CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-VMHF-WMJ5-JX54
Vulnerability from github – Published: 2025-04-17 12:30 – Updated: 2025-04-17 12:30The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.
{
"affected": [],
"aliases": [
"CVE-2025-3453"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T12:15:15Z",
"severity": "MODERATE"
},
"details": "The Password Protected \u2013 Password Protect your WordPress Site, Pages, \u0026 WooCommerce Products \u2013 Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the \u0027password_protected_cookie\u0027 function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the \u0027Use Transient\u0027 setting is enabled.",
"id": "GHSA-vmhf-wmj5-jx54",
"modified": "2025-04-17T12:30:33Z",
"published": "2025-04-17T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3453"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/password-protected/trunk/includes/compatibility.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3274358"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/241d75ca-55e3-461a-9844-52e69904da1b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMHQ-CQM9-6P7Q
Vulnerability from github – Published: 2026-03-13 20:54 – Updated: 2026-03-13 20:54Summary
An authorization mismatch in the gateway let an authenticated caller with only operator.write use browser.request to reach browser profile management routes that persist configuration to disk. In practice, this exposed an admin-only configuration write primitive through /profiles/create.
Impact
A write-scoped operator could create or modify browser profiles and store attacker-chosen remote CDP endpoints without holding operator.admin.
Affected versions
openclaw <= 2026.3.8
Patch
Fixed in openclaw 2026.3.11 and included in later releases such as 2026.3.12. Browser profile creation now requires the correct admin boundary, and regression tests cover the write-vs-admin authorization split.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.8"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:54:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nAn authorization mismatch in the gateway let an authenticated caller with only `operator.write` use `browser.request` to reach browser profile management routes that persist configuration to disk. In practice, this exposed an admin-only configuration write primitive through `/profiles/create`.\n\n### Impact\n\nA write-scoped operator could create or modify browser profiles and store attacker-chosen remote CDP endpoints without holding `operator.admin`.\n\n### Affected versions\n\n`openclaw` `\u003c= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Browser profile creation now requires the correct admin boundary, and regression tests cover the write-vs-admin authorization split.",
"id": "GHSA-vmhq-cqm9-6p7q",
"modified": "2026-03-13T20:54:25Z",
"published": "2026-03-13T20:54:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes"
}
GHSA-VMJJ-QR7V-PXM6
Vulnerability from github – Published: 2026-04-16 00:47 – Updated: 2026-04-24 20:54Summary
In EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses.
Details
In lib/Froxlor/Api/Commands/EmailSender.php at line 100, when a customer adds a full email address (not a @domain wildcard) as an allowed sender, the code splits on @ and takes index [0]:
// Line 96-106
if (substr($allowed_sender, 0, 1) != '@') {
if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) {
Response::standardError('emailiswrong', $allowed_sender, true);
}
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? ""); // BUG: [0] is the local part
} else {
if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) {
Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true);
}
self::validateLocalDomainOwnership(substr($allowed_sender, 1)); // CORRECT: passes domain
}
For input admin@domain-b.com, explode("@", "admin@domain-b.com") returns ["admin", "domain-b.com"]. Index [0] is "admin" — the local part, not the domain.
The validateLocalDomainOwnership() function (lines 346-355) then queries panel_domains for a domain matching "admin":
private static function validateLocalDomainOwnership(string $domain): void
{
$sel_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = :domain");
$domain_result = Database::pexecute_first($sel_stmt, ['domain' => $domain]);
if ($domain_result && $domain_result['customerid'] != CurrentUser::getField('customerid')) {
Response::standardError('senderdomainnotowned', $domain, true);
}
}
Since no domain named "admin" exists in panel_domains, $domain_result is false, and the function returns without error — the ownership check silently passes.
The inserted mail_sender_aliases row is then picked up by Postfix's sender_login_maps query (configured in mysql-virtual_sender_permissions.cf):
... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases
WHERE mail_sender_aliases.allowed_sender = '%s') ...
