CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CVE-2025-47930 (GCVE-0-2025-47930)
Vulnerability from cvelistv5 – Published: 2025-05-15 23:17 – Updated: 2025-05-16 13:19
Title
Zulip Server has access control bypass for restrictions on creation of specific channel types
Summary
Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A similar technique works for creating private channels without permission, though such a process requires either the API or modifying the HTML, as we do mark the "private" radio button as disabled in such cases. Version 10.3 contains a patch.
CWE
- CWE-863 - Incorrect Authorization
References
4 references
| URL | Tags |
|---|---|
| https://github.com/zulip/zulip/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/zulip/zulip/commit/d2ff4bda4c3… | x_refsource_MISC |
| https://zulip.com/help/configure-who-can-create-c… | x_refsource_MISC |
| https://zulip.readthedocs.io/en/latest/overview/c… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-16T13:19:39.957985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T13:19:46.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zulip",
"vendor": "zulip",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0, \u003c 10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the \"Who can create public channels\" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A similar technique works for creating private channels without permission, though such a process requires either the API or modifying the HTML, as we do mark the \"private\" radio button as disabled in such cases. Version 10.3 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T23:17:29.829Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zulip/zulip/security/advisories/GHSA-rqg7-xfqg-v7q5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zulip/zulip/security/advisories/GHSA-rqg7-xfqg-v7q5"
},
{
"name": "https://github.com/zulip/zulip/commit/d2ff4bda4c3efa30fc3ab1f151255cfdbf370f78",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zulip/zulip/commit/d2ff4bda4c3efa30fc3ab1f151255cfdbf370f78"
},
{
"name": "https://zulip.com/help/configure-who-can-create-channels",
"tags": [
"x_refsource_MISC"
],
"url": "https://zulip.com/help/configure-who-can-create-channels"
},
{
"name": "https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-10-3",
"tags": [
"x_refsource_MISC"
],
"url": "https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-10-3"
}
],
"source": {
"advisory": "GHSA-rqg7-xfqg-v7q5",
"discovery": "UNKNOWN"
},
"title": "Zulip Server has access control bypass for restrictions on creation of specific channel types"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47930",
"datePublished": "2025-05-15T23:17:29.829Z",
"dateReserved": "2025-05-14T10:32:43.529Z",
"dateUpdated": "2025-05-16T13:19:46.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47937 (GCVE-0-2025-47937)
Vulnerability from cvelistv5 – Published: 2025-05-20 13:47 – Updated: 2025-05-20 14:23
Title
TYPO3 Vulnerable to Information Disclosure via DBAL Restriction Handling
Summary
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
CWE
- CWE-863 - Incorrect Authorization
References
2 references
| URL | Tags |
|---|---|
| https://github.com/TYPO3/typo3/security/advisorie… | x_refsource_CONFIRM |
| https://typo3.org/security/advisory/typo3-core-sa… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T13:57:34.105162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T14:23:17.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "typo3",
"vendor": "TYPO3",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.5.51"
},
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.4.50"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.5.44"
},
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 12.4.31"
},
{
"status": "affected",
"version": "\u003e= 13.0.0, \u003c 13.4.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T13:59:02.082Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x"
},
{
"name": "https://typo3.org/security/advisory/typo3-core-sa-2025-011",
"tags": [
"x_refsource_MISC"
],
"url": "https://typo3.org/security/advisory/typo3-core-sa-2025-011"
}
],
"source": {
"advisory": "GHSA-x8pv-fgxp-8v3x",
"discovery": "UNKNOWN"
},
"title": "TYPO3 Vulnerable to Information Disclosure via DBAL Restriction Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47937",
"datePublished": "2025-05-20T13:47:48.595Z",
"dateReserved": "2025-05-14T10:32:43.529Z",
"dateUpdated": "2025-05-20T14:23:17.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48042 (GCVE-0-2025-48042)
Vulnerability from cvelistv5 – Published: 2025-09-07 16:01 – Updated: 2026-05-27 15:40
Title
Before action hooks may execute in certain scenarios despite a request being forbidden
Summary
Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6.
