Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5505 vulnerabilities reference this CWE, most recent first.

GHSA-JQF5-5C3V-WJ97

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28
VLAI
Details

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-15T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.",
  "id": "GHSA-jqf5-5c3v-wj97",
  "modified": "2022-05-24T17:28:16Z",
  "published": "2022-05-24T17:28:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13303"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/962231"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13303.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/238887"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JQPF-VJ28-9V7R

Vulnerability from github – Published: 2026-03-19 03:30 – Updated: 2026-03-20 13:55
VLAI
Summary
Duplicate Advisory: Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-gw85-xp4q-5gp9. This link is maintained to preserve external references.

Original Description

OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.2.22"
            },
            {
              "last_affected": "2026.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T13:55:52Z",
    "nvd_published_at": "2026-03-19T02:16:05Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-gw85-xp4q-5gp9. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.",
  "id": "GHSA-jqpf-vj28-9v7r",
  "modified": "2026-03-20T13:55:52Z",
  "published": "2026-03-19T03:30:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31998"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/7655c0cb3a47d0647cbbf5284e177f90b4b82ddb"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-synology-chat-plugin-via-empty-alloweduserids"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch",
  "withdrawn": "2026-03-20T13:55:52Z"
}

GHSA-JQQW-X8W5-V4HH

Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-05-22 15:34
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T14:16:02Z",
    "severity": "LOW"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.",
  "id": "GHSA-jqqw-x8w5-v4hh",
  "modified": "2025-05-22T15:34:50Z",
  "published": "2025-05-22T15:34:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1110"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2972576"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/517693"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQXP-VJX4-H9PV

Vulnerability from github – Published: 2022-12-08 18:30 – Updated: 2022-12-12 18:30
VLAI
Details

Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-08T16:15:00Z",
    "severity": "LOW"
  },
  "details": "Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.",
  "id": "GHSA-jqxp-vjx4-h9pv",
  "modified": "2022-12-12T18:30:29Z",
  "published": "2022-12-08T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39903"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR5R-25MV-WFHM

Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00
VLAI
Details

An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-20T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].",
  "id": "GHSA-jr5r-25mv-wfhm",
  "modified": "2022-07-28T00:00:41Z",
  "published": "2022-07-21T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34046"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/18ECQEqZ296LDzZ0wErgqnNfen1jCn0mG/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167890/Wavlink-WN533A8-Password-Disclosure.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR83-M233-GG6P

Vulnerability from github – Published: 2024-03-04 20:45 – Updated: 2024-03-06 21:37
VLAI
Summary
Sulu grants access to pages regardless of role permissions
Details

Impact

What kind of vulnerability is it? Who is impacted?

Access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.17 and 2.5.13.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Remove following lines from vendor/symfony/security-http/HttpUtils.php:

-            // Shortcut if request has already been matched before
-            if ($request->attributes->has('_route')) {
-                return $path === $request->attributes->get('_route');
 -           }

Or do not install symfony/security-http versions greater equal than v5.4.30 or v6.3.6.

References

Are there any links users can visit to find out more?

Currently no references.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sulu/sulu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.4.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sulu/sulu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0-alpha1"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-04T20:45:08Z",
    "nvd_published_at": "2024-03-06T20:15:47Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nAccess to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue.\n\n### Patches\n\nHas the problem been patched? What versions should users upgrade to?\n\nThe problem is patched with Version `2.4.17` and `2.5.13`.\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nRemove  following lines from `vendor/symfony/security-http/HttpUtils.php`:\n\n```\n-            // Shortcut if request has already been matched before\n-            if ($request-\u003eattributes-\u003ehas(\u0027_route\u0027)) {\n-                return $path === $request-\u003eattributes-\u003eget(\u0027_route\u0027);\n -           }\n```\n\nOr do not install `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\nCurrently no references.\n",
  "id": "GHSA-jr83-m233-gg6p",
  "modified": "2024-03-06T21:37:49Z",
  "published": "2024-03-04T20:45:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27915"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sulu/sulu"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sulu grants access to pages regardless of role permissions"
}

GHSA-JR8X-R7FP-7RP4

Vulnerability from github – Published: 2024-10-19 00:31 – Updated: 2024-10-19 00:31
VLAI
Details

Ivanti DSM < version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-18T23:15:03Z",
    "severity": "HIGH"
  },
  "details": "Ivanti DSM \u003c version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector.",
  "id": "GHSA-jr8x-r7fp-7rp4",
  "modified": "2024-10-19T00:31:54Z",
  "published": "2024-10-19T00:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29213"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/SA-2024-07-12-CVE-2024-29213"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRC5-W569-H7H5

Vulnerability from github – Published: 2026-05-06 20:37 – Updated: 2026-06-09 00:01
VLAI
Summary
phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ
Details

Summary

A review of phpMyFAQ-main uncovered an authorization issue in the admin-api routes.

