIGH"
},
"details": "Improper Access Control in Gurock TestRail versions \u003c 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.",
"id": "GHSA-fmj6-gcwc-6452",
"modified": "2022-07-13T00:01:40Z",
"published": "2022-05-24T19:15:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40875"
},
{
"type": "WEB",
"url": "https://github.com/SakuraSamuraii/derailed"
},
{
"type": "WEB",
"url": "https://johnjhacking.com/blog/cve-2021-40875"
},
{
"type": "WEB",
"url": "https://www.gurock.com/testrail/tour/enterprise-edition"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164270/Gurock-Testrail-7.2.0.3014-Improper-Access-Control.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FMQF-PMCM-8CX9
Vulnerability from github – Published: 2025-12-24 09:30 – Updated: 2026-02-27 22:04Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20251121122154-b57c297c6d7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"fixed": "10.11.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.12.0"
},
{
"fixed": "10.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.1.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13767"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-26T18:40:17Z",
"nvd_published_at": "2025-12-24T08:15:45Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.1.x \u003c= 11.1.0, 11.0.x \u003c= 11.0.5, 10.12.x \u003c= 10.12.3, 10.11.x \u003c= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.",
"id": "GHSA-fmqf-pmcm-8cx9",
"modified": "2026-02-27T22:04:19Z",
"published": "2025-12-24T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13767"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/pull/34551"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/b57c297c6d7ae6812d85e32a625806ac9555deee"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost doesn\u0027t validate user channel membership when attaching Mattermost posts as comments to Jira issues"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.