This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.
CWE
- CWE-863 - Incorrect Authorization
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ash-project/ash/security/advis… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2025-48042.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2025-48042 | related |
| https://github.com/ash-project/ash/commit/5d1b6a5… | patch |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| ash-project | ash | Affected: 0, < 3.5.39 (semver); cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
| ash-project | ash | Affected: 0, < 5d1b6a5d00771fd468a509778637527b5218be9a (git); cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T18:54:54.599381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T18:55:11.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash",
"packageURL": "pkg:hex/ash",
"product": "ash",
"programFiles": [
"lib/ash/actions/create/bulk.ex",
"lib/ash/actions/destroy/bulk.ex",
"lib/ash/actions/update/bulk.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5"
},
{
"name": "\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6"
},
{
"name": "\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "3.5.39",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash-project/ash",
"packageURL": "pkg:github/ash-project/ash",
"product": "ash",
"programFiles": [
"lib/ash/actions/create/bulk.ex",
"lib/ash/actions/destroy/bulk.ex",
"lib/ash/actions/update/bulk.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5"
},
{
"name": "\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6"
},
{
"name": "\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "5d1b6a5d00771fd468a509778637527b5218be9a",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.5.39",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Zach Daniel"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/actions/create/bulk.ex\u003c/tt\u003e, \u003ctt\u003elib/ash/actions/destroy/bulk.ex\u003c/tt\u003e, \u003ctt\u003elib/ash/actions/update/bulk.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines \u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5, \u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6, \u0027Elixir.Ash.Actions.Update.Bulk:run\u0027/6.\n\nThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:40:15.857Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48042.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48042"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Before action hooks may execute in certain scenarios despite a request being forbidden",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48042",
"datePublished": "2025-09-07T16:01:01.470Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-05-27T15:40:15.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48043 (GCVE-0-2025-48043)
Vulnerability from cvelistv5 – Published: 2025-10-10 15:57 – Updated: 2026-05-27 15:40
Title
Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization
Summary
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2.
This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
CWE
- CWE-863 - Incorrect Authorization
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ash-project/ash/security/advis… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2025-48043.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2025-48043 | related |
| https://github.com/ash-project/ash/commit/66d8130… | patch |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| ash-project | ash | Affected: 0, < 3.6.2 (semver); cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
| ash-project | ash | Affected: 0, < 66d81300065b970da0d2f4528354835d2418c7ae (git); cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T16:33:21.270063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T16:45:42.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash",
"packageURL": "pkg:hex/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/authorizer/authorizer.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "3.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash-project/ash",
"packageURL": "pkg:github/ash-project/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/authorizer/authorizer.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "66d81300065b970da0d2f4528354835d2418c7ae",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "remediation reviewer",
"value": "Zach Daniel"
},
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/authorizer/authorizer.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines \u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2.\n\nThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:40:17.241Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48043.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48043"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ash-project/ash/commit/66d81300065b970da0d2f4528354835d2418c7ae"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48043",
"datePublished": "2025-10-10T15:57:29.225Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-05-27T15:40:17.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48044 (GCVE-0-2025-48044)
Vulnerability from cvelistv5 – Published: 2025-10-17 13:52 – Updated: 2026-05-27 15:40
Title
Authorization bypass when bypass policy condition evaluates to true
Summary
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2.
