Common Weakness Enumeration

CWE-841

Allowed

Improper Enforcement of Behavioral Workflow

Abstraction: Class · Status: Incomplete

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

87 vulnerabilities reference this CWE, most recent first.

GHSA-M44C-8M5V-Q44R

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.",
  "id": "GHSA-m44c-8m5v-q44r",
  "modified": "2025-10-14T18:30:30Z",
  "published": "2025-10-14T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55332"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M9GV-6P22-QGMJ

Vulnerability from github – Published: 2024-07-05 20:08 – Updated: 2024-07-05 20:08
VLAI
Summary
ai-controller-frontend payment status in basket isn't reset
Details

Impact

Payment status in basket isn't reset

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-controller-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.04.1"
            },
            {
              "fixed": "2023.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-controller-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2022.04.1"
            },
            {
              "fixed": "2022.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-controller-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2021.04.1"
            },
            {
              "fixed": "2021.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-controller-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2020.10.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-05T20:08:44Z",
    "nvd_published_at": "2024-07-02T21:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nPayment status in basket isn\u0027t reset\n",
  "id": "GHSA-m9gv-6p22-qgmj",
  "modified": "2024-07-05T20:08:44Z",
  "published": "2024-07-05T20:08:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-controller-frontend/security/advisories/GHSA-m9gv-6p22-qgmj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-controller-frontend/commit/16b8837d2466e3665b3c826ce87934b01a847268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-controller-frontend/commit/24a57001e56759d1582d2a0080fc1ca3ba328630"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-controller-frontend/commit/28549808e0f6432a34cd3fb95556deeb86ca276d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-controller-frontend/commit/b1960c0b6e5ee93111a5360c9ce949b3e7528cf7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-controller-frontend/commit/dafa072783bb692f111ed092d9d2932c113eb855"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aimeos/ai-controller-frontend"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ai-controller-frontend payment status in basket isn\u0027t reset"
}

GHSA-MC5J-F6WX-H9QH

Vulnerability from github – Published: 2026-06-25 18:45 – Updated: 2026-06-25 18:45
VLAI
Summary
Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission
Details

A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled.

If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "filament/filament"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.11.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "filament/filament"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:45:45Z",
    "nvd_published_at": "2026-06-22T22:16:47Z",
    "severity": "HIGH"
  },
  "details": "A flaw in the handling of recovery codes for **app-based multi-factor authentication** allows the same recovery code to be reused via concurrent submission. This issue does **not** affect email-based MFA. It also only applies when recovery codes are enabled.\n\nIf an attacker gains access to both the user\u0027s password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker\u0027s window of access compared to what the single-use guarantee implies.",
  "id": "GHSA-mc5j-f6wx-h9qh",
  "modified": "2026-06-25T18:45:46Z",
  "published": "2026-06-25T18:45:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-mc5j-f6wx-h9qh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48505"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filamentphp/filament"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission"
}

GHSA-MH2F-2HRX-5245

Vulnerability from github – Published: 2025-04-21 18:32 – Updated: 2025-04-21 18:32
VLAI
Details

User Enumeration and Data Integrity in Barcode functionality in OpenText Content Management versions 24.3-25.1on Windows and Linux allows a malicous authenticated attacker to potentially alter barcode attributes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-21T16:15:53Z",
    "severity": "MODERATE"
  },
  "details": "User Enumeration and Data Integrity in Barcode functionality in OpenText Content Management versions 24.3-25.1on Windows and Linux allows a malicous authenticated attacker to potentially alter barcode attributes.",
  "id": "GHSA-mh2f-2hrx-5245",
  "modified": "2025-04-21T18:32:08Z",
  "published": "2025-04-21T18:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12543"
    },
    {
      "type": "WEB",
      "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated\u0026sysparm_article=KB0839119"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MRP4-V2GF-6MXP

Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31
VLAI
Details

This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An Automator Quick Action workflow may be able to bypass Gatekeeper.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T00:15:50Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An Automator Quick Action workflow may be able to bypass Gatekeeper.",
  "id": "GHSA-mrp4-v2gf-6mxp",
  "modified": "2025-11-04T18:31:21Z",
  "published": "2024-09-17T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44128"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121234"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121238"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121247"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/33"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/40"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/41"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVC4-C2H4-573V

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-06 00:00
VLAI
Details

Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script",
  "id": "GHSA-mvc4-c2h4-573v",
  "modified": "2022-07-06T00:00:30Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1667"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QM72-9J6P-39Q3