Several backend endpoints only check whether the caller is logged in. They do not verify that the caller actually has backend or administrative privileges. As a result, a normal frontend user can access API endpoints that are clearly intended for administrative use.

During local reproduction, a regular user account was able to request /admin/api/index.php/dashboard/versions and receive a successful response from the backend management API.

This issue does not appear to give direct write access in the affected paths that were confirmed, so it should be treated as a backend information disclosure and privilege boundary failure rather than full admin compromise.

Details

The access control split is visible in the controller base class:

public function userIsAuthenticated(): void
{
    if (!$this->currentUser->isLoggedIn()) {
        throw new UnauthorizedHttpException('Unauthorized access.');
    }
}

protected function userHasPermission(PermissionType $permissionType): void
{
    // permission-based check
}

The problem is that several Administration\Api controllers use the weaker check even though the routes sit under the backend API namespace.

For example, phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/DashboardController.php exposes:

#[Route(path: 'dashboard/versions', name: 'admin.api.dashboard.versions', methods: ['GET'])]
public function versions(): JsonResponse
{
    $this->userIsAuthenticated();
    ...
}

The same pattern appears in other backend-facing controllers, including:

  • LdapController
  • ElasticsearchController
  • OpenSearchController
  • UpdateController

That matters because these endpoints are not part of the normal frontend feature set. They expose backend operational data such as version checks, upgrade state, LDAP configuration, health checks, and search backend status.

Three examples that stand out from an impact perspective are:

  1. GET /admin/api/index.php/ldap/configuration

This can expose LDAP server configuration, mapping settings, group settings, and general authentication-related options. Even with secrets masked, this is still useful internal infrastructure information.

  1. GET /admin/api/index.php/elasticsearch/statistics

If Elasticsearch is enabled, this can expose index names and search backend statistics that should normally stay in the admin area.

  1. GET /admin/api/index.php/health-check

This is part of the update and maintenance workflow and can reveal operational state that ordinary users should not be able to inspect.

In other words, the issue is not that guests can reach the backend. The issue is that any ordinary authenticated user can cross the frontend/backend privilege boundary.

PoC

I reproduced this against a local Docker deployment of the project.

First, an unauthenticated request to the backend API is rejected:

GET /admin/api/index.php/dashboard/versions HTTP/1.1
Host: 127.0.0.1
Accept: application/json

Response:

HTTP/1.0 401 Unauthorized
Content-Type: application/problem+json

{
  "type": "http://127.0.0.1/problems/unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Unauthorized access.",
  "instance": "/dashboard/versions"
}

Logged in with a normal frontend account:

  • username: user1
  • password: User12345!

After login, the same request was sent with the user session cookie:

GET /admin/api/index.php/dashboard/versions HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=<regular-user-session>
Accept: application/json

Response:

HTTP/1.0 200 OK
Content-Type: application/json

{"success":"Latest version available: phpMyFAQ 4.1.1"}

That is enough to show that a non-admin account can call at least one backend management endpoint successfully.

Impact

The main impact is unauthorized access to backend-only operational information.

Depending on which optional features are enabled in a real deployment, this may let a normal user learn:

  • upgrade and version status
  • maintenance or health-check information
  • LDAP environment details
  • Elasticsearch or OpenSearch backend status and statistics
  • internal administrative diagnostics

This was rated as Medium severity.

It was not categorized as High severity because the testing done did not confirm a direct administrative state change through the affected read-oriented endpoints. Still, this is a real privilege separation failure. A frontend account should not be able to query backend admin APIs simply because it has a valid session.

Remediation

The suggested approach should fix this in two layers.

