Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5966 vulnerabilities reference this CWE, most recent first.

GHSA-4RFM-63GF-WXJ6

Vulnerability from github – Published: 2026-04-19 21:31 – Updated: 2026-04-19 21:31
VLAI
Details

A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-19T20:16:28Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-4rfm-63gf-wxj6",
  "modified": "2026-04-19T21:31:28Z",
  "published": "2026-04-19T21:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-2-Unauthenticated-GPS-Data-Injection.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/790282"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/358212"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/358212/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4RFM-M8CV-G888

Vulnerability from github – Published: 2022-05-02 03:31 – Updated: 2022-05-02 03:31
VLAI
Details

The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-08-13T18:30:00Z",
    "severity": "HIGH"
  },
  "details": "The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a \"secure URL,\" related to a certain invokefilterscompatibility property.",
  "id": "GHSA-4rfm-m8cv-g888",
  "modified": "2022-05-02T03:31:38Z",
  "published": "2022-05-02T03:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2088"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52079"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg24022479"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27007951"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27014463"
    },
    {
      "type": "WEB",
      "url": "http://www-1.ibm.com/support/docview.wss?uid=swg1PK77465"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4RH6-83QM-CFMJ

Vulnerability from github – Published: 2024-07-02 21:32 – Updated: 2024-07-02 21:32
VLAI
Details

In versions of Akana in versions prior to and including 2022.1.3 validation is broken when using the SAML Single Sign-On (SSO) functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-02T16:15:05Z",
    "severity": "HIGH"
  },
  "details": "In versions of Akana in versions prior to and including 2022.1.3 validation is broken when using the SAML Single Sign-On (SSO) functionality.",
  "id": "GHSA-4rh6-83qm-cfmj",
  "modified": "2024-07-02T21:32:15Z",
  "published": "2024-07-02T21:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3826"
    },
    {
      "type": "WEB",
      "url": "https://portal.perforce.com/s/detail/a91PA000001SUAfYAO"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4RJ2-GPMH-QQ5X

Vulnerability from github – Published: 2026-02-17 21:36 – Updated: 2026-03-10 22:21
VLAI
Summary
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
Details

Summary

An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing.

Deployments that do not install/enable the voice-call extension are not affected.

Affected Packages / Versions

  • openclaw (npm): <= 2026.2.1
  • Fixed in: >= 2026.2.2

Details

In affected versions (for example 2026.2.1), the inbound allowlist check in extensions/voice-call/src/manager.ts used suffix-based matching and accepted empty caller IDs after normalization.

This allowed two bypasses:

  1. Missing/empty from values normalized to an empty string, which caused the allowlist predicate to evaluate as allowed.
  2. Suffix-based matching meant any caller number whose digits ended with an allowlisted number would be accepted.

Proof Of Concept

  1. Configure the voice-call extension with inboundPolicy: allowlist and allowFrom: ["+15550001234"].
  2. Place/trigger an inbound call with missing/empty caller ID (provider-dependent; for example anonymous/restricted caller). The call is accepted.
  3. Place a call from a number whose E.164 digits end with 15550001234 (for example +99915550001234). The call is accepted.

Impact

Only operators who install/enable the optional voice-call extension and use inboundPolicy=allowlist or pairing could have inbound access controls bypassed, potentially allowing unauthorized callers to reach auto-response and tool execution.

Fix

The fix hardens inbound policy handling:

  • Reject inbound calls when caller ID is missing.
  • Require strict equality when comparing normalized caller IDs against the allowlist (no suffix/prefix matching).
  • Add regression tests for missing caller ID, anonymous caller ID, and suffix-collision cases.

Fix commit(s):

