Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5504 vulnerabilities reference this CWE, most recent first.

GHSA-XRQ9-JM7V-G9H7

Vulnerability from github – Published: 2026-04-25 23:49 – Updated: 2026-04-25 23:49
VLAI
Summary
OpenClaw: Paired-device pairing actions were not limited to the caller device
Details

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.

This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.

Fix

Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.

Fix commit:

  • 5a12f30441d5b0b151f550daa2c5c9e8db61e2e6

Release

Fixed in OpenClaw 2026.4.20.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:49:00Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nA paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.\n\nThis is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.\n\n## Fix\n\nPairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.\n\nFix commit:\n\n- `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
  "id": "GHSA-xrq9-jm7v-g9h7",
  "modified": "2026-04-25T23:49:00Z",
  "published": "2026-04-25T23:49:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Paired-device pairing actions were not limited to the caller device"
}

GHSA-XRRV-GJCC-H93V

Vulnerability from github – Published: 2022-12-01 15:30 – Updated: 2022-12-05 21:30
VLAI
Details

Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-01T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.",
  "id": "GHSA-xrrv-gjcc-h93v",
  "modified": "2022-12-05T21:30:42Z",
  "published": "2022-12-01T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37017"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRVG-VG5W-7CH7

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44
VLAI
Details

Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-20T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.",
  "id": "GHSA-xrvg-vg5w-7ch7",
  "modified": "2022-05-13T01:44:27Z",
  "published": "2022-05-13T01:44:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17668"
    },
    {
      "type": "WEB",
      "url": "https://www.ncr.com/sites/default/files/ncr_security_alert_-_2018-04_v3.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XV24-HXH9-2HH9

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-07-02 18:50
VLAI
Summary
OpenStack Neutron has an Incorrect Authorization issue
Details

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "neutron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "28.0.0"
            },
            {
              "fixed": "28.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "neutron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "27.0.0"
            },
            {
              "fixed": "27.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "neutron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.0.0"
            },
            {
              "fixed": "26.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T18:50:58Z",
    "nvd_published_at": "2026-05-28T22:17:02Z",
    "severity": "MODERATE"
  },
  "details": "In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.",
  "id": "GHSA-xv24-hxh9-2hh9",
  "modified": "2026-07-02T18:50:58Z",
  "published": "2026-05-29T00:38:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49299"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/bugs/2150132"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/neutron"
    },
    {
      "type": "WEB",
      "url": "https://review.opendev.org/c/openstack/neutron/+/989099"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/28/8"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/02/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Neutron has an Incorrect Authorization issue"
}

GHSA-XV46-HHWP-VF34

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-17T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: \u003e=13.4, \u003c13.4.5,\u003e=13.3, \u003c13.3.9,\u003e=13.5, \u003c13.5.2.",
  "id": "GHSA-xv46-hhwp-vf34",
  "modified": "2022-05-24T17:34:24Z",
  "published": "2022-05-24T17:34:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13358"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XV59-3GPF-C92H

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:14
VLAI
Details

There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker could do a certain operation on certain step of setup wizard. Successful exploit could allow the attacker bypass the FRP protection. Affected products: Mate 20 X, versions earlier than Ever-AL00B 9.0.0.200(C00E200R2P1); Mate 20, versions earlier than Hima-AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1); Honor Magic 2, versions earlier than Tony-AL00B/Tony-TL00B 9.0.0.182(C00E180R2P2).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-10T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker could do a certain operation on certain step of setup wizard. Successful exploit could allow the attacker bypass the FRP protection. Affected products: Mate 20 X, versions earlier than Ever-AL00B 9.0.0.200(C00E200R2P1); Mate 20, versions earlier than Hima-AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1); Honor Magic 2, versions earlier than Tony-AL00B/Tony-TL00B 9.0.0.182(C00E180R2P2).",
  "id": "GHSA-xv59-3gpf-c92h",
  "modified": "2024-04-04T01:14:39Z",
  "published": "2022-05-24T16:50:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5220"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190626-01-frp-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XV7J-WG82-2R7G

Vulnerability from github – Published: 2024-06-26 06:30 – Updated: 2024-10-29 00:31
VLAI
Details

The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-26T06:15:16Z",
    "severity": "MODERATE"
  },
  "details": "The Bookster  WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.",
  "id": "GHSA-xv7j-wg82-2r7g",
  "modified": "2024-10-29T00:31:14Z",
  "published": "2024-06-26T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5071"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/07b293cf-5174-45de-8606-a782a96a35b3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XV97-C62V-4587

Vulnerability from github – Published: 2022-08-02 18:00 – Updated: 2022-08-11 22:13
VLAI
Summary
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
Details

Impact

next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.