This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
CWE
- CWE-863 - Incorrect Authorization
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ash-project/ash/security/advis… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2025-48044.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2025-48044 | related |
| https://github.com/ash-project/ash/commit/8b83efa… | patch |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| ash-project | ash | Affected: 3.6.3, < 3.7.1 (semver); cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
| ash-project | ash | Affected: 79749c2685ea031ebb2de8cf60cc5edced6a8dd0, < 8b83efa225f657bfc3656ad8ee8485f9b2de923d (git); cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T18:42:50.579615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T13:59:25.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash",
"packageURL": "pkg:hex/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/policy.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "3.7.1",
"status": "affected",
"version": "3.6.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "ash-project/ash",
"packageURL": "pkg:github/ash-project/ash",
"product": "ash",
"programFiles": [
"lib/ash/policy/policy.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "8b83efa225f657bfc3656ad8ee8485f9b2de923d",
"status": "affected",
"version": "79749c2685ea031ebb2de8cf60cc5edced6a8dd0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.7.1",
"versionStartIncluding": "3.6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jechol Lee"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jechol Lee"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Zach Daniel"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/policy.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Policy\u0027:expression/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines \u0027Elixir.Ash.Policy.Policy\u0027:expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:40:21.571Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2025-48044.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2025-48044"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authorization bypass when bypass policy condition evaluates to true",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2025-48044",
"datePublished": "2025-10-17T13:52:53.644Z",
"dateReserved": "2025-05-15T08:40:25.455Z",
"dateUpdated": "2026-05-27T15:40:21.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48373 (GCVE-0-2025-48373)
Vulnerability from cvelistv5 – Published: 2025-05-22 20:39 – Updated: 2025-05-27 20:28
Title
Schule Has Client-Side Role-Based Access Control (RBAC) Bypass Vulnerability
Summary
Schule is open-source school management system software. The application relies on client-side JavaScript (index.js) to redirect users to different panels based on their role. Prior to version 1.0.1, this implementation poses a serious security risk because it assumes that the value of data.role is trustworthy on the client side. Attackers can manipulate JavaScript in the browser (e.g., via browser dev tools or intercepting API responses) and set data.role to any arbitrary value (e.g., "admin"), gaining unauthorized access to restricted areas of the application.
CWE
- CWE-863 - Incorrect Authorization
References
2 references
| URL | Tags |
|---|---|
| https://github.com/schule111/Schule/security/advi… | x_refsource_CONFIRM |
| https://github.com/schule111/Schule/commit/cbf7f5… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T14:34:42.968739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T20:28:17.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Schule",
"vendor": "schule111",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Schule is open-source school management system software. The application relies on client-side JavaScript (index.js) to redirect users to different panels based on their role. Prior to version 1.0.1, this implementation poses a serious security risk because it assumes that the value of data.role is trustworthy on the client side. Attackers can manipulate JavaScript in the browser (e.g., via browser dev tools or intercepting API responses) and set data.role to any arbitrary value (e.g., \"admin\"), gaining unauthorized access to restricted areas of the application."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T20:39:35.548Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/schule111/Schule/security/advisories/GHSA-37h9-qq7c-6mc9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/schule111/Schule/security/advisories/GHSA-37h9-qq7c-6mc9"
},
{
"name": "https://github.com/schule111/Schule/commit/cbf7f509c37acd69b4ab8ee19d842de867b46b7e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/schule111/Schule/commit/cbf7f509c37acd69b4ab8ee19d842de867b46b7e"
}
],
"source": {
"advisory": "GHSA-37h9-qq7c-6mc9",
"discovery": "UNKNOWN"
},
"title": "Schule Has Client-Side Role-Based Access Control (RBAC) Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48373",
"datePublished": "2025-05-22T20:39:35.548Z",
"dateReserved": "2025-05-19T15:46:00.395Z",
"dateUpdated": "2025-05-27T20:28:17.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48445 (GCVE-0-2025-48445)
Vulnerability from cvelistv5 – Published: 2025-06-11 14:31 – Updated: 2025-06-11 15:38
Title
Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066
Summary
Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse. This issue affects Commerce Eurobank (Redirect): from 0.0.0 before 2.1.1.