  1. Replace userIsAuthenticated() with explicit permission checks on backend endpoints that are intended for administrators only.
  2. Review all Administration\Api controllers for similar cases and make the access model consistent.
  3. Keep backend operational endpoints separated from ordinary user sessions unless there is a strong business reason to expose them.
  4. Add regression tests that log in as a low-privileged user and verify that backend routes return 403 or 401 where appropriate.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.1"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.1.1"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.1"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.1.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T20:37:42Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA review of `phpMyFAQ-main` uncovered an authorization issue in the `admin-api` routes.\n\nSeveral backend endpoints only check whether the caller is logged in. They do not verify that the caller actually has backend or administrative privileges. As a result, a normal frontend user can access API endpoints that are clearly intended for administrative use.\n\nDuring local reproduction, a regular user account was able to request `/admin/api/index.php/dashboard/versions` and receive a successful response from the backend management API.\n\nThis issue does not appear to give direct write access in the affected paths that were confirmed, so it should be treated as a backend information disclosure and privilege boundary failure rather than full admin compromise.\n\n### Details\n\nThe access control split is visible in the controller base class:\n\n```php\npublic function userIsAuthenticated(): void\n{\n    if (!$this-\u003ecurrentUser-\u003eisLoggedIn()) {\n        throw new UnauthorizedHttpException(\u0027Unauthorized access.\u0027);\n    }\n}\n\nprotected function userHasPermission(PermissionType $permissionType): void\n{\n    // permission-based check\n}\n```\n\nThe problem is that several `Administration\\Api` controllers use the weaker check even though the routes sit under the backend API namespace.\n\nFor example, `phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/DashboardController.php` exposes:\n\n```php\n#[Route(path: \u0027dashboard/versions\u0027, name: \u0027admin.api.dashboard.versions\u0027, methods: [\u0027GET\u0027])]\npublic function versions(): JsonResponse\n{\n    $this-\u003euserIsAuthenticated();\n    ...\n}\n```\n\nThe same pattern appears in other backend-facing controllers, including:\n\n- `LdapController`\n- `ElasticsearchController`\n- `OpenSearchController`\n- `UpdateController`\n\nThat matters because these endpoints are not part of the normal frontend feature set. They expose backend operational data such as version checks, upgrade state, LDAP configuration, health checks, and search backend status.\n\nThree examples that stand out from an impact perspective are:\n\n1. `GET /admin/api/index.php/ldap/configuration`\n\n   This can expose LDAP server configuration, mapping settings, group settings, and general authentication-related options. Even with secrets masked, this is still useful internal infrastructure information.\n\n2. `GET /admin/api/index.php/elasticsearch/statistics`\n\n   If Elasticsearch is enabled, this can expose index names and search backend statistics that should normally stay in the admin area.\n\n3. `GET /admin/api/index.php/health-check`\n\n   This is part of the update and maintenance workflow and can reveal operational state that ordinary users should not be able to inspect.\n\nIn other words, the issue is not that guests can reach the backend. The issue is that any ordinary authenticated user can cross the frontend/backend privilege boundary.\n\n### PoC\n\nI reproduced this against a local Docker deployment of the project.\n\nFirst, an unauthenticated request to the backend API is rejected:\n\n```http\nGET /admin/api/index.php/dashboard/versions HTTP/1.1\nHost: 127.0.0.1\nAccept: application/json\n```\n\nResponse:\n\n```http\nHTTP/1.0 401 Unauthorized\nContent-Type: application/problem+json\n\n{\n  \"type\": \"http://127.0.0.1/problems/unauthorized\",\n  \"title\": \"Unauthorized\",\n  \"status\": 401,\n  \"detail\": \"Unauthorized access.\",\n  \"instance\": \"/dashboard/versions\"\n}\n```\n\nLogged in with a normal frontend account:\n\n- username: `user1`\n- password: `User12345!`\n\nAfter login, the same request was sent with the user session cookie:\n\n```http\nGET /admin/api/index.php/dashboard/versions HTTP/1.1\nHost: 127.0.0.1\nCookie: PHPSESSID=\u003cregular-user-session\u003e\nAccept: application/json\n```\n\nResponse:\n\n```http\nHTTP/1.0 200 OK\nContent-Type: application/json\n\n{\"success\":\"Latest version available: phpMyFAQ 4.1.1\"}\n```\n\nThat is enough to show that a non-admin account can call at least one backend management endpoint successfully.\n\n### Impact\n\nThe main impact is unauthorized access to backend-only operational information.\n\nDepending on which optional features are enabled in a real deployment, this may let a normal user learn:\n\n- upgrade and version status\n- maintenance or health-check information\n- LDAP environment details\n- Elasticsearch or OpenSearch backend status and statistics\n- internal administrative diagnostics\n\nThis was rated as **Medium** severity.\n\nIt was not categorized as **High** severity because the testing done did not confirm a direct administrative state change through the affected read-oriented endpoints. Still, this is a real privilege separation failure. A frontend account should not be able to query backend admin APIs simply because it has a valid session.\n\n### Remediation\n\nThe suggested approach should fix this in two layers.\n\n1. Replace `userIsAuthenticated()` with explicit permission checks on backend endpoints that are intended for administrators only.\n2. Review all `Administration\\Api` controllers for similar cases and make the access model consistent.\n3. Keep backend operational endpoints separated from ordinary user sessions unless there is a strong business reason to expose them.\n4. Add regression tests that log in as a low-privileged user and verify that backend routes return `403` or `401` where appropriate.",
  "id": "GHSA-jrc5-w569-h7h5",
  "modified": "2026-06-09T00:01:48Z",
  "published": "2026-05-06T20:37:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45009"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ"
}

GHSA-JRRV-JM33-8JRV

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-25T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data",
  "id": "GHSA-jrrv-jm33-8jrv",
  "modified": "2022-05-24T19:12:10Z",
  "published": "2022-05-24T19:12:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22244"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1047140"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22244.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/299039"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRX5-RPF5-27W3

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21
VLAI
Details

An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-19T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person\u0027s GitHub account.",
  "id": "GHSA-jrx5-rpf5-27w3",
  "modified": "2022-05-24T17:21:12Z",
  "published": "2022-05-24T17:21:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20864"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.