Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5970 vulnerabilities reference this CWE, most recent first.

GHSA-7RG2-CXVP-9P7P

Vulnerability from github – Published: 2022-12-02 22:25 – Updated: 2022-12-02 22:25
VLAI
Summary
Prometheus Exporter-Toolkit is vulnerable to authentication bypass
Details

Impact

Prometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication.

Passwords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back.

However, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus.

A request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.

Patches

The exporter-toolkit v0.7.3 and v0.8.2 have been released to address this issue.

Workarounds

There is no workaround but attacker must have access to the hashed password, stored in disk, to bypass the authentication.

Credit

We want to thank Lei Wan reporting this security issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/prometheus/exporter-toolkit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/prometheus/exporter-toolkit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-02T22:25:46Z",
    "nvd_published_at": "2022-11-29T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nPrometheus and its exporters can be secured by a web.yml file that specifies usernames and hashed passwords for basic authentication.\n\nPasswords are hashed with bcrypt, which means that even if you have access to the hash, it is very hard to find the original password back.\n\nHowever, a flaw in the way this mechanism was implemented in the exporter toolkit makes it possible with people who know the hashed password to authenticate against Prometheus.\n\nA request can be forged by an attacker to poison the internal cache used to cache the computation of hashes and make subsequent requests successful. This cache is used in both happy and unhappy scenarios in order to limit side channel attacks that could tell an attacker if a user is present in the file or not.\n\n### Patches\n\nThe exporter-toolkit v0.7.3 and v0.8.2 have been released to address this issue.\n\n### Workarounds\n\nThere is no workaround but attacker must have access to the hashed password, stored in disk, to bypass the authentication.\n\n### Credit\n\nWe want to thank Lei Wan reporting this security issue.\n",
  "id": "GHSA-7rg2-cxvp-9p7p",
  "modified": "2022-12-02T22:25:46Z",
  "published": "2022-12-02T22:25:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46146"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prometheus/exporter-toolkit/commit/25288779bc59d00c41b4a1706c6b87f0561ef2d7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/prometheus/exporter-toolkit"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UH24VXIB25OGHF4VGY4PLZMTGTI3BHCA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULVDTAI76VATRAHTKCE2SUJ4NC3PQZ6Y"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-15"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/29/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prometheus Exporter-Toolkit is vulnerable to authentication bypass"
}

GHSA-7RHV-H82H-VPJH

Vulnerability from github – Published: 2026-03-05 21:14 – Updated: 2026-03-05 21:14
VLAI
Summary
EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
Details

Vulnerability Allowing MFA Bypass

Affected EC-CUBE Versions

Versions: 4.1.0 – 4.3.1

Vulnerability Overview

If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.

Severity and Impact

CVSS v3.1 score
Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0

An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.

Root Cause Details

There are flaws in the access control implementation for the 2FA settings page (/admin/two_factor_auth/set).

  1. TwoFactorAuthListener.php
    The route for the 2FA settings page (admin_two_factor_auth_set) is included in the list of routes excluded from the 2FA authentication check.

  2. TwoFactorAuthController.php
    Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.

Attack Preconditions and Steps

Preconditions: - The attacker knows the administrative user’s ID and password. - 2FA is enabled for that user.

Attack Steps: 1. Attempt to log in using the ID and password. 2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access /admin/two_factor_auth/set. 3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.

MFAバイパスが可能な脆弱性

EC-CUBEバージョン

バージョン: 4.1.0 ~ 4.3.1

脆弱性の概要

管理者のIDとパスワードが漏洩している場合、本来必要な2段階認証を回避して管理画面にログインできてしまう問題です。

深刻度と影響

CVSS3.1スコア:基本評価:6.2 / 現状評価:5.7 / 環境評価(緩和・対策後):0.0

攻撃者は管理者権限を持つアカウントの2FA設定を強制的に上書きできます。これにより、正規の管理者を締め出しつつ、攻撃者自身が管理画面へログインし、機密情報の閲覧やWebサイトの改ざんなどの不正操作を行うことが可能になります。

脆弱性の詳細な原因

システムの実装において、2FA設定画面(/admin/two_factor_auth/set)へのアクセス制御に不備があり。

  1. TwoFactorAuthListener.php 2FA認証チェックを除外するルート設定に、設定画面(admin_two_factor_auth_set)が含まれている。
  2. TwoFactorAuthController.php 既に2FA設定済みのユーザーであっても、2FA認証を通過せずに新しい鍵の再設定(上書き)を受け入れてしまう仕様になっている。