Severity
8.8 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Commerce Eurobank (Redirect) | Affected: 0.0.0 , < 2.1.1 (semver) | |
Date Public
2025-05-21 17:28
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T15:34:39.777239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T15:38:27.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/commerce_eurobank_redirect",
"defaultStatus": "unaffected",
"product": "Commerce Eurobank (Redirect)",
"repo": "https://git.drupalcode.org/project/commerce_eurobank_redirect",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marios Tsalkidis (silios)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bill Seremetis (bserem)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Panagiotis Moutsopoulos (vensires)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-21T17:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse.\u003cp\u003eThis issue affects Commerce Eurobank (Redirect): from 0.0.0 before 2.1.1.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse.This issue affects Commerce Eurobank (Redirect): from 0.0.0 before 2.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T14:31:03.526Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-066"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-48445",
"datePublished": "2025-06-11T14:31:03.526Z",
"dateReserved": "2025-05-21T16:25:07.435Z",
"dateUpdated": "2025-06-11T15:38:27.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48446 (GCVE-0-2025-48446)
Vulnerability from cvelistv5 – Published: 2025-06-11 14:34 – Updated: 2025-06-11 15:48
Title
Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067
Summary
Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse. This issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3.
Severity
8.8 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Commerce Alphabank Redirect | Affected: 0.0.0 , < 1.0.3 (semver) | |
Date Public
2025-05-21 17:28
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T15:47:34.403882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T15:48:21.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/commerce_alphabank_redirect",
"defaultStatus": "unaffected",
"product": "Commerce Alphabank Redirect",
"repo": "https://git.drupalcode.org/project/commerce_alphabank_redirect",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marios Tsalkidis (silios)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bill Seremetis (bserem)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Panagiotis Moutsopoulos (vensires)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-21T17:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse.\u003cp\u003eThis issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse.This issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T14:34:50.071Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-067"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-48446",
"datePublished": "2025-06-11T14:34:50.071Z",
"dateReserved": "2025-05-21T16:25:07.435Z",
"dateUpdated": "2025-06-11T15:48:21.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48472 (GCVE-0-2025-48472)
Vulnerability from cvelistv5 – Published: 2025-05-29 15:18 – Updated: 2025-05-29 15:36
Title
FreeScout Vulnerable to Insufficient Authorization
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications for the mailbox to which they already have access. Moreover, the code explicitly implements functionality that if the user does not have access to the mailbox, then after disabling (enabling) notifications for this mailbox, the user will gain access to it. This issue has been patched in version 1.8.179.
Severity
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout | Affected: < 1.8.179 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48472",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T15:35:58.060161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T15:36:15.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f62r-8354-8pqg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.179"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications for the mailbox to which they already have access. Moreover, the code explicitly implements functionality that if the user does not have access to the mailbox, then after disabling (enabling) notifications for this mailbox, the user will gain access to it. This issue has been patched in version 1.8.179."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T15:18:58.406Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f62r-8354-8pqg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f62r-8354-8pqg"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/01c91d2086ddd56778698e557138a178b2f59916",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/01c91d2086ddd56778698e557138a178b2f59916"
}
],
"source": {
"advisory": "GHSA-f62r-8354-8pqg",
"discovery": "UNKNOWN"
},
"title": "FreeScout Vulnerable to Insufficient Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48472",
"datePublished": "2025-05-29T15:18:58.406Z",
"dateReserved": "2025-05-22T12:11:39.118Z",
"dateUpdated": "2025-05-29T15:36:15.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48473 (GCVE-0-2025-48473)
Vulnerability from cvelistv5 – Published: 2025-05-29 15:27 – Updated: 2025-05-29 15:43
Title
FreeScout Vulnerable to Insufficient Authorization
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179.
Severity
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout | Affected: < 1.8.179 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48473",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T15:42:28.993318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T15:43:38.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.179"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T15:27:52.137Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3x75-7856-r794",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3x75-7856-r794"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/2552a2b84248824b73c35b2699aa86da644eea1a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/2552a2b84248824b73c35b2699aa86da644eea1a"
}
],
"source": {
"advisory": "GHSA-3x75-7856-r794",
"discovery": "UNKNOWN"
},
"title": "FreeScout Vulnerable to Insufficient Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48473",
"datePublished": "2025-05-29T15:27:52.137Z",
"dateReserved": "2025-05-22T12:11:39.118Z",
"dateUpdated": "2025-05-29T15:43:38.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.