Common Weakness Enumeration

CWE-1390

Allowed-with-Review

Weak Authentication

Abstraction: Class · Status: Incomplete

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

155 vulnerabilities reference this CWE, most recent first.

GHSA-JM7R-G967-8PCH

Vulnerability from github – Published: 2026-01-28 09:30 – Updated: 2026-01-28 09:30
VLAI
Details

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T08:16:02Z",
    "severity": "CRITICAL"
  },
  "details": "SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.",
  "id": "GHSA-jm7r-g967-8pch",
  "modified": "2026-01-28T09:30:31Z",
  "published": "2026-01-28T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40554"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40554"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPF4-6GR7-RH8Q

Vulnerability from github – Published: 2026-01-28 09:30 – Updated: 2026-02-26 21:31
VLAI
Details

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T08:16:02Z",
    "severity": "CRITICAL"
  },
  "details": "SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.",
  "id": "GHSA-jpf4-6gr7-rh8q",
  "modified": "2026-02-26T21:31:27Z",
  "published": "2026-01-28T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40552"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553/blob/main/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQFH-6JJG-67XG

Vulnerability from github – Published: 2025-07-08 15:32 – Updated: 2025-07-22 18:30
VLAI
Details

Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.

NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T15:15:34Z",
    "severity": "HIGH"
  },
  "details": "Weak authentication in EOL\u00a0ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.\n\nNOTE: This CVE affects only End Of Life (EOL)\u00a0software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.",
  "id": "GHSA-jqfh-6jjg-67xg",
  "modified": "2025-07-22T18:30:36Z",
  "published": "2025-07-08T15:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7326"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-24070"
    },
    {
      "type": "WEB",
      "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-24070"
    },
    {
      "type": "WEB",
      "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-7326"
    },
    {
      "type": "WEB",
      "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-7326?nes-for-.net"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV5C-8JGX-C489

Vulnerability from github – Published: 2024-09-10 21:31 – Updated: 2024-09-10 21:31
VLAI
Details

Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T21:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.",
  "id": "GHSA-jv5c-8jgx-c489",
  "modified": "2024-09-10T21:31:40Z",
  "published": "2024-09-10T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8322"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCFQ-F994-8HQG

Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 21:31
VLAI
Details

A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information.

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T13:15:56Z",
    "severity": "LOW"
  },
  "details": "A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.5166 and later",
  "id": "GHSA-mcfq-f994-8hqg",
  "modified": "2026-02-12T21:31:25Z",
  "published": "2026-02-11T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57713"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-26-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P2RJ-QGFH-H8M9

Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30
VLAI
Details

Active Directory Certificate Services Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T18:15:41Z",
    "severity": "HIGH"
  },
  "details": "Active Directory Certificate Services Elevation of Privilege Vulnerability",
  "id": "GHSA-p2rj-qgfh-h8m9",
  "modified": "2024-11-12T18:30:59Z",
  "published": "2024-11-12T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49019"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P89H-P4PH-4VJ6

Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-16 14:49
VLAI
Summary
Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials
Details

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:wso2id-oauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390",
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-16T14:49:27Z",
    "nvd_published_at": "2025-05-14T21:15:59Z",
    "severity": "HIGH"
  },
  "details": "In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the \"WSO2 Oauth\" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.",
  "id": "GHSA-p89h-p4ph-4vj6",
  "modified": "2025-05-16T14:49:27Z",
  "published": "2025-05-14T21:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47889"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3481"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials"
}

GHSA-PWH8-58VV-VW48

Vulnerability from github – Published: 2023-09-15 13:36 – Updated: 2024-09-10 17:15
VLAI
Summary
Jetty's OpenId Revoked authentication allows one request
Details

If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated.

So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the LoginService.

Impact

This impacts usages of the jetty-openid which have configured a nested LoginService and where that LoginService will is capable of rejecting previously authenticated users.