Vulnerability from github – Published: 2023-11-22 09:31 – Updated: 2026-05-20 15:35
VLAI
Details

Improper Enforcement of Behavioral Workflow vulnerability in DECE Software Geodi allows Functionality Bypass.This issue affects Geodi: before 8.0.0.27396.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-22T09:15:07Z",
    "severity": "HIGH"
  },
  "details": "Improper Enforcement of Behavioral Workflow vulnerability in DECE Software Geodi allows Functionality Bypass.This issue affects Geodi: before 8.0.0.27396.",
  "id": "GHSA-qm72-9j6p-39q3",
  "modified": "2026-05-20T15:35:20Z",
  "published": "2023-11-22T09:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5921"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0650"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0650"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX5F-GHC2-7G5C

Vulnerability from github – Published: 2026-05-05 21:11 – Updated: 2026-05-13 16:26
VLAI
Summary
Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection
Details

Summary

Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment.

A related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.

Am I affected?

This vulnerability only affects deployments that use Fides's privacy request (data subject request) features, also known collectively as "Lethe". Deployments that do not submit, process, or manage privacy requests through Fides are not affected.

Within deployments that do use privacy request features, your deployment is affected if both of the following settings are effectively set to true:

  • subject_identity_verification_required
  • privacy_request_duplicate_detection.enabled

Both settings default to false.

Each setting can be configured in multiple places. If the same setting is configured in more than one place, Fides resolves conflicts in the following precedence order, highest priority first:

  1. Admin UI / configuration API - stored in the application database and applied at runtime
  2. Environment variables - read at webserver startup
  3. fides.toml - read at webserver startup
  4. Default value - used if none of the above set the value

To determine whether your deployment is affected, check each setting in every location that applies to your configuration management.

subject_identity_verification_required

  • fides.toml: under the [execution] section as subject_identity_verification_required = true
  • Environment variable: FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED=true
  • No Admin UI control - this setting is not exposed through the Admin UI and cannot be set via the configuration API

privacy_request_duplicate_detection.enabled

  • fides.toml: under the [privacy_request_duplicate_detection] section as enabled = true
  • Environment variable: FIDES__PRIVACY_REQUEST_DUPLICATE_DETECTION__ENABLED=true
  • Admin UI: Settings → Privacy requests → Duplicate detection, via the "Enable duplicate detection" toggle. The toggle reflects only values set through the Admin UI or configuration API. A value set via fides.toml or environment variable will not appear here.
GHSA - Duplicate Detection Enabled The "Enable duplicate detection" toggle when it's enabled, under Settings → Privacy requests in the Admin UI.

Details

When duplicate detection classifies a privacy request as a duplicate before its identity has been verified, the administrative interface presents that request with Approve, Deny, and Delete options. An administrator performing routine duplicate request triage may approve such a request without realising the identity was never verified. The request is then processed as if verification had succeeded.

An attacker exploits this by submitting two privacy requests using a target's email address, never completing the OTP verification. The second request is classified as a duplicate and becomes approvable through the administrative interface.

The fix for this vulnerability also patches a lower-severity issue, present in versions 2.82.0 through 2.83.1, in which a legitimate data subject could not complete identity verification on a privacy request that had been classified as a duplicate, allowing an unauthenticated attacker to block that data subject from exercising their privacy rights through the affected deployment.

Impact

An unauthenticated attacker who knows a target's email address and can reach the public Privacy Center can cause an erasure privacy request to be approved by an administrator and processed without identity verification. The result is unauthorized deletion of the data subject's records across every integration configured in the affected deployment. Effects may be permanent and may cascade into downstream systems.

Access privacy requests are a less meaningful vector: the resulting access package is delivered to the data subject's registered email address, not to the attacker, so the attacker does not gain the data. The request still represents unauthorized processing.

Patches

The vulnerabilities have been patched in Fides OSS version 2.83.2. Users are advised to upgrade to this version or later to secure their systems against these threats.

Fides Enterprise (fidesplus) version 2.83.2 contains the same patch.

Workarounds

Disable duplicate detection by setting privacy_request_duplicate_detection.enabled to false. This can be changed under Settings → Privacy Requests → Duplicate detection in the Admin UI). This fully mitigates the vulnerability and is the recommended interim workaround for deployments that cannot immediately upgrade.

GHSA - Disable Duplicate Detection The "Enable duplicate detection" toggle when it's disabled, under Settings → Privacy requests