This query maps the allowed_sender back to the mail user, authorizing them to send as that address via SMTP.
PoC
# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,
# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)
# Step 1: As Customer A, add a sender alias claiming Customer B's domain
# Via API:
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.add",
"params": {
"emailaddr": "myaccount@domain-a.com",
"allowed_sender": "ceo@domain-b.com"
}
}'
# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK — alias is created because validateLocalDomainOwnership
# receives "ceo" (local part) instead of "domain-b.com" (domain)
# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.listing",
"params": {"emailaddr": "myaccount@domain-a.com"}
}'
# Step 3: Customer A can now send email as ceo@domain-b.com via SMTP
# because Postfix sender_login_maps will match the mail_sender_aliases entry
# and authorize Customer A's mail account to use that sender address.
The same attack works via the web UI by POST-ing to customer_email.php with action=add_sender and the target domain in allowed_domain.
Impact
Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:
- Cross-customer email spoofing: Send emails impersonating users on other customers' domains, bypassing Postfix's
smtpd_sender_login_mapsrestriction that is specifically designed to prevent this. - Multi-tenant isolation breach: The domain ownership check (
validateLocalDomainOwnership) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses. - Phishing and reputation damage: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.
Note: The wildcard (@domain) code path at line 105 is not affected — it correctly passes the domain to validateLocalDomainOwnership().
Recommended Fix
Change index [0] to [1] on line 100 of lib/Froxlor/Api/Commands/EmailSender.php:
// Before (line 100):
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");
// After:
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");
This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "froxlor/froxlor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41232"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T00:47:05Z",
"nvd_published_at": "2026-04-23T05:16:05Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nIn `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent \"domains,\" allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix\u0027s `sender_login_maps` then authorizes the attacker to send emails as those addresses.\n\n## Details\n\nIn `lib/Froxlor/Api/Commands/EmailSender.php` at line 100, when a customer adds a full email address (not a `@domain` wildcard) as an allowed sender, the code splits on `@` and takes index `[0]`:\n\n```php\n// Line 96-106\nif (substr($allowed_sender, 0, 1) != \u0027@\u0027) {\n if (!Validate::validateEmail($idna_convert-\u003eencode($allowed_sender))) {\n Response::standardError(\u0027emailiswrong\u0027, $allowed_sender, true);\n }\n self::validateLocalDomainOwnership(explode(\"@\", $allowed_sender)[0] ?? \"\"); // BUG: [0] is the local part\n} else {\n if (!Validate::validateDomain($idna_convert-\u003eencode(substr($allowed_sender, 1)))) {\n Response::standardError(\u0027wildcardemailiswrong\u0027, substr($allowed_sender, 1), true);\n }\n self::validateLocalDomainOwnership(substr($allowed_sender, 1)); // CORRECT: passes domain\n}\n```\n\nFor input `admin@domain-b.com`, `explode(\"@\", \"admin@domain-b.com\")` returns `[\"admin\", \"domain-b.com\"]`. Index `[0]` is `\"admin\"` \u2014 the local part, not the domain.\n\nThe `validateLocalDomainOwnership()` function (lines 346-355) then queries `panel_domains` for a domain matching `\"admin\"`:\n\n```php\nprivate static function validateLocalDomainOwnership(string $domain): void\n{\n $sel_stmt = Database::prepare(\"SELECT customerid FROM `\" . TABLE_PANEL_DOMAINS . \"` WHERE `domain` = :domain\");\n $domain_result = Database::pexecute_first($sel_stmt, [\u0027domain\u0027 =\u003e $domain]);\n if ($domain_result \u0026\u0026 $domain_result[\u0027customerid\u0027] != CurrentUser::getField(\u0027customerid\u0027)) {\n Response::standardError(\u0027senderdomainnotowned\u0027, $domain, true);\n }\n}\n```\n\nSince no domain named `\"admin\"` exists in `panel_domains`, `$domain_result` is false, and the function returns without error \u2014 the ownership check silently passes.