Original Report

working on a custom OpenIdAuthenticator, I discovered the following:

https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505

In the case where the LoginService does return that the authentication has been revoked (from the validate() call on line 463), the OpenIdAuthenticator removes the authentication from the session; however the current request still proceeds as if authenticated, since it falls through to "return authentication" on line 505.

This is fixed by moving the line 505 (and associated debug log) inside the else block that ends on line 502, instead of outside it. Then the revocation case will run through to line 517 and will trigger a new OpenId authentication which I think is correct.

I think this revocation can only occur if you do attach a separate LoginService to the OpenIdLoginService, but in that case the revoked authentication will still let the next request through (and possibly more than one if they are very close to simultaneous).

Technically I think this is a security vulnerability, if a very minor one, so I'm sending this off-list.

Patched Versions

Fixed in Jetty Versions: * 9.4.52 - fixed in PR https://github.com/eclipse/jetty.project/pull/9660 * 10.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528 * 11.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528 * 12.0.0 - not impacted (already has fix)

Workaround

Upgrade your version of Jetty.

References

  • https://github.com/eclipse/jetty.project/pull/9528
  • https://github.com/eclipse/jetty.project/pull/9660
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.51"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-openid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.21"
            },
            {
              "fixed": "9.4.52.v20230823"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-openid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-openid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390",
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-15T13:36:10Z",
    "nvd_published_at": "2023-09-15T21:15:11Z",
    "severity": "LOW"
  },
  "details": "If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. \n\nSo a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`.\n\n### Impact\nThis impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users.\n\n### Original Report\n\u003e working on a custom OpenIdAuthenticator, I discovered the following:\n\u003e \n\u003e https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505\n\u003e \n\u003e In the case where the LoginService does return that the authentication has been revoked (from the validate() call on line 463), the OpenIdAuthenticator removes the authentication from the session; however the current request still proceeds as if authenticated, since it falls through to \"return authentication\" on line 505.\n\u003e \n\u003e This is fixed by moving the line 505 (and associated debug log) inside the else block that ends on line 502, instead of outside it. Then the revocation case will run through to line 517 and will trigger a new OpenId authentication which I think is correct.\n\u003e \n\u003e I think this revocation can only occur if you do attach a separate LoginService to the OpenIdLoginService, but in that case the revoked authentication will still let the next request through (and possibly more than one if they are very close to simultaneous).\n\u003e \n\u003e Technically I think this is a security vulnerability, if a very minor one, so I\u0027m sending this off-list.\n\n### Patched Versions\n\nFixed in Jetty Versions:\n* 9.4.52 - fixed in PR https://github.com/eclipse/jetty.project/pull/9660\n* 10.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528\n* 11.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528\n* 12.0.0 - not impacted (already has fix)\n\n### Workaround\nUpgrade your version of Jetty.\n\n### References\n* https://github.com/eclipse/jetty.project/pull/9528\n* https://github.com/eclipse/jetty.project/pull/9660",
  "id": "GHSA-pwh8-58vv-vw48",
  "modified": "2024-09-10T17:15:25Z",
  "published": "2023-09-15T13:36:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/pull/9528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/pull/9660"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse/jetty.project"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231110-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5507"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jetty\u0027s OpenId Revoked authentication allows one request"
}

GHSA-PWJV-G8J5-52FJ

Vulnerability from github – Published: 2025-11-12 09:30 – Updated: 2025-11-12 18:31
VLAI
Details

The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T08:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.",
  "id": "GHSA-pwjv-g8j5-52fj",
  "modified": "2025-11-12T18:31:24Z",
  "published": "2025-11-12T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12871"
    },
    {
      "type": "WEB",
      "url": "https://www.chtsecurity.com/news/b97e8337-6b0c-43e8-8e8c-187b7c0e13c2"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PXQC-MXCR-VH66

Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34
VLAI
Details

This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1390"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T23:15:29Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.",
  "id": "GHSA-pxqc-mxcr-vh66",
  "modified": "2025-11-03T21:34:28Z",
  "published": "2025-09-16T00:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30468"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125108"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Sep/49"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.