CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-WF48-98RG-498V
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.
{
"affected": [],
"aliases": [
"CVE-2021-41292"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-30T11:15:00Z",
"severity": "CRITICAL"
},
"details": "ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.",
"id": "GHSA-wf48-98rg-498v",
"modified": "2022-05-24T19:16:13Z",
"published": "2022-05-24T19:16:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41292"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WFM2-RQ5G-F8V5
Vulnerability from github – Published: 2025-04-29 15:11 – Updated: 2025-04-29 15:11Summary
Allowlist module contains a bypass vulnerability
Details
The logic for using an allowlist on a Modular Account V2 contained a bug that allowed session keys to bypass any allowlist configuration
Action
If you are using @aa-sdk and/or @account-kit/smart-contracts between the versions of >=4.8.0 and <4.28.1, please upgrade to 4.28.2
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@account-kit/smart-contracts"
},
"ranges": [
{
"events": [
{
"introduced": "4.8.0"
},
{
"fixed": "4.28.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-29T15:11:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nAllowlist module contains a bypass vulnerability\n\n### Details\nThe logic for using an allowlist on a Modular Account V2 contained a bug that allowed session keys to bypass any allowlist configuration\n\n### Action\nIf you are using @aa-sdk and/or @account-kit/smart-contracts between the versions of \u003e=4.8.0 and \u003c4.28.1, please upgrade to 4.28.2",
"id": "GHSA-wfm2-rq5g-f8v5",
"modified": "2025-04-29T15:11:41Z",
"published": "2025-04-29T15:11:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/alchemyplatform/aa-sdk/security/advisories/GHSA-wfm2-rq5g-f8v5"
},
{
"type": "WEB",
"url": "https://github.com/alchemyplatform/aa-sdk/commit/b65bafdb9eec3a009df2cbabf09a35a76550e9d0"
},
{
"type": "PACKAGE",
"url": "https://github.com/alchemyplatform/aa-sdk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "@account-kit/smart-contracts Allowlist Module Bypass Vulnerability"
}
GHSA-WG33-5H85-7Q5P
Vulnerability from github – Published: 2025-02-06 17:07 – Updated: 2025-02-06 19:54Impact
In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to *:8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this SSRF-style access to remote code execution.
The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The block_global option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.
Patches
The vulnerability has been fixed in mitmproxy 11.1.2 and above.
Acknowledgements
We thank Stefan Grönke (@gronke) for reporting this vulnerability as part of a security audit by Radically Open Security. This audit was supported by the NGI0 Entrust fund established by NLnet.
Timeline
- 2025-01-14: Received initial report.
- 2025-01-14: Verified report and confirmed receipt.
- 2025-01-19: Shared patch with researcher.
- 2025-02-04: Received final confirmation that patch is working.
- 2025-02-05: Published patched release and advisory.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mitmproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23217"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-441"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-06T17:07:41Z",
"nvd_published_at": "2025-02-06T18:15:32Z",
"severity": "HIGH"
},
"details": "### Impact\nIn mitmweb 11.1.0 and below, a malicious client can use mitmweb\u0027s proxy server (bound to `*:8080` by default) to access mitmweb\u0027s internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution.\n\nThe mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.\n\n### Patches\n\nThe vulnerability has been fixed in mitmproxy 11.1.2 and above.\n\n### Acknowledgements\n\nWe thank Stefan Gr\u00f6nke (@gronke) for reporting this vulnerability as part of a security audit by [Radically Open Security](https://www.radicallyopensecurity.com/). This audit was supported by the [NGI0 Entrust fund](https://nlnet.nl/entrust/) established by [NLnet](https://nlnet.nl/).\n\n### Timeline\n\n- **2025-01-14**: Received initial report. \n- **2025-01-14**: Verified report and confirmed receipt.\n- **2025-01-19**: Shared patch with researcher.\n- **2025-02-04**: Received final confirmation that patch is working.\n- **2025-02-05**: Published patched release and advisory.",
"id": "GHSA-wg33-5h85-7q5p",
"modified": "2025-02-06T19:54:56Z",
"published": "2025-02-06T17:07:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23217"
},
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/commit/fa89055e196d953f11fd241e36ee37858993486a"
},
{
"type": "WEB",
"url": "https://en.wikipedia.org/wiki/Server-side_request_forgery"
},
{
"type": "PACKAGE",
"url": "https://github.com/mitmproxy/mitmproxy"
},
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md#06-february-2025-mitmproxy-1112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mitmweb API Authentication Bypass Using Proxy Server"
}
GHSA-WJ4W-HRRV-32X7
Vulnerability from github – Published: 2026-05-02 06:30 – Updated: 2026-05-02 06:30The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.
