CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5505 vulnerabilities reference this CWE, most recent first.
GHSA-JQF5-5C3V-WJ97
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
{
"affected": [],
"aliases": [
"CVE-2020-13303"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-15T13:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.",
"id": "GHSA-jqf5-5c3v-wj97",
"modified": "2022-05-24T17:28:16Z",
"published": "2022-05-24T17:28:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13303"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/962231"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13303.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/238887"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQPF-VJ28-9V7R
Vulnerability from github – Published: 2026-03-19 03:30 – Updated: 2026-03-20 13:55Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-gw85-xp4q-5gp9. This link is maintained to preserve external references.
Original Description
OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "2026.2.22"
},
{
"last_affected": "2026.2.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T13:55:52Z",
"nvd_published_at": "2026-03-19T02:16:05Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-gw85-xp4q-5gp9. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.",
"id": "GHSA-jqpf-vj28-9v7r",
"modified": "2026-03-20T13:55:52Z",
"published": "2026-03-19T03:30:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31998"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7655c0cb3a47d0647cbbf5284e177f90b4b82ddb"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-synology-chat-plugin-via-empty-alloweduserids"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch",
"withdrawn": "2026-03-20T13:55:52Z"
}
GHSA-JQQW-X8W5-V4HH
Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-05-22 15:34An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
{
"affected": [],
"aliases": [
"CVE-2025-1110"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T14:16:02Z",
"severity": "LOW"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.",
"id": "GHSA-jqqw-x8w5-v4hh",
"modified": "2025-05-22T15:34:50Z",
"published": "2025-05-22T15:34:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1110"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2972576"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/517693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQXP-VJX4-H9PV
Vulnerability from github – Published: 2022-12-08 18:30 – Updated: 2022-12-12 18:30Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.
{
"affected": [],
"aliases": [
"CVE-2022-39903"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-08T16:15:00Z",
"severity": "LOW"
},
"details": "Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.",
"id": "GHSA-jqxp-vjx4-h9pv",
"modified": "2022-12-12T18:30:29Z",
"published": "2022-12-08T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39903"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JR5R-25MV-WFHM
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].
{
"affected": [],
"aliases": [
"CVE-2022-34046"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T17:15:00Z",
"severity": "HIGH"
},
"details": "An access control issue in Wavlink WN533A8 M33A8.V5030.190716 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/sysinit.shtml?r=52300 and searching for [logincheck(user);].",
"id": "GHSA-jr5r-25mv-wfhm",
"modified": "2022-07-28T00:00:41Z",
"published": "2022-07-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34046"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/18ECQEqZ296LDzZ0wErgqnNfen1jCn0mG/view?usp=sharing"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167890/Wavlink-WN533A8-Password-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JR83-M233-GG6P
Vulnerability from github – Published: 2024-03-04 20:45 – Updated: 2024-03-06 21:37Impact
What kind of vulnerability is it? Who is impacted?
Access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem is patched with Version 2.4.17 and 2.5.13.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Remove following lines from vendor/symfony/security-http/HttpUtils.php:
- // Shortcut if request has already been matched before
- if ($request->attributes->has('_route')) {
- return $path === $request->attributes->get('_route');
- }
Or do not install symfony/security-http versions greater equal than v5.4.30 or v6.3.6.
References
Are there any links users can visit to find out more?
Currently no references.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sulu/sulu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.4.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sulu/sulu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0-alpha1"
},
{
"fixed": "2.5.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27915"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-04T20:45:08Z",
"nvd_published_at": "2024-03-06T20:15:47Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nAccess to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue.\n\n### Patches\n\nHas the problem been patched? What versions should users upgrade to?\n\nThe problem is patched with Version `2.4.17` and `2.5.13`.\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nRemove following lines from `vendor/symfony/security-http/HttpUtils.php`:\n\n```\n- // Shortcut if request has already been matched before\n- if ($request-\u003eattributes-\u003ehas(\u0027_route\u0027)) {\n- return $path === $request-\u003eattributes-\u003eget(\u0027_route\u0027);\n - }\n```\n\nOr do not install `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\nCurrently no references.\n",
"id": "GHSA-jr83-m233-gg6p",
"modified": "2024-03-06T21:37:49Z",
"published": "2024-03-04T20:45:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27915"
},
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da"
},
{
"type": "PACKAGE",
"url": "https://github.com/sulu/sulu"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sulu grants access to pages regardless of role permissions"
}
GHSA-JR8X-R7FP-7RP4
Vulnerability from github – Published: 2024-10-19 00:31 – Updated: 2024-10-19 00:31Ivanti DSM < version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector.
{
"affected": [],
"aliases": [
"CVE-2024-29213"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-18T23:15:03Z",
"severity": "HIGH"
},
"details": "Ivanti DSM \u003c version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector.",
"id": "GHSA-jr8x-r7fp-7rp4",
"modified": "2024-10-19T00:31:54Z",
"published": "2024-10-19T00:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29213"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/SA-2024-07-12-CVE-2024-29213"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JRC5-W569-H7H5
Vulnerability from github – Published: 2026-05-06 20:37 – Updated: 2026-06-09 00:01Summary
A review of phpMyFAQ-main uncovered an authorization issue in the admin-api routes.