攻撃の成立条件と手順

前提条件: 管理ユーザーのIDとパスワードを知っていること。 そのユーザーで2FAが有効化されていること。

攻撃手順:

  1. IDとパスワードでログインを試行する。
  2. 2FAコード入力画面が表示されるが、入力を行わずに直接URLを書き換えて /admin/two_factor_auth/set へアクセスする。
  3. アクセスが拒否されないため、攻撃者は新しい2FA秘密鍵を発行し、保存(上書き)する。
  4. 以降、攻撃者が作成した新しい2FAコードを使ってログインが可能になる。
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ec-cube/ec-cube"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "last_affected": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T21:14:57Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Vulnerability Allowing MFA Bypass\n\n## Affected EC-CUBE Versions\nVersions: 4.1.0 \u2013 4.3.1\n\n## Vulnerability Overview\nIf an administrator\u2019s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.\n\n## Severity and Impact\n\n**CVSS v3.1 score**  \nBase score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0\n\nAn attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.\n\n## Root Cause Details\n\nThere are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`).\n\n1. **TwoFactorAuthListener.php**  \n   The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check.\n\n2. **TwoFactorAuthController.php**  \n   Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.\n\n## Attack Preconditions and Steps\n\n**Preconditions:**\n- The attacker knows the administrative user\u2019s ID and password.\n- 2FA is enabled for that user.\n\n**Attack Steps:**\n1. Attempt to log in using the ID and password.\n2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`.\n3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.\n\n\n# MFA\u30d0\u30a4\u30d1\u30b9\u304c\u53ef\u80fd\u306a\u8106\u5f31\u6027\n\n## EC-CUBE\u30d0\u30fc\u30b8\u30e7\u30f3\n\u30d0\u30fc\u30b8\u30e7\u30f3:  4.1.0 ~ 4.3.1\n\n## \u8106\u5f31\u6027\u306e\u6982\u8981\n\u7ba1\u7406\u8005\u306eID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u6f0f\u6d29\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u672c\u6765\u5fc5\u8981\u306a2\u6bb5\u968e\u8a8d\u8a3c\u3092\u56de\u907f\u3057\u3066\u7ba1\u7406\u753b\u9762\u306b\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u3066\u3057\u307e\u3046\u554f\u984c\u3067\u3059\u3002\n\n## \u6df1\u523b\u5ea6\u3068\u5f71\u97ff\n\nCVSS3.1\u30b9\u30b3\u30a2\uff1a\u57fa\u672c\u8a55\u4fa1:6.2  / \u73fe\u72b6\u8a55\u4fa1:5.7  / \u74b0\u5883\u8a55\u4fa1(\u7de9\u548c\u30fb\u5bfe\u7b56\u5f8c):0.0 \n\n\u653b\u6483\u8005\u306f\u7ba1\u7406\u8005\u6a29\u9650\u3092\u6301\u3064\u30a2\u30ab\u30a6\u30f3\u30c8\u306e2FA\u8a2d\u5b9a\u3092\u5f37\u5236\u7684\u306b\u4e0a\u66f8\u304d\u3067\u304d\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u6b63\u898f\u306e\u7ba1\u7406\u8005\u3092\u7de0\u3081\u51fa\u3057\u3064\u3064\u3001\u653b\u6483\u8005\u81ea\u8eab\u304c\u7ba1\u7406\u753b\u9762\u3078\u30ed\u30b0\u30a4\u30f3\u3057\u3001\u6a5f\u5bc6\u60c5\u5831\u306e\u95b2\u89