  • f8dfd034f5d9235c5485f492a9e4ccc114e97fdb

Thanks @simecek for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:36:34Z",
    "nvd_published_at": "2026-03-05T22:16:16Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nAn authentication bypass in the optional `voice-call` extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to `allowlist` or `pairing`.\n\nDeployments that do not install/enable the `voice-call` extension are not affected.\n\n### Affected Packages / Versions\n\n- `openclaw` (npm): `\u003c= 2026.2.1`\n- Fixed in: `\u003e= 2026.2.2`\n\n### Details\n\nIn affected versions (for example `2026.2.1`), the inbound allowlist check in `extensions/voice-call/src/manager.ts` used suffix-based matching and accepted empty caller IDs after normalization.\n\nThis allowed two bypasses:\n\n1. Missing/empty `from` values normalized to an empty string, which caused the allowlist predicate to evaluate as allowed.\n2. Suffix-based matching meant any caller number whose digits ended with an allowlisted number would be accepted.\n\n### Proof Of Concept\n\n1. Configure the voice-call extension with `inboundPolicy: allowlist` and `allowFrom: [\"+15550001234\"]`.\n2. Place/trigger an inbound call with missing/empty caller ID (provider-dependent; for example anonymous/restricted caller). The call is accepted.\n3. Place a call from a number whose E.164 digits end with `15550001234` (for example `+99915550001234`). The call is accepted.\n\n### Impact\n\nOnly operators who install/enable the optional `voice-call` extension and use `inboundPolicy=allowlist` or `pairing` could have inbound access controls bypassed, potentially allowing unauthorized callers to reach auto-response and tool execution.\n\n### Fix\n\nThe fix hardens inbound policy handling:\n\n- Reject inbound calls when caller ID is missing.\n- Require strict equality when comparing normalized caller IDs against the allowlist (no suffix/prefix matching).\n- Add regression tests for missing caller ID, anonymous caller ID, and suffix-collision cases.\n\nFix commit(s):\n\n- `f8dfd034f5d9235c5485f492a9e4ccc114e97fdb`\n\nThanks @simecek for reporting.",
  "id": "GHSA-4rj2-gpmh-qq5x",
  "modified": "2026-03-10T22:21:59Z",
  "published": "2026-02-17T21:36:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.2"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-inbound-allowlist-policy-bypass-in-voice-call-extension-via-empty-caller-id"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)"
}

GHSA-4RJ2-HHFH-P3J7

Vulnerability from github – Published: 2022-05-01 23:50 – Updated: 2024-02-14 18:30
VLAI
Details

The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-2433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-08-27T20:41:00Z",
    "severity": "HIGH"
  },
  "details": "The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks.  NOTE: this can be leveraged for code execution through an unspecified \"manipulation of the configuration.\"",
  "id": "GHSA-4rj2-hhfh-p3j7",
  "modified": "2024-02-14T18:30:23Z",
  "published": "2022-05-01T23:50:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2433"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44597"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31373"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/secunia_research/2008-31/advisory"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/4191"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/495670/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30792"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020732"
    },
    {
      "type": "WEB",
      "url": "http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RM7-PGJ2-MJWP

Vulnerability from github – Published: 2022-05-17 05:40 – Updated: 2022-05-17 05:40
VLAI
Details

AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-07-28T18:55:00Z",
    "severity": "HIGH"
  },
  "details": "AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.",
  "id": "GHSA-4rm7-pgj2-mjwp",
  "modified": "2022-05-17T05:40:11Z",
  "published": "2022-05-17T05:40:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2956"
    },
    {
      "type": "WEB",
      "url": "http://www.azeotech.com/revisionhistory.php"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-11-122-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4RMW-9CQP-2R9X

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

Improper authentication of EAP WAPI EAPOL frames from unauthenticated user can lead to information disclosure in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-20T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper authentication of EAP WAPI EAPOL frames from unauthenticated user can lead to information disclosure in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking",
  "id": "GHSA-4rmw-9cqp-2r9x",
  "modified": "2022-05-24T19:18:22Z",
  "published": "2022-05-24T19:18:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30302"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/october-2021-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4RXJ-VW6J-QQRF

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2025-04-20 03:47
VLAI
Details

OpenAM (Open Source Edition) allows an attacker to bypass authentication and access unauthorized contents via unspecified vectors. Note that this vulnerability affects OpenAM (Open Source Edition) implementations configured as SAML 2.0IdP, and switches authentication methods based on AuthnContext requests sent from the service provider.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-02T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "OpenAM (Open Source Edition) allows an attacker to bypass authentication and access unauthorized contents via unspecified vectors. Note that this vulnerability affects OpenAM (Open Source Edition) implementations configured as SAML 2.0IdP, and switches authentication methods based on AuthnContext requests sent from the service provider.",
  "id": "GHSA-4rxj-vw6j-qqrf",
  "modified": "2025-04-20T03:47:59Z",
  "published": "2022-05-13T01:06:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10873"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN79546124"
    },
    {
      "type": "WEB",
      "url": "https://www.cs.themistruct.com"
    },
    {
      "type": "WEB",
      "url": "https://www.osstech.co.jp/support/am2017-2-1-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RXR-27MM-MXQ9

Vulnerability from github – Published: 2022-09-30 05:31 – Updated: 2022-09-30 05:31
VLAI
Summary
Upstash Adapter missing token verification
Details

Impact

Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected.

Description

The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration.