Several backend endpoints only check whether the caller is logged in. They do not verify that the caller actually has backend or administrative privileges. As a result, a normal frontend user can access API endpoints that are clearly intended for administrative use.
During local reproduction, a regular user account was able to request /admin/api/index.php/dashboard/versions and receive a successful response from the backend management API.
This issue does not appear to give direct write access in the affected paths that were confirmed, so it should be treated as a backend information disclosure and privilege boundary failure rather than full admin compromise.
Details
The access control split is visible in the controller base class:
public function userIsAuthenticated(): void
{
if (!$this->currentUser->isLoggedIn()) {
throw new UnauthorizedHttpException('Unauthorized access.');
}
}
protected function userHasPermission(PermissionType $permissionType): void
{
// permission-based check
}
The problem is that several Administration\Api controllers use the weaker check even though the routes sit under the backend API namespace.
For example, phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/DashboardController.php exposes:
#[Route(path: 'dashboard/versions', name: 'admin.api.dashboard.versions', methods: ['GET'])]
public function versions(): JsonResponse
{
$this->userIsAuthenticated();
...
}
The same pattern appears in other backend-facing controllers, including:
LdapControllerElasticsearchControllerOpenSearchControllerUpdateController
That matters because these endpoints are not part of the normal frontend feature set. They expose backend operational data such as version checks, upgrade state, LDAP configuration, health checks, and search backend status.
Three examples that stand out from an impact perspective are:
GET /admin/api/index.php/ldap/configuration
This can expose LDAP server configuration, mapping settings, group settings, and general authentication-related options. Even with secrets masked, this is still useful internal infrastructure information.
GET /admin/api/index.php/elasticsearch/statistics
If Elasticsearch is enabled, this can expose index names and search backend statistics that should normally stay in the admin area.
GET /admin/api/index.php/health-check
This is part of the update and maintenance workflow and can reveal operational state that ordinary users should not be able to inspect.
In other words, the issue is not that guests can reach the backend. The issue is that any ordinary authenticated user can cross the frontend/backend privilege boundary.
PoC
I reproduced this against a local Docker deployment of the project.
First, an unauthenticated request to the backend API is rejected:
GET /admin/api/index.php/dashboard/versions HTTP/1.1
Host: 127.0.0.1
Accept: application/json
Response:
HTTP/1.0 401 Unauthorized
Content-Type: application/problem+json
{
"type": "http://127.0.0.1/problems/unauthorized",
"title": "Unauthorized",
"status": 401,
"detail": "Unauthorized access.",
"instance": "/dashboard/versions"
}
Logged in with a normal frontend account:
- username:
user1 - password:
User12345!
After login, the same request was sent with the user session cookie:
GET /admin/api/index.php/dashboard/versions HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=<regular-user-session>
Accept: application/json
Response:
HTTP/1.0 200 OK
Content-Type: application/json
{"success":"Latest version available: phpMyFAQ 4.1.1"}
That is enough to show that a non-admin account can call at least one backend management endpoint successfully.
Impact
The main impact is unauthorized access to backend-only operational information.
Depending on which optional features are enabled in a real deployment, this may let a normal user learn:
- upgrade and version status
- maintenance or health-check information
- LDAP environment details
- Elasticsearch or OpenSearch backend status and statistics
- internal administrative diagnostics
This was rated as Medium severity.
It was not categorized as High severity because the testing done did not confirm a direct administrative state change through the affected read-oriented endpoints. Still, this is a real privilege separation failure. A frontend account should not be able to query backend admin APIs simply because it has a valid session.
Remediation
The suggested approach should fix this in two layers.
- Replace
userIsAuthenticated()with explicit permission checks on backend endpoints that are intended for administrators only. - Review all
Administration\Apicontrollers for similar cases and make the access model consistent. - Keep backend operational endpoints separated from ordinary user sessions unless there is a strong business reason to expose them.