a7\u3084Web\u30b5\u30a4\u30c8\u306e\u6539\u3056\u3093\u306a\u3069\u306e\u4e0d\u6b63\u64cd\u4f5c\u3092\u884c\u3046\u3053\u3068\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002\n\n## \u8106\u5f31\u6027\u306e\u8a73\u7d30\u306a\u539f\u56e0\n\n\u30b7\u30b9\u30c6\u30e0\u306e\u5b9f\u88c5\u306b\u304a\u3044\u3066\u30012FA\u8a2d\u5b9a\u753b\u9762(/admin/two_factor_auth/set)\u3078\u306e\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u306b\u4e0d\u5099\u304c\u3042\u308a\u3002\n\n1. TwoFactorAuthListener.php\n2FA\u8a8d\u8a3c\u30c1\u30a7\u30c3\u30af\u3092\u9664\u5916\u3059\u308b\u30eb\u30fc\u30c8\u8a2d\u5b9a\u306b\u3001\u8a2d\u5b9a\u753b\u9762(admin_two_factor_auth_set)\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u3002\n2. TwoFactorAuthController.php\n\u65e2\u306b2FA\u8a2d\u5b9a\u6e08\u307f\u306e\u30e6\u30fc\u30b6\u30fc\u3067\u3042\u3063\u3066\u3082\u30012FA\u8a8d\u8a3c\u3092\u901a\u904e\u305b\u305a\u306b\u65b0\u3057\u3044\u9375\u306e\u518d\u8a2d\u5b9a(\u4e0a\u66f8\u304d)\u3092\u53d7\u3051\u5165\u308c\u3066\u3057\u307e\u3046\u4ed5\u69d8\u306b\u306a\u3063\u3066\u3044\u308b\u3002\n\n## \u653b\u6483\u306e\u6210\u7acb\u6761\u4ef6\u3068\u624b\u9806\n\n\u524d\u63d0\u6761\u4ef6:\n\u7ba1\u7406\u30e6\u30fc\u30b6\u30fc\u306eID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u77e5\u3063\u3066\u3044\u308b\u3053\u3068\u3002\n\u305d\u306e\u30e6\u30fc\u30b6\u30fc\u30672FA\u304c\u6709\u52b9\u5316\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3002\n\n\u653b\u6483\u624b\u9806:\n\n1. ID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3067\u30ed\u30b0\u30a4\u30f3\u3092\u8a66\u884c\u3059\u308b\u3002\n2. 2FA\u30b3\u30fc\u30c9\u5165\u529b\u753b\u9762\u304c\u8868\u793a\u3055\u308c\u308b\u304c\u3001\u5165\u529b\u3092\u884c\u308f\u305a\u306b\u76f4\u63a5URL\u3092\u66f8\u304d\u63db\u3048\u3066 /admin/two_factor_auth/set \u3078\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3002\n3. \u30a2\u30af\u30bb\u30b9\u304c\u62d2\u5426\u3055\u308c\u306a\u3044\u305f\u3081\u3001\u653b\u6483\u8005\u306f\u65b0\u3057\u30442FA\u79d8\u5bc6\u9375\u3092\u767a\u884c\u3057\u3001\u4fdd\u5b58(\u4e0a\u66f8\u304d)\u3059\u308b\u3002\n4. \u4ee5\u964d\u3001\u653b\u6483\u8005\u304c\u4f5c\u6210\u3057\u305f\u65b0\u3057\u30442FA\u30b3\u30fc\u30c9\u3092\u4f7f\u3063\u3066\u30ed\u30b0\u30a4\u30f3\u304c\u53ef\u80fd\u306b\u306a\u308b\u3002",
  "id": "GHSA-7rhv-h82h-vpjh",
  "modified": "2026-03-05T21:14:57Z",
  "published": "2026-03-05T21:14:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EC-CUBE/ec-cube/security/advisories/GHSA-7rhv-h82h-vpjh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EC-CUBE/ec-cube/commit/094785943bfc3815c29f0cce9dbabb9bcc688474"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EC-CUBE/ec-cube"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface"
}

