CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5555 vulnerabilities reference this CWE, most recent first.
GHSA-RFR3-PCVJ-6F74
Vulnerability from github – Published: 2025-07-15 21:31 – Updated: 2025-07-15 21:31Vulnerability in the Oracle Database component of Oracle Database Server. Supported versions that are affected are 19.3-19.27 and 23.4-23.8. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Oracle Database. Successful attacks of this vulnerability can result in takeover of Oracle Database. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2025-30751"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-15T20:15:29Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Database component of Oracle Database Server. Supported versions that are affected are 19.3-19.27 and 23.4-23.8. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Oracle Database. Successful attacks of this vulnerability can result in takeover of Oracle Database. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"id": "GHSA-rfr3-pcvj-6f74",
"modified": "2025-07-15T21:31:40Z",
"published": "2025-07-15T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30751"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RFRW-V7JG-G724
Vulnerability from github – Published: 2024-04-30 15:30 – Updated: 2024-04-30 15:30A vulnerability exists in the web-authentication component of the SDM600. If exploited an attacker could escalate privileges on af-fected installations.
{
"affected": [],
"aliases": [
"CVE-2024-2378"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-30T13:15:47Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in the web-authentication component of the SDM600. If exploited an attacker could escalate privileges on af-fected installations.",
"id": "GHSA-rfrw-v7jg-g724",
"modified": "2024-04-30T15:30:37Z",
"published": "2024-04-30T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2378"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000191\u0026languageCode=en\u0026Preview=true"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RFVM-7WP6-HCHG
Vulnerability from github – Published: 2025-05-21 21:31 – Updated: 2025-05-21 21:31A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416.
In order to perform the attack, one has to know a task_id, but since it's a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced.
This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
{
"affected": [],
"aliases": [
"CVE-2025-1415"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T12:16:20Z",
"severity": "MODERATE"
},
"details": "A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416.\n\nIn order to perform the attack, one has to know a task_id, but since it\u0027s a low integer and there is no limit of requests an attacker can perform to a vulnerable endpoint, the task_id might be simply brute forced.\n\nThis issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).",
"id": "GHSA-rfvm-7wp6-hchg",
"modified": "2025-05-21T21:31:37Z",
"published": "2025-05-21T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1415"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415"
},
{
"type": "WEB",
"url": "https://proget.pl/en/mobile-device-management"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RFX7-8W68-Q57Q
Vulnerability from github – Published: 2026-03-20 20:34 – Updated: 2026-03-27 20:48Impact
What kind of vulnerability is it? Who is impacted?
An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store.
Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.
Patches
Has the problem been patched? What versions should users upgrade to?
This vulnerability is patched in the following versions:
- etcd 3.6.9
- etcd 3.5.28
- etcd 3.4.42
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.
- restrict network access to etcd server ports so only trusted components can connect
- require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution
Reporters
Our community helps keep etcd secure
SIG-Etcd thanks community members Luke Francis and Battulga Byambaa for reporting this vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.6.8"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0-alpha.0"
},
{
"fixed": "3.6.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.27"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0-alpha.0"
},
{
"fixed": "3.5.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.41"
},
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.etcd.io/etcd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33343"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:34:44Z",
"nvd_published_at": "2026-03-26T14:16:13Z",
"severity": "LOW"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAn authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. \n \nKubernetes does not rely on etcd\u2019s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThis vulnerability is patched in the following versions:\n\n* etcd 3.6.9\n* etcd 3.5.28\n* etcd 3.4.42\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nIf upgrading is not immediately possible, reduce exposure by treating the affected\nRPCs as unauthenticated in practice.\n\n* restrict network access to etcd server ports so only trusted components can connect\n* require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate\ndistribution\n\n### Reporters\n_Our community helps keep etcd secure_\n\nSIG-Etcd thanks community members Luke Francis and Battulga Byambaa for reporting this vulnerability.",
"id": "GHSA-rfx7-8w68-q57q",
"modified": "2026-03-27T20:48:19Z",
"published": "2026-03-20T20:34:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33343"
},
{
"type": "PACKAGE",
"url": "https://github.com/etcd-io/etcd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "etcd: Nested etcd transactions bypass RBAC authorization checks"
}
GHSA-RG27-87X2-99GW
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-07-15 00:00An improper access control vulnerability in genericssoservice prior to SMR JUN-2021 Release 1 allows local attackers to execute protected activity with system privilege via untrusted applications.
{
"affected": [],
"aliases": [
"CVE-2021-25412"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T15:15:00Z",
"severity": "HIGH"
},
"details": "An improper access control vulnerability in genericssoservice prior to SMR JUN-2021 Release 1 allows local attackers to execute protected activity with system privilege via untrusted applications.",
"id": "GHSA-rg27-87x2-99gw",
"modified": "2022-07-15T00:00:18Z",
"published": "2022-05-24T19:05:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25412"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG2H-CMXH-J3QW
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-23 15:31The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.
