Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5548 vulnerabilities reference this CWE, most recent first.

GHSA-QFXW-V8QX-VJ3V

Vulnerability from github – Published: 2026-05-11 15:18 – Updated: 2026-06-08 23:48
VLAI
Summary
Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
Details

Summary

A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio.

Impact

Downlink user-plane traffic for the targeted UE is redirected to the attacker's radio.

Fix

UE context lookups are now scoped to the sending radio's SCTP association.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ellanetworks/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T15:18:47Z",
    "nvd_published_at": "2026-05-27T17:16:39Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE\u0027s AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE\u0027s logical NG-connection, then creates a GTP tunnel towards that radio.\n\n## Impact\n\nDownlink user-plane traffic for the targeted UE is redirected to the attacker\u0027s radio.\n\n## Fix\n\nUE context lookups are now scoped to the sending radio\u0027s SCTP association.",
  "id": "GHSA-qfxw-v8qx-vj3v",
  "modified": "2026-06-08T23:48:51Z",
  "published": "2026-05-11T15:18:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-qfxw-v8qx-vj3v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44473"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ellanetworks/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse"
}

GHSA-QG4C-F5H3-4H6Q

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28
VLAI
Details

An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow local attackers on the OBR host to execute code with escalated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-22T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow local attackers on the OBR host to execute code with escalated privileges.",
  "id": "GHSA-qg4c-f5h3-4h6q",
  "modified": "2022-05-24T17:28:52Z",
  "published": "2022-05-24T17:28:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11855"
    },
    {
      "type": "WEB",
      "url": "https://softwaresupport.softwaregrp.com/doc/KM03710590"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1217"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QGP3-3RJ7-QQQ4

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-04 21:58
VLAI
Summary
Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rvvf-6vh3-9j43. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:58:42Z",
    "nvd_published_at": "2026-04-23T22:16:41Z",
    "severity": "LOW"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rvvf-6vh3-9j43. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.",
  "id": "GHSA-qgp3-3rj7-qqq4",
  "modified": "2026-05-04T21:58:42Z",
  "published": "2026-04-24T00:31:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist",
  "withdrawn": "2026-05-04T21:58:42Z"
}

GHSA-QGRQ-CX4C-2RMM

Vulnerability from github – Published: 2022-02-15 01:39 – Updated: 2022-06-24 01:24
VLAI
Summary
Incorrect Authorization in WildFly Elytron
Details

A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.wildfly.security:wildfly-elytron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T01:24:56Z",
    "nvd_published_at": "2020-09-16T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.",
  "id": "GHSA-qgrq-cx4c-2rmm",
  "modified": "2022-06-24T01:24:56Z",
  "published": "2022-02-15T01:39:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1748"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807707"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20201001-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in WildFly Elytron"
}

GHSA-QGX9-6PX9-7P75

Vulnerability from github – Published: 2026-04-23 18:33 – Updated: 2026-05-04 21:04
VLAI
Summary
Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-v8qf-fr4g-28p2. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:04:44Z",
    "nvd_published_at": "2026-04-23T18:16:29Z",
    "severity": "LOW"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-v8qf-fr4g-28p2. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.",
  "id": "GHSA-qgx9-6px9-7p75",
  "modified": "2026-05-04T21:04:44Z",
  "published": "2026-04-23T18:33:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization",
  "withdrawn": "2026-05-04T21:04:44Z"
}

GHSA-QH6Q-598W-W6M2

Vulnerability from github – Published: 2026-03-09 17:24 – Updated: 2026-03-10 18:43
VLAI
Summary
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange
Details

Summary

The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse.

Details

backend/internal/service/oidc_service.go:407

if authorizationCodeMetaData.ClientID != input.ClientID && authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {
    return CreatedTokens{}, &common.OidcInvalidAuthorizationCodeError{}
}

&& should be ||. Current behavior:

Condition Expected Actual
Wrong client + valid code Reject Accept
Correct client + expired code Reject Accept

PoC

Prerequisite: pocket-id running with APP_ENV=test and BUILD_TAGS=e2etest. The test user (Tim Cook) must have authorized both Nextcloud and Immich OIDC clients (i.e., user_authorized_oidc_clients records exist for both). The seed data includes an authorization code auth-code issued for the Nextcloud client.

# 1. Seed test data
curl -X POST "http://localhost:1411/api/test/reset?skip-ldap=true"

# 2. Exchange Nextcloud's auth code using Immich's credentials
curl -X POST http://localhost:1411/api/oidc/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=auth-code" \
  -d "client_id=606c7782-f2b1-49e5-8ea9-26eb1b06d018" \
  -d "client_secret=PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x" \
  -d "redirect_uri=http://immich/auth/callback"
# Expected: 400 (wrong client)
# Actual: 200 with tokens — access_token.aud = Immich client ID

Verified result: HTTP 200 with tokens. The access_token audience is 606c7782-... (Immich), despite the authorization code being issued for 3654a746-... (Nextcloud).