\n\nThe inserted `mail_sender_aliases` row is then picked up by Postfix\u0027s `sender_login_maps` query (configured in `mysql-virtual_sender_permissions.cf`):\n\n```sql\n... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases\nWHERE mail_sender_aliases.allowed_sender = \u0027%s\u0027) ...\n```\n\nThis query maps the `allowed_sender` back to the mail user, authorizing them to send as that address via SMTP.\n\n## PoC\n\n```bash\n# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,\n# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)\n\n# Step 1: As Customer A, add a sender alias claiming Customer B\u0027s domain\n# Via API:\ncurl -X POST \u0027https://froxlor-host/api/v1/\u0027 \\\n -H \u0027Authorization: Basic \u003ccustomer-A-credentials\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\n \"command\": \"EmailSender.add\",\n \"params\": {\n \"emailaddr\": \"myaccount@domain-a.com\",\n \"allowed_sender\": \"ceo@domain-b.com\"\n }\n }\u0027\n\n# Expected: Error \"senderdomainnotowned\" because domain-b.com belongs to Customer B\n# Actual: 200 OK \u2014 alias is created because validateLocalDomainOwnership\n# receives \"ceo\" (local part) instead of \"domain-b.com\" (domain)\n\n# Step 2: Verify the alias was inserted\ncurl -X POST \u0027https://froxlor-host/api/v1/\u0027 \\\n -H \u0027Authorization: Basic \u003ccustomer-A-credentials\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\n \"command\": \"EmailSender.listing\",\n \"params\": {\"emailaddr\": \"myaccount@domain-a.com\"}\n }\u0027\n\n# Step 3: Customer A can now send email as ceo@domain-b.com via SMTP\n# because Postfix sender_login_maps will match the mail_sender_aliases entry\n# and authorize Customer A\u0027s mail account to use that sender address.\n```\n\nThe same attack works via the web UI by POST-ing to `customer_email.php` with `action=add_sender` and the target domain in `allowed_domain`.\n\n## Impact\n\nAny authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:\n\n- **Cross-customer email spoofing**: Send emails impersonating users on other customers\u0027 domains, bypassing Postfix\u0027s `smtpd_sender_login_maps` restriction that is specifically designed to prevent this.\n- **Multi-tenant isolation breach**: The domain ownership check (`validateLocalDomainOwnership`) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses.\n- **Phishing and reputation damage**: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.\n\nNote: The wildcard (`@domain`) code path at line 105 is **not** affected \u2014 it correctly passes the domain to `validateLocalDomainOwnership()`.\n\n## Recommended Fix\n\nChange index `[0]` to `[1]` on line 100 of `lib/Froxlor/Api/Commands/EmailSender.php`:\n\n```php\n// Before (line 100):\nself::validateLocalDomainOwnership(explode(\"@\", $allowed_sender)[0] ?? \"\");\n\n// After:\nself::validateLocalDomainOwnership(explode(\"@\", $allowed_sender)[1] ?? \"\");\n```\n\nThis ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.",
"id": "GHSA-vmjj-qr7v-pxm6",
"modified": "2026-04-24T20:54:28Z",
"published": "2026-04-16T00:47:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41232"
},
{
"type": "WEB",
"url": "https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a"
},
{
"type": "PACKAGE",
"url": "https://github.com/froxlor/froxlor"
},
{
"type": "WEB",
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing"
}
GHSA-VMQR-HRFR-7527
Vulnerability from github – Published: 2025-06-03 09:32 – Updated: 2025-10-22 00:33Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
{
"affected": [],
"aliases": [
"CVE-2025-21479"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T07:15:20Z",
"severity": "HIGH"
},
"details": "Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
"id": "GHSA-vmqr-hrfr-7527",
"modified": "2025-10-22T00:33:19Z",
"published": "2025-06-03T09:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21479"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21479"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMR3-53WM-GFWF
Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).
