Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-FXC9-7J2W-VX54

Vulnerability from github – Published: 2026-03-29 15:20 – Updated: 2026-03-29 15:20
VLAI
Summary
mpp has multiple payment bypass and griefing vulnerabilities
Details

Impact

Multiple vulnerabilities were discovered which allowed for undesirable behaviors, including: - Performing free tempo/charge requests - Replaying existing tempo/charge requests - Performing free tempo/session requests - Piggybacking off existing tempo/session channels - Griefing existing tempo/session channels - Manipulate the fee payer of a tempo/charge or tempo/session handler into paying for requests - Replaying existing stripe/charge requests

Patches

The issues are patched in 0.8.0

Workarounds

There are no workarounds available for these vulnerabilities

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "mpp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-294",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:20:45Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nMultiple vulnerabilities were discovered which allowed for undesirable behaviors, including:\n- Performing free `tempo/charge` requests\n- Replaying existing `tempo/charge` requests\n- Performing free `tempo/session` requests\n- Piggybacking off existing `tempo/session` channels\n- Griefing existing `tempo/session` channels\n- Manipulate the fee payer of a `tempo/charge` or `tempo/session` handler into paying for requests\n- Replaying existing `stripe/charge` requests\n\n### Patches\nThe issues are patched in 0.8.0\n\n### Workarounds\nThere are no workarounds available for these vulnerabilities",
  "id": "GHSA-fxc9-7j2w-vx54",
  "modified": "2026-03-29T15:20:45Z",
  "published": "2026-03-29T15:20:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tempoxyz/mpp-rs/security/advisories/GHSA-fxc9-7j2w-vx54"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tempoxyz/mpp-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tempoxyz/mpp-rs/releases/tag/v0.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "mpp has multiple payment bypass and griefing vulnerabilities"
}

GHSA-G3R6-2CV3-63VW

Vulnerability from github – Published: 2025-08-12 21:31 – Updated: 2025-08-12 21:31
VLAI
Details

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15 and before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 & FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T19:15:27Z",
    "severity": "HIGH"
  },
  "details": "An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15\tand before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 \u0026 FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager\u0027s serial number.",
  "id": "GHSA-g3r6-2cv3-63vw",
  "modified": "2025-08-12T21:31:20Z",
  "published": "2025-08-12T21:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26009"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-042"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G4WG-MPFG-X2Q6

Vulnerability from github – Published: 2025-08-18 18:30 – Updated: 2025-08-18 23:18
VLAI
Summary
Liferay Portal Login Bypass Vulnerability
Details

Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.3.0-ga1"
            },
            {
              "last_affected": "7.4.3.132-ga132"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-3639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-18T23:18:10Z",
    "nvd_published_at": "2025-08-18T17:15:29Z",
    "severity": "LOW"
  },
  "details": "Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled.",
  "id": "GHSA-g4wg-mpfg-x2q6",
  "modified": "2025-08-18T23:18:10Z",
  "published": "2025-08-18T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3639"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/383a4001cfdf533eb077ed6f03bc5f8fed27cf05"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/774c89c853d4b9d9abb61d6e079dab21f582cc78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/7a70daf60416d536a45fe137d54e1054e9394fa7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/a0265c3847af01a37d2a9ad1560e4408f2856518"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/a5081fefaffdd86a9306320c46e91f98973c39cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/d2806ad26cb194d0c7d654f9c447857e05dd44b2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/e4bb21b85440157b588ebbd217995113362962cc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/e67b47a47f3bccc9a85aeee6a40cd0188787aa0f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/eb0457503fdb8ac49c662b690a6a4eb139ee4c67"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-18212"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3639"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal Login Bypass Vulnerability"
}

GHSA-G54J-MFPF-9C6R

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:51Z",
    "severity": "HIGH"
  },
  "details": "Subscriber Broken Authentication in Melhor Envio \u003c= 2.16.3 versions.",
  "id": "GHSA-g54j-mfpf-9c6r",
  "modified": "2026-06-17T18:35:52Z",
  "published": "2026-06-17T18:35:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54804"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/melhor-envio-cotacao/vulnerability/wordpress-melhor-envio-plugin-2-16-3-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G56H-9V2H-9X2C

Vulnerability from github – Published: 2024-03-07 03:30 – Updated: 2024-08-06 15:30
VLAI
Details

An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26566"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-07T01:15:52Z",
    "severity": "HIGH"
  },
  "details": "An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component.",
  "id": "GHSA-g56h-9v2h-9x2c",
  "modified": "2024-08-06T15:30:46Z",
  "published": "2024-03-07T03:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26566"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GZLDL/CVE/blob/main/CVE-2024-26566/CVE-2024-26566%20English.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GZLDL/CVE/tree/main/Cute%20Http%20File%20Server%20JWT"
    },
    {
      "type": "WEB",
      "url": "http://cute.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6Q3-96CP-5R5M

Vulnerability from github – Published: 2026-01-20 16:35 – Updated: 2026-01-20 16:35
VLAI
Summary
@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
Details

Summary

A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.

Details

The vulnerability is caused by how @fastify/express matches requests against registered middleware paths.