Impact

Any OIDC client operator can exchange authorization codes issued for other clients, obtaining tokens for users who never authorized that client. Expired authorization codes can also be reused with the correct client until the 24-hour cleanup job runs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pocket-id/pocket-id/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260307173642-b59e35cb59ae"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T17:24:49Z",
    "nvd_published_at": "2026-03-10T17:38:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe OIDC token endpoint rejects an authorization code only when **both** the client ID is wrong **and** the code is expired. This allows cross-client code exchange and expired code reuse.\n\n### Details\n\n`backend/internal/service/oidc_service.go:407`\n\n```go\nif authorizationCodeMetaData.ClientID != input.ClientID \u0026\u0026 authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {\n    return CreatedTokens{}, \u0026common.OidcInvalidAuthorizationCodeError{}\n}\n```\n\n`\u0026\u0026` should be `||`. Current behavior:\n\n| Condition | Expected | Actual |\n|-----------|----------|--------|\n| Wrong client + valid code | Reject | **Accept** |\n| Correct client + expired code | Reject | **Accept** |\n\n### PoC\n\n**Prerequisite:** pocket-id running with `APP_ENV=test` and `BUILD_TAGS=e2etest`. The test user (Tim Cook) must have authorized both Nextcloud and Immich OIDC clients (i.e., `user_authorized_oidc_clients` records exist for both). The seed data includes an authorization code `auth-code` issued for the Nextcloud client.\n\n```bash\n# 1. Seed test data\ncurl -X POST \"http://localhost:1411/api/test/reset?skip-ldap=true\"\n\n# 2. Exchange Nextcloud\u0027s auth code using Immich\u0027s credentials\ncurl -X POST http://localhost:1411/api/oidc/token \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"grant_type=authorization_code\" \\\n  -d \"code=auth-code\" \\\n  -d \"client_id=606c7782-f2b1-49e5-8ea9-26eb1b06d018\" \\\n  -d \"client_secret=PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x\" \\\n  -d \"redirect_uri=http://immich/auth/callback\"\n# Expected: 400 (wrong client)\n# Actual: 200 with tokens \u2014 access_token.aud = Immich client ID\n```\n\n**Verified result:** HTTP 200 with tokens. The `access_token` audience is `606c7782-...` (Immich), despite the authorization code being issued for `3654a746-...` (Nextcloud).\n\n### Impact\n\nAny OIDC client operator can exchange authorization codes issued for other clients, obtaining tokens for users who never authorized that client. Expired authorization codes can also be reused with the correct client until the 24-hour cleanup job runs.",
  "id": "GHSA-qh6q-598w-w6m2",
  "modified": "2026-03-10T18:43:07Z",
  "published": "2026-03-09T17:24:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pocket-id/pocket-id"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange"
}

GHSA-QH7G-57WW-6FQ4

Vulnerability from github – Published: 2024-10-24 18:30 – Updated: 2024-10-24 18:30
VLAI
Details

A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-24T18:15:05Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Gateway. Sending a non-base64 \u0027basic\u0027 auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.",
  "id": "GHSA-qh7g-57ww-6fq4",
  "modified": "2024-10-24T18:30:44Z",
  "published": "2024-10-24T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10295"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-10295"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321258"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHFJ-5GCR-FPXQ

Vulnerability from github – Published: 2026-07-17 03:31 – Updated: 2026-07-17 03:31
VLAI
Details

OpenClaw versions 2026.6.1 before 2026.6.9 contain a privilege escalation vulnerability in isolated cron jobs that allows lower-trust callers to regain denied execution tools. Attackers can execute or persist actions beyond their intended authorization by leveraging misconfigured input paths in the affected cron feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-62202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-17T02:18:06Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw versions 2026.6.1 before 2026.6.9 contain a privilege escalation vulnerability in isolated cron jobs that allows lower-trust callers to regain denied execution tools. Attackers can execute or persist actions beyond their intended authorization by leveraging misconfigured input paths in the affected cron feature.",
  "id": "GHSA-qhfj-5gcr-fpxq",
  "modified": "2026-07-17T03:31:20Z",
  "published": "2026-07-17T03:31:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mm9g-83wh-mhwj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62202"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-cron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QHHH-GXXV-PG3H

Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:37
VLAI
Details

The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page making it possible for unauthenticated attackers to brute force credentials on sites in versions up to, and including, 1.5.4.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T02:15:11Z",
    "severity": "HIGH"
  },
  "details": "The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page making it possible for unauthenticated attackers to brute force credentials on sites in versions up to, and including, 1.5.4.2.",
  "id": "GHSA-qhhh-gxxv-pg3h",
  "modified": "2024-04-04T04:37:29Z",
  "published": "2023-06-07T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36710"
    },
    {
      "type": "WEB",
      "url": "https://blog.nintechnet.com/wordpress-wps-hide-login-fixed-security-issue"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7808329f-1688-480c-a83c-c4ab2fa86da6?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHMH-X535-R77M

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44
VLAI
Details

Because of insufficient authorization checks it is possible for any authenticated user to change profile data of other users in Pleasant Password Server before 7.8.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Because of insufficient authorization checks it is possible for any authenticated user to change profile data of other users in Pleasant Password Server before 7.8.3.",
  "id": "GHSA-qhmh-x535-r77m",
  "modified": "2022-05-13T01:44:27Z",
  "published": "2022-05-13T01:44:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17708"
    },
    {
      "type": "WEB",
      "url": "https://www.profundis-labs.com/advisories/CVE-2017-17708.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.