If an attacker could forge a request that sent a comma-separated list of emails (eg.: attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

Patches

We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)

To upgrade, run one of the following:

npm i next-auth@latest
yarn add next-auth@latest
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:

// pages/api/auth/[...nextauth].ts

function normalize(identifier) {
  // Get the first two elements only,
  // separated by `@` from user input.
  let [local, domain] = identifier.toLowerCase().trim().split("@")
  // The part before "@" can contain a ","
  // but we remove it on the domain part
  domain = domain.split(",")[0]
  return `${local}@${domain}`
}

export default async function handler(req, res) {
  if (req.body.email) req.body.email = normalize(req.body.email)
  return await NextAuth(req, res, {/* your options */ })
}

References

  • EmailProvider: https://next-auth.js.org/providers/email
  • Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address
  • Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part
  • signIn callback: https://next-auth.js.org/configuration/callbacks#sign-in-callback
  • Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization
  • nodemailer address: https://nodemailer.com/message/addresses

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.

Acknowledgments

We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.29.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-35924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-02T18:00:33Z",
    "nvd_published_at": "2022-08-02T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n`next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected.\n\nIf an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim\u0027s e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith(\"@victim.com\")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address.\n\n### Patches\nWe patched this vulnerability in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)\n\nTo upgrade, run one of the following:\n```sh\nnpm i next-auth@latest\n```\n```sh\nyarn add next-auth@latest\n```\n```sh\npnpm add next-auth@latest\n```\n\n(This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended. v3 is unmaintained.)\n\n### Workarounds\nIf for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:\n```ts\n// pages/api/auth/[...nextauth].ts\n\nfunction normalize(identifier) {\n  // Get the first two elements only,\n  // separated by `@` from user input.\n  let [local, domain] = identifier.toLowerCase().trim().split(\"@\")\n  // The part before \"@\" can contain a \",\"\n  // but we remove it on the domain part\n  domain = domain.split(\",\")[0]\n  return `${local}@${domain}`\n}\n\nexport default async function handler(req, res) {\n  if (req.body.email) req.body.email = normalize(req.body.email)\n  return await NextAuth(req, res, {/* your options */ })\n}\n```\n\n### References\n- EmailProvider: https://next-auth.js.org/providers/email\n- Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address\n- Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part\n- `signIn` callback: https://next-auth.js.org/configuration/callbacks#sign-in-callback\n- Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization\n- `nodemailer` address: https://nodemailer.com/message/addresses\n\n### For more information\n\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n### Timeline\n\nThe issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.\n\n### Acknowledgments\n\nWe would like to thank [Socket](https://socket.dev) for disclosing this vulnerability in a responsible manner and following up until it got published.",
  "id": "GHSA-xv97-c62v-4587",
  "modified": "2022-08-11T22:13:10Z",
  "published": "2022-08-02T18:00:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35924"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"
    },
    {
      "type": "WEB",
      "url": "https://en.wikipedia.org/wiki/Email_address#Local-part"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nextauthjs/next-auth"
    },
    {
      "type": "WEB",
      "url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback"
    },
    {
      "type": "WEB",
      "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
    },
    {
      "type": "WEB",
      "url": "https://next-auth.js.org/providers/email"
    },
    {
      "type": "WEB",
      "url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"
    },
    {
      "type": "WEB",
      "url": "https://next-auth.js.org/providers/email#normalizing-the-email-address"
    },
    {
      "type": "WEB",
      "url": "https://nodemailer.com/message/addresses"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails"
}

GHSA-XVC2-6386-99X8

Vulnerability from github – Published: 2023-11-20 21:31 – Updated: 2023-11-27 18:31
VLAI
Details

The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-20T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.",
  "id": "GHSA-xvc2-6386-99x8",
  "modified": "2023-11-27T18:31:12Z",
  "published": "2023-11-20T21:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5509"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVHP-XJ53-P6H7

Vulnerability from github – Published: 2024-06-06 18:30 – Updated: 2024-06-06 18:30
VLAI
Details

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T18:15:17Z",
    "severity": "HIGH"
  },
  "details": "An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.",
  "id": "GHSA-xvhp-xj53-p6h7",
  "modified": "2024-06-06T18:30:58Z",
  "published": "2024-06-06T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/97958fe4-be21-4b63-966f-8337c72c8e28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.