PoC

Step 1: Run the following Fastify application (save as app.js):

const fastify = require('fastify')({ logger: true });

async function start() {
  // Register fastify-express for Express-style middleware support
  await fastify.register(require('@fastify/express'));

  // Middleware to block /admin route
  fastify.use('/admin', (req, res, next) => {
    res.statusCode = 403;
    res.end('Forbidden: Access to /admin is blocked');
  });

  // Sample routes
  fastify.get('/', async (request, reply) => {
    return { message: 'Welcome to the homepage' };
  });

  fastify.get('/admin', async (request, reply) => {
    return { message: 'Admin panel' };
  });

  fastify.get('/admin/dashboard', async (request, reply) => {
    return { message: 'Admin dashboard' };
  });

  // Start server
  try {
    await fastify.listen({ port: 3000 });
  } catch (err) {
    fastify.log.error(err);
    process.exit(1);
  }
}

start();

Step 2: Execute the attack.

➜  ~ curl http://206.189.140.29:3000/%61dmin
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /%61dmin</pre>
</body>
</html>

(fastify express)

➜  ~ curl http://206.189.140.29:3000/%61dmin
{"message":"Admin panel"}

It differs from CVE-2026-22031 because this is a different npm module with its own code.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-177",
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T16:35:21Z",
    "nvd_published_at": "2026-01-19T17:15:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA security vulnerability exists in `@fastify/express` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.\n\n### Details\nThe vulnerability is caused by how `@fastify/express` matches requests against registered middleware paths.\n\n### PoC\n**Step 1:** Run the following Fastify application (save as `app.js`):\n\n```javascript\nconst fastify = require(\u0027fastify\u0027)({ logger: true });\n\nasync function start() {\n  // Register fastify-express for Express-style middleware support\n  await fastify.register(require(\u0027@fastify/express\u0027));\n\n  // Middleware to block /admin route\n  fastify.use(\u0027/admin\u0027, (req, res, next) =\u003e {\n    res.statusCode = 403;\n    res.end(\u0027Forbidden: Access to /admin is blocked\u0027);\n  });\n\n  // Sample routes\n  fastify.get(\u0027/\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Welcome to the homepage\u0027 };\n  });\n\n  fastify.get(\u0027/admin\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Admin panel\u0027 };\n  });\n\n  fastify.get(\u0027/admin/dashboard\u0027, async (request, reply) =\u003e {\n    return { message: \u0027Admin dashboard\u0027 };\n  });\n\n  // Start server\n  try {\n    await fastify.listen({ port: 3000 });\n  } catch (err) {\n    fastify.log.error(err);\n    process.exit(1);\n  }\n}\n\nstart();\n```\n\n**Step 2:** Execute the attack.\n\n```\n\u279c  ~ curl http://206.189.140.29:3000/%61dmin\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n\u003cmeta charset=\"utf-8\"\u003e\n\u003ctitle\u003eError\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\u003cpre\u003eCannot GET /%61dmin\u003c/pre\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\n(fastify express)\n\n\u279c  ~ curl http://206.189.140.29:3000/%61dmin\n{\"message\":\"Admin panel\"}\n```\n\nIt differs from [CVE-2026-22031](https://nvd.nist.gov/vuln/detail/CVE-2026-22031) because this is a different npm module with its own code.",
  "id": "GHSA-g6q3-96cp-5r5m",
  "modified": "2026-01-20T16:35:21Z",
  "published": "2026-01-20T16:35:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22037"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify-express"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-express/releases/tag/v4.0.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)"
}

GHSA-G6RR-5FCQ-XJCM

Vulnerability from github – Published: 2025-06-10 00:30 – Updated: 2025-06-10 00:30
VLAI
Details

CyberData 011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-09T22:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "CyberData\u00a0011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.",
  "id": "GHSA-g6rr-5fcq-xjcm",
  "modified": "2025-06-10T00:30:30Z",
  "published": "2025-06-10T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30184"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-155-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G74P-X9CP-Q6J2

Vulnerability from github – Published: 2025-06-18 06:31 – Updated: 2025-06-18 06:31
VLAI
Details

An authentication bypass vulnerability exists in KCM3100 Ver1.4.2 and earlier. If this vulnerability is exploited, an attacker may bypass the authentication of the product from within the LAN to which the product is connected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T05:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "An authentication bypass vulnerability exists in KCM3100 Ver1.4.2 and earlier. If this vulnerability is exploited, an attacker may bypass the authentication of the product from within the LAN to which the product is connected.",
  "id": "GHSA-g74p-x9cp-q6j2",
  "modified": "2025-06-18T06:31:37Z",
  "published": "2025-06-18T06:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51381"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN46288336"
    },
    {
      "type": "WEB",
      "url": "https://notices.jcom.co.jp/notice/93847.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G79R-WQXW-XP7Q

Vulnerability from github – Published: 2025-10-01 06:30 – Updated: 2025-10-01 06:30
VLAI
Details

An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T04:15:48Z",
    "severity": "HIGH"
  },
  "details": "An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.",
  "id": "GHSA-g79r-wqxw-xp7q",
  "modified": "2025-10-01T06:30:22Z",
  "published": "2025-10-01T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10538"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G9RQ-PPXC-PMJ6

Vulnerability from github – Published: 2024-05-06 00:30 – Updated: 2024-07-03 18:38
VLAI
Details

In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-06T00:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content.",
  "id": "GHSA-g9rq-ppxc-pmj6",
  "modified": "2024-07-03T18:38:58Z",
  "published": "2024-05-06T00:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xlang-ai/OpenAgents/issues/112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xlang-ai/OpenAgents/blob/880e26adfe380e999962fc645fc8fc80bd72f103/backend/utils/utils.py#L31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.