{
"affected": [],
"aliases": [
"CVE-2026-7458"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-02T05:16:01Z",
"severity": "CRITICAL"
},
"details": "The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the \"user_verification_form_wrap_process_otpLogin\" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a \"true\" OTP value.",
"id": "GHSA-wj4w-hrrv-32x7",
"modified": "2026-05-02T06:30:24Z",
"published": "2026-05-02T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7458"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-verification/trunk/includes/functions-rest.php%23L234?rev=3461175"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php%23L164?rev=3461175"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/index.php%23L71?rev=3461175"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3519113/user-verification"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35b86488-8f68-4738-a9a8-76d0b7976165?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMVG-5R8J-H4HF
Vulnerability from github – Published: 2025-04-01 06:30 – Updated: 2026-04-01 18:34Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4.
{
"affected": [],
"aliases": [
"CVE-2025-22277"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T06:15:48Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4.",
"id": "GHSA-wmvg-5r8j-h4hf",
"modified": "2026-04-01T18:34:17Z",
"published": "2025-04-01T06:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22277"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP3Q-P67P-P473
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions.
{
"affected": [],
"aliases": [
"CVE-2026-25439"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:11Z",
"severity": "HIGH"
},
"details": "Unauthenticated Broken Authentication in Booknetic \u003c= 4.8.5 versions.",
"id": "GHSA-wp3q-p67p-p473",
"modified": "2026-06-17T18:35:48Z",
"published": "2026-06-17T18:35:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25439"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/booknetic/vulnerability/wordpress-booknetic-plugin-4-8-5-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPFJ-WC8P-WV72
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DVA-2800 and DSL-2888A firmware version 2.3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10912.
{
"affected": [],
"aliases": [
"CVE-2020-27863"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-12T00:15:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DVA-2800 and DSL-2888A firmware version 2.3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-10912.",
"id": "GHSA-wpfj-wc8p-wv72",
"modified": "2022-05-24T17:42:02Z",
"published": "2022-05-24T17:42:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27863"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10196"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1427"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WR24-46RX-JR44
Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:36In multiple functions of AccountManagerService.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-260567867
{
"affected": [],
"aliases": [
"CVE-2023-21098"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T20:15:11Z",
"severity": "HIGH"
},
"details": "In multiple functions of AccountManagerService.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-260567867",
"id": "GHSA-wr24-46rx-jr44",
"modified": "2024-04-04T03:36:11Z",
"published": "2023-04-19T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21098"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-04-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVHJ-3792-HF6C
Vulnerability from github – Published: 2024-11-09 03:30 – Updated: 2026-04-08 18:33The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
{
"affected": [],
"aliases": [
"CVE-2024-10284"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T03:15:03Z",
"severity": "CRITICAL"
},
"details": "The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the \u0027ce21_authentication_phrase\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.",
"id": "GHSA-wvhj-3792-hf6c",
"modified": "2026-04-08T18:33:39Z",
"published": "2024-11-09T03:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10284"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ce21-suite/trunk/single-sign-on-ce21.php?rev=3097700#L242"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3205463/ce21-suite#file3"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45d66743-300e-480d-98b8-99dc30b6e786?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVPV-FFCV-R6CW
Vulnerability from github – Published: 2020-04-14 23:09 – Updated: 2021-01-08 20:22Impact
Every user of the library before version 1.0.4.
Patches
Patched in 1.0.4+.
Workarounds
None.
References
https://github.com/SeppPenner/WindowsHello/issues/3
For more information
It this library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "HaemmerElectronics.SeppPenner.WindowsHello"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11005"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2020-04-14T22:26:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nEvery user of the library before version 1.0.4.\n\n### Patches\nPatched in 1.0.4+.\n\n### Workarounds\nNone.\n\n### References\nhttps://github.com/SeppPenner/WindowsHello/issues/3\n\n### For more information\nIt this library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again.",
"id": "GHSA-wvpv-ffcv-r6cw",
"modified": "2021-01-08T20:22:38Z",
"published": "2020-04-14T23:09:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11005"
},
{
"type": "WEB",
"url": "https://github.com/SeppPenner/WindowsHello/issues/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Internal NCryptDecrypt method could be used externally from WindowsHello library."
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.