Patches

The vulnerability is patched in v3.0.2. To upgrade, run one of the following:

npm i @next-auth/upstash-redis-adapter@latest
yarn add @next-auth/upstash-redis-adapter@latest
pnpm add @next-auth/upstash-redis-adapter@latest

Workarounds

Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding. Below is an example of how to do this: (Upgrading is still strongly recommended)

import { createHash } from "crypto"
export default async function auth(req, res) {
  if (req.method === "POST" && req.action === "callback") {
    const token = req.query?.token
    const identifier = req.query?.email
    function hashToken(token: string) {
      const provider = authOptions.providers.find((p) => p.id === "email")
      const secret = authOptions.secret
      return (
        createHash("sha256")
          // Prefer provider specific secret, but use default secret if none specified
          .update(`${token}${provider.secret ?? secret}`)
          .digest("hex")
      )
    }
    const hashedToken = hashToken(token)

    const invite = await authOptions.adapter.useVerificationToken?.({
      identifier,
      token: hashedToken,
    })
    if (invite.token !== hashedToken) {
      res.status(400).json({ error: "Invalid token" })
    }
  }
  return await NextAuth(req, res, authOptions)
}

References

EmailProvider: https://next-auth.js.org/providers/email Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization Upstash Redis Adapter: https://next-auth.js.org/adapters/upstash-redis

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@next-auth/upstash-redis-adapter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-30T05:31:32Z",
    "nvd_published_at": "2022-09-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nApplications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected.\n\n### Description\nThe Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim\u0027s email could easily sign in as the victim, given the attacker also knows about the verification token\u0027s expired duration. \n\n### Patches\nThe vulnerability is patched in v3.0.2.\nTo upgrade, run one of the following:\n```\nnpm i @next-auth/upstash-redis-adapter@latest\n```\n```\nyarn add @next-auth/upstash-redis-adapter@latest\n```\n```\npnpm add @next-auth/upstash-redis-adapter@latest\n```\n\n### Workarounds\nUsing Advanced Initialization, developers can check the requests and compare the query\u0027s token and identifier before proceeding. Below is an example of how to do this: (Upgrading is still strongly recommended)\n\n```js\nimport { createHash } from \"crypto\"\nexport default async function auth(req, res) {\n  if (req.method === \"POST\" \u0026\u0026 req.action === \"callback\") {\n    const token = req.query?.token\n    const identifier = req.query?.email\n    function hashToken(token: string) {\n      const provider = authOptions.providers.find((p) =\u003e p.id === \"email\")\n      const secret = authOptions.secret\n      return (\n        createHash(\"sha256\")\n          // Prefer provider specific secret, but use default secret if none specified\n          .update(`${token}${provider.secret ?? secret}`)\n          .digest(\"hex\")\n      )\n    }\n    const hashedToken = hashToken(token)\n\n    const invite = await authOptions.adapter.useVerificationToken?.({\n      identifier,\n      token: hashedToken,\n    })\n    if (invite.token !== hashedToken) {\n      res.status(400).json({ error: \"Invalid token\" })\n    }\n  }\n  return await NextAuth(req, res, authOptions)\n}\n\n```\n### References\nEmailProvider: https://next-auth.js.org/providers/email\nAdvanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization\nUpstash Redis Adapter: https://next-auth.js.org/adapters/upstash-redis\n\n### For more information\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n",
  "id": "GHSA-4rxr-27mm-mxq9",
  "modified": "2022-09-30T05:31:32Z",
  "published": "2022-09-30T05:31:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nextauthjs/next-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Upstash Adapter missing token verification"
}

GHSA-4V3V-2C52-V3V9

Vulnerability from github – Published: 2022-05-01 02:31 – Updated: 2022-05-01 02:31
VLAI
Details

eZ publish 3.4.4 through 3.7 before 20050722 applies certain permissions on the node level, which allows remote authenticated users to bypass the original permissions on embedded objects in XML fields and read these objects.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-4851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-12-31T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "eZ publish 3.4.4 through 3.7 before 20050722 applies certain permissions on the node level, which allows remote authenticated users to bypass the original permissions on embedded objects in XML fields and read these objects.",
  "id": "GHSA-4v3v-2c52-v3v9",
  "modified": "2022-05-01T02:31:27Z",
  "published": "2022-05-01T02:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4851"
    },
    {
      "type": "WEB",
      "url": "http://ez.no/download/ez_publish/changelogs/ez_publish_3_8/changelog_3_6_x_3_7_x_to_3_8_0"
    },
    {
      "type": "WEB",
      "url": "http://issues.ez.no/6841"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.