{
"affected": [],
"aliases": [
"CVE-2025-14866"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T13:15:47Z",
"severity": "HIGH"
},
"details": "The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the \u0027save_secondary_roles_field\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator.",
"id": "GHSA-rg2h-cmxh-j3qw",
"modified": "2026-01-23T15:31:34Z",
"published": "2026-01-23T15:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14866"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/additional-form-fields/class-user-profile.php#L103"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/ajax/class-admin-ajax.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3439348"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0509aaf1-8aae-42e5-84d3-ea9b431703f3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG3M-CFQ7-G6H6
Vulnerability from github – Published: 2026-05-26 23:44 – Updated: 2026-05-26 23:44Summary
An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script's permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplied code instead of the stored script's code. An unauthenticated attacker who knows a valid script ID and name may execute arbitrary code via test mode if at least one server-side script exists and is accessible without restrictive permissions.
Script IDs and names can be obtained through the unauthenticated information disclosure in GET /api/project (reported separately).
The only prerequisite is that at least one server-side script exists in the project.
Details
Authorization confused deputy in script execution
File: server/runtime/scripts/index.js, lines 86-103
The authorization check looks up the stored script by ID and validates the stored script's permission field:
this.isAuthorised = function (_script, permission) {
const st = scriptModule.getScript(_script); // finds stored script by _script.id
if (admin || (st && (!st.permission || st.permission & permission))) {
return true;
}
return false;
}
When a script has no permission field set (or permission: 0), the expression !st.permission evaluates to true, and the check passes for any caller including guests.
Guest auto-authentication in the middleware
File: server/api/jwt-helper.js, lines 46-72
The verifyToken middleware generates a valid guest JWT when no token is provided:
if (!token) {
token = getGuestToken();
}
The guest token passes verification. The request proceeds to the handler with userId: "guest". The isAuthorised check then finds the stored script and validates against its permission. Scripts without a permission field pass for any user including guests.
Test mode executes attacker-supplied code
File: server/runtime/scripts/msm.js
When test: true is set, runTestScript takes the attacker's code field from the request body, compiles it into a Node.js module via Module._compile, and executes it with full access to require, child_process, fs, and the entire Node.js runtime. The authorization checked the stored script's permission. The execution runs the attacker's code.
PoC
Requires an existing server-side script accessible without restrictive permissions.
Step 1: Retrieve script IDs from the unauthenticated project endpoint
curl -s http://192.168.32.129:1881/api/project | jq '.scripts[] | {id, name, permission}'
{
"id": "legit-001",
"name": "calculate",
}
{
"id": "s_42a888fa-8e3d4213",
"name": "subs",
}
Step 2: Execute whoami without authentication
Using the script ID and name from step 1:
curl -s -X POST http://192.168.32.129:1881/api/runscript \
-H "Content-Type: application/json" \
-d '{"params":{"script":{"id":"s_42a888fa-8e3d4213","name":"subs","test":true,"code":"return require(\"child_process\").execSync(\"whoami\").toString()","parameters":[],"sync":true}}}'
Impact
Any network-reachable attacker can achieve Remote Code Execution on the FUXA server without any credentials. The attacker needs a valid script ID and name (obtainable through the separately reported information disclosure) and one server-side script to exist in the project.
Potential impact includes arbitrary command execution on the host, access to configured device connections and credentials, and compromise of industrial control functionality managed by the FUXA instance.