GHSA-7RHV-XM4Q-WH42

Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 20:26
VLAI
Summary
Erxes Incorrect Access Control vulnerability
Details

Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "erxes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T20:26:40Z",
    "nvd_published_at": "2025-06-10T17:20:38Z",
    "severity": "HIGH"
  },
  "details": "Erxes \u003c1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a \"User\" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.",
  "id": "GHSA-7rhv-xm4q-wh42",
  "modified": "2025-06-10T20:26:40Z",
  "published": "2025-06-10T18:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/erxes/erxes/commit/4ed2ca797241d2ba0c9083feeadd9755c1310ce8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/erxes/erxes"
    },
    {
      "type": "WEB",
      "url": "https://www.sonarsource.com/blog/micro-services-major-headaches-detecting-vulnerabilities-in-erxes-microservices"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Erxes Incorrect Access Control vulnerability"
}

GHSA-7RJ5-723H-386Q

Vulnerability from github – Published: 2023-08-09 06:31 – Updated: 2026-04-08 21:31
VLAI
Details

The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive information about the site configuration as disclosed by the WordPress health check.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-09T04:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive information about the site configuration as disclosed by the WordPress health check.",
  "id": "GHSA-7rj5-723h-386q",
  "modified": "2026-04-08T21:31:59Z",
  "published": "2023-08-09T06:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4242"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/full-customer/tags/1.1.0/app/api/Health.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/full-customer/tags/2.3/app/api/Controller.php?rev=2951561"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a77d0fb5-8829-407d-a40a-169cf0c5f837?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RQG-33F4-5488

Vulnerability from github – Published: 2022-05-01 18:34 – Updated: 2022-05-01 18:34
VLAI
Details

Basic Analysis and Security Engine (BASE) before 1.3.8 sends a redirect to the web browser but does not exit, which allows remote attackers to bypass authentication via (1) base_main.php, (2) base_qry_alert.php, and possibly other vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-18T22:17:00Z",
    "severity": "HIGH"
  },
  "details": "Basic Analysis and Security Engine (BASE) before 1.3.8 sends a redirect to the web browser but does not exit, which allows remote attackers to bypass authentication via (1) base_main.php, (2) base_qry_alert.php, and possibly other vectors.",
  "id": "GHSA-7rqg-33f4-5488",
  "modified": "2022-05-01T18:34:51Z",
  "published": "2022-05-01T18:34:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5578"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34724"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0031.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063767.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25518"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/project/shownotes.php?group_id=103348\u0026release_id=521723"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/35243"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/24315"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7V38-8RX6-7RW9

Vulnerability from github – Published: 2023-06-19 18:30 – Updated: 2024-04-04 04:57
VLAI
Details

Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-19T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.",
  "id": "GHSA-7v38-8rx6-7rw9",
  "modified": "2024-04-04T04:57:38Z",
  "published": "2023-06-19T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48496"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VJF-XJH9-P8C2

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

A vulnerability in the Guest Portal login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Guest Portal login page. An exploit could allow the attacker to perform brute-force password attacks on the ISE Guest Portal. Cisco Bug IDs: CSCve98518.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-16T07:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Guest Portal login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Guest Portal login page. An exploit could allow the attacker to perform brute-force password attacks on the ISE Guest Portal. Cisco Bug IDs: CSCve98518.",
  "id": "GHSA-7vjf-xjh9-p8c2",
  "modified": "2022-05-13T01:37:53Z",
  "published": "2022-05-13T01:37:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12316"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-ise"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101931"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039830"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VJP-W5H4-XJ49

Vulnerability from github – Published: 2022-05-02 03:15 – Updated: 2022-05-02 03:15
VLAI
Details

The ProcessLogin function in class.auth.php in Interspire Shopping Cart (ISC) 4.0.1 Ultimate edition allows remote attackers to bypass authentication and obtain administrative access by reusing the RememberToken cookie after a failed admin login attempt.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-02-03T20:30:00Z",
    "severity": "HIGH"
  },
  "details": "The ProcessLogin function in class.auth.php in Interspire Shopping Cart (ISC) 4.0.1 Ultimate edition allows remote attackers to bypass authentication and obtain administrative access by reusing the RememberToken cookie after a failed admin login attempt.",
  "id": "GHSA-7vjp-w5h4-xj49",
  "modified": "2022-05-02T03:15:20Z",
  "published": "2022-05-02T03:15:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0412"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47899"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/499967/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/33212"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021557"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7VVG-QG7F-32V8

Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2022-05-14 01:44
VLAI
Details

Authentication bypass in the Intel RAID Web Console 3 for Windows before 4.186 may allow an unprivileged user to potentially gain administrative privileges via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-14T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Authentication bypass in the Intel RAID Web Console 3 for Windows before 4.186 may allow an unprivileged user to potentially gain administrative privileges via local access.",
  "id": "GHSA-7vvg-qg7f-32v8",
  "modified": "2022-05-14T01:44:12Z",
  "published": "2022-05-14T01:44:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3696"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00196.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106028"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VXG-F9RP-JRR5

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-10-25 19:00
VLAI
Details

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected GitHub Enterprise Server versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22869"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-24T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected GitHub Enterprise Server versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases.",
  "id": "GHSA-7vxg-f9rp-jrr5",
  "modified": "2022-10-25T19:00:34Z",
  "published": "2022-05-24T19:15:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22869"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.16"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.