{
"affected": [],
"aliases": [
"CVE-2020-10120"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-17T15:15:00Z",
"severity": "HIGH"
},
"details": "cPanel before 84.0.20 allows resellers to achieve remote code execution as root via a cpsrvd rsync shell (SEC-545).",
"id": "GHSA-vmr3-53wm-gfwf",
"modified": "2022-05-24T17:11:43Z",
"published": "2022-05-24T17:11:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10120"
},
{
"type": "WEB",
"url": "https://documentation.cpanel.net/display/CL/84+Change+Log"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VMVW-PWWF-CC2W
Vulnerability from github – Published: 2026-03-21 03:31 – Updated: 2026-03-24 19:06Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vjp8-wprm-2jw9. This link is maintained to preserve external references.
Original Description
OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.2.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:06:41Z",
"nvd_published_at": "2026-03-21T01:17:10Z",
"severity": "LOW"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-vjp8-wprm-2jw9. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.",
"id": "GHSA-vmvw-pwwf-cc2w",
"modified": "2026-03-24T19:06:41Z",
"published": "2026-03-21T03:31:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vjp8-wprm-2jw9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32067"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/bce643a0bd145d3e9cb55400af33bd1b85baeb02"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-cross-account-authorization-bypass-in-dm-pairing-store"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access",
"withdrawn": "2026-03-24T19:06:41Z"
}
GHSA-VMW7-J325-RFFG
Vulnerability from github – Published: 2023-07-17 09:30 – Updated: 2024-04-04 06:09A hidden API exists in TapHome's core platform before version 2023.2 that allows an authenticated, low privileged user to change passwords of other users without any prior knowledge. The attacker may gain full access to the device by using this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-2759"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-17T07:15:08Z",
"severity": "HIGH"
},
"details": "A hidden API exists in TapHome\u0027s core platform before version 2023.2 that allows an authenticated, low privileged user to change passwords of other users without any prior knowledge. The attacker may gain full access to the device by using this vulnerability.",
"id": "GHSA-vmw7-j325-rffg",
"modified": "2024-04-04T06:09:29Z",
"published": "2023-07-17T09:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2759"
},
{
"type": "WEB",
"url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-2759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMWM-8RVF-246X
Vulnerability from github – Published: 2026-03-06 00:31 – Updated: 2026-03-06 00:31Unauthorized modification of settings due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
{
"affected": [],
"aliases": [
"CVE-2026-28720"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T00:16:12Z",
"severity": "MODERATE"
},
"details": "Unauthorized modification of settings due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.",
"id": "GHSA-vmwm-8rvf-246x",
"modified": "2026-03-06T00:31:35Z",
"published": "2026-03-06T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28720"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-8379"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VP3C-GMR6-8G2M
Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2023-08-08 15:31Inappropriate implementation in Service Worker API in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0305"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-12T02:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Service Worker API in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.",
"id": "GHSA-vp3c-gmr6-8g2m",
"modified": "2023-08-08T15:31:43Z",
"published": "2022-02-15T00:02:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0305"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop_19.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1282354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VP3R-HWQM-X826
Vulnerability from github – Published: 2026-06-28 03:33 – Updated: 2026-06-28 03:33RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.
{
"affected": [],
"aliases": [
"CVE-2026-58056"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-28T02:16:32Z",
"severity": "HIGH"
},
"details": "RustDesk gates incoming control messages on per-capability flags rather than on the session\u0027s authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.",
"id": "GHSA-vp3r-hwqm-x826",
"modified": "2026-06-28T03:33:40Z",
"published": "2026-06-28T03:33:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58056"
},
{
"type": "WEB",
"url": "https://github.com/bikini/exploitarium/tree/main/rustdesk-session-permission-pocs"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/rustdesk-filetransfer-session-authorization-scope-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.