This issue depends on the presence of an existing server-side script with no restrictive permissions configured. It does not affect configurations without server-side scripts or where script permissions prevent guest access.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fuxa-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.0"
]
}
],
"aliases": [
"CVE-2026-43947"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-26T23:44:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nAn unauthenticated Remote Code Execution vulnerability exists in FUXA when `secureEnabled` is set to `true`. The `POST /api/runscript` endpoint checks authorization against the stored script\u0027s permission by ID, but when `test: true` is set in the request, it compiles and executes attacker-supplied code instead of the stored script\u0027s code. An unauthenticated attacker who knows a valid script ID and name may execute arbitrary code via test mode if at least one server-side script exists and is accessible without restrictive permissions.\n\nScript IDs and names can be obtained through the unauthenticated information disclosure in `GET /api/project` (reported separately).\n\nThe only prerequisite is that at least one server-side script exists in the project.\n\n### Details\n\n**Authorization confused deputy in script execution**\n\nFile: `server/runtime/scripts/index.js`, lines 86-103\n\nThe authorization check looks up the stored script by ID and validates the stored script\u0027s `permission` field:\n\n```javascript\nthis.isAuthorised = function (_script, permission) {\n const st = scriptModule.getScript(_script); // finds stored script by _script.id\n if (admin || (st \u0026\u0026 (!st.permission || st.permission \u0026 permission))) {\n return true;\n }\n return false;\n}\n```\n\nWhen a script has no `permission` field set (or `permission: 0`), the expression `!st.permission` evaluates to `true`, and the check passes for any caller including guests.\n\n**Guest auto-authentication in the middleware**\n\nFile: `server/api/jwt-helper.js`, lines 46-72\n\nThe `verifyToken` middleware generates a valid guest JWT when no token is provided:\n\n```javascript\nif (!token) {\n token = getGuestToken();\n}\n```\n\nThe guest token passes verification. The request proceeds to the handler with `userId: \"guest\"`. The `isAuthorised` check then finds the stored script and validates against its permission. Scripts without a `permission` field pass for any user including guests.\n\n**Test mode executes attacker-supplied code**\n\nFile: `server/runtime/scripts/msm.js`\n\nWhen `test: true` is set, `runTestScript` takes the attacker\u0027s `code` field from the request body, compiles it into a Node.js module via `Module._compile`, and executes it with full access to `require`, `child_process`, `fs`, and the entire Node.js runtime. The authorization checked the stored script\u0027s permission. The execution runs the attacker\u0027s code.\n\n### PoC\n\nRequires an existing server-side script accessible without restrictive permissions.\n\n**Step 1: Retrieve script IDs from the unauthenticated project endpoint**\n\n```bash\ncurl -s http://192.168.32.129:1881/api/project | jq \u0027.scripts[] | {id, name, permission}\u0027\n```\n\n```json\n{\n \"id\": \"legit-001\",\n \"name\": \"calculate\",\n}\n{\n \"id\": \"s_42a888fa-8e3d4213\",\n \"name\": \"subs\",\n}\n```\n\n**Step 2: Execute `whoami` without authentication**\n\nUsing the script ID and name from step 1:\n\n```bash\ncurl -s -X POST http://192.168.32.129:1881/api/runscript \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"params\":{\"script\":{\"id\":\"s_42a888fa-8e3d4213\",\"name\":\"subs\",\"test\":true,\"code\":\"return require(\\\"child_process\\\").execSync(\\\"whoami\\\").toString()\",\"parameters\":[],\"sync\":true}}}\u0027\n```\n\n\n### Impact\n\nAny network-reachable attacker can achieve Remote Code Execution on the FUXA server without any credentials. The attacker needs a valid script ID and name (obtainable through the separately reported information disclosure) and one server-side script to exist in the project.\n\nPotential impact includes arbitrary command execution on the host, access to configured device connections and credentials, and compromise of industrial control functionality managed by the FUXA instance.\n\nThis issue depends on the presence of an existing server-side script with no restrictive permissions configured. It does not affect configurations without server-side scripts or where script permissions prevent guest access.",
"id": "GHSA-rg3m-cfq7-g6h6",
"modified": "2026-05-26T23:44:52Z",
"published": "2026-05-26T23:44:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-rg3m-cfq7-g6h6"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/pull/2260"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4"
},
{
"type": "PACKAGE",
"url": "https://github.com/frangoteam/FUXA"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass"
}
GHSA-RG52-XRWC-XM79
Vulnerability from github – Published: 2023-07-13 15:30 – Updated: 2024-04-04 06:07Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator's role.
{
"affected": [],
"aliases": [
"CVE-2023-31704"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T15:15:08Z",
"severity": "CRITICAL"
},
"details": "Sourcecodester Online Computer and Laptop Store 1.0 is vulnerable to Incorrect Access Control, which allows remote attackers to elevate privileges to the administrator\u0027s role.",
"id": "GHSA-rg52-xrwc-xm79",
"modified": "2024-04-04T06:07:21Z",
"published": "2023-07-13T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31704"
},
{
"type": "WEB",
"url": "https://github.com/d34dun1c02n/CVE-2023-31704"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG57-W2FR-7HGM
Vulnerability from github – Published: 2024-07-17 00:32 – Updated: 2024-07-17 00:32Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Work Definition Issues). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21149"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-16T23:15:16Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Work Definition Issues). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Asset Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-rg57-w2fr-7hgm",
"modified": "2024-07-17T00:32:55Z",
"published": "2024-07-17T00:32:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21149"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RG65-7HJC-5CW2
Vulnerability from github – Published: 2024-10-25 18:30 – Updated: 2024-10-29 21:30OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required.
{
"affected": [],
"aliases": [
"CVE-2022-30358"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-25T17:15:03Z",
"severity": "HIGH"
},
"details": "OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required.",
"id": "GHSA-rg65-7hjc-5cw2",
"modified": "2024-10-29T21:30:48Z",
"published": "2024-10-25T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30358"
},
{
"type": "WEB",
"url": "https://cve.offsecguy.com/ovaledge/vulnerabilities/account-takeover#cve-2022-30358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.