- Add regression tests that log in as a low-privileged user and verify that backend routes return
403or401where appropriate.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.1"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.1.1"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyfaq/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.1"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.1.1"
]
}
],
"aliases": [
"CVE-2026-45009"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T20:37:42Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA review of `phpMyFAQ-main` uncovered an authorization issue in the `admin-api` routes.\n\nSeveral backend endpoints only check whether the caller is logged in. They do not verify that the caller actually has backend or administrative privileges. As a result, a normal frontend user can access API endpoints that are clearly intended for administrative use.\n\nDuring local reproduction, a regular user account was able to request `/admin/api/index.php/dashboard/versions` and receive a successful response from the backend management API.\n\nThis issue does not appear to give direct write access in the affected paths that were confirmed, so it should be treated as a backend information disclosure and privilege boundary failure rather than full admin compromise.\n\n### Details\n\nThe access control split is visible in the controller base class:\n\n```php\npublic function userIsAuthenticated(): void\n{\n if (!$this-\u003ecurrentUser-\u003eisLoggedIn()) {\n throw new UnauthorizedHttpException(\u0027Unauthorized access.\u0027);\n }\n}\n\nprotected function userHasPermission(PermissionType $permissionType): void\n{\n // permission-based check\n}\n```\n\nThe problem is that several `Administration\\Api` controllers use the weaker check even though the routes sit under the backend API namespace.\n\nFor example, `phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/DashboardController.php` exposes:\n\n```php\n#[Route(path: \u0027dashboard/versions\u0027, name: \u0027admin.api.dashboard.versions\u0027, methods: [\u0027GET\u0027])]\npublic function versions(): JsonResponse\n{\n $this-\u003euserIsAuthenticated();\n ...\n}\n```\n\nThe same pattern appears in other backend-facing controllers, including:\n\n- `LdapController`\n- `ElasticsearchController`\n- `OpenSearchController`\n- `UpdateController`\n\nThat matters because these endpoints are not part of the normal frontend feature set. They expose backend operational data such as version checks, upgrade state, LDAP configuration, health checks, and search backend status.\n\nThree examples that stand out from an impact perspective are:\n\n1. `GET /admin/api/index.php/ldap/configuration`\n\n This can expose LDAP server configuration, mapping settings, group settings, and general authentication-related options. Even with secrets masked, this is still useful internal infrastructure information.\n\n2. `GET /admin/api/index.php/elasticsearch/statistics`\n\n If Elasticsearch is enabled, this can expose index names and search backend statistics that should normally stay in the admin area.\n\n3. `GET /admin/api/index.php/health-check`\n\n This is part of the update and maintenance workflow and can reveal operational state that ordinary users should not be able to inspect.\n\nIn other words, the issue is not that guests can reach the backend. The issue is that any ordinary authenticated user can cross the frontend/backend privilege boundary.\n\n### PoC\n\nI reproduced this against a local Docker deployment of the project.\n\nFirst, an unauthenticated request to the backend API is rejected:\n\n```http\nGET /admin/api/index.php/dashboard/versions HTTP/1.1\nHost: 127.0.0.1\nAccept: application/json\n```\n\nResponse:\n\n```http\nHTTP/1.0 401 Unauthorized\nContent-Type: application/problem+json\n\n{\n \"type\": \"http://127.0.0.1/problems/unauthorized\",\n \"title\": \"Unauthorized\",\n \"status\": 401,\n \"detail\": \"Unauthorized access.\",\n \"instance\": \"/dashboard/versions\"\n}\n```\n\nLogged in with a normal frontend account:\n\n- username: `user1`\n- password: `User12345!`\n\nAfter login, the same request was sent with the user session cookie:\n\n```http\nGET /admin/api/index.php/dashboard/versions HTTP/1.1\nHost: 127.0.0.1\nCookie: PHPSESSID=\u003cregular-user-session\u003e\nAccept: application/json\n```\n\nResponse:\n\n```http\nHTTP/1.0 200 OK\nContent-Type: application/json\n\n{\"success\":\"Latest version available: phpMyFAQ 4.1.1\"}\n```\n\nThat is enough to show that a non-admin account can call at least one backend management endpoint successfully.\n\n### Impact\n\nThe main impact is unauthorized access to backend-only operational information.\n\nDepending on which optional features are enabled in a real deployment, this may let a normal user learn:\n\n- upgrade and version status\n- maintenance or health-check information\n- LDAP environment details\n- Elasticsearch or OpenSearch backend status and statistics\n- internal administrative diagnostics\n\nThis was rated as **Medium** severity.\n\nIt was not categorized as **High** severity because the testing done did not confirm a direct administrative state change through the affected read-oriented endpoints. Still, this is a real privilege separation failure. A frontend account should not be able to query backend admin APIs simply because it has a valid session.\n\n### Remediation\n\nThe suggested approach should fix this in two layers.\n\n1. Replace `userIsAuthenticated()` with explicit permission checks on backend endpoints that are intended for administrators only.\n2. Review all `Administration\\Api` controllers for similar cases and make the access model consistent.\n3. Keep backend operational endpoints separated from ordinary user sessions unless there is a strong business reason to expose them.\n4. Add regression tests that log in as a low-privileged user and verify that backend routes return `403` or `401` where appropriate.",
"id": "GHSA-jrc5-w569-h7h5",
"modified": "2026-06-09T00:01:48Z",
"published": "2026-05-06T20:37:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jrc5-w569-h7h5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45009"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/phpmyfaq-insufficient-authorization-check-in-admin-api-endpoints"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ"
}
GHSA-JRRV-JM33-8JRV
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data
{
"affected": [],
"aliases": [
"CVE-2021-22244"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-25T19:15:00Z",
"severity": "MODERATE"
},
"details": "Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data",
"id": "GHSA-jrrv-jm33-8jrv",
"modified": "2022-05-24T19:12:10Z",
"published": "2022-05-24T19:12:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22244"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1047140"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22244.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/299039"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JRX5-RPF5-27W3
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account.
{
"affected": [],
"aliases": [
"CVE-2019-20864"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-19T15:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person\u0027s GitHub account.",
"id": "GHSA-jrx5-rpf5-27w3",
"modified": "2022-05-24T17:21:12Z",
"published": "2022-05-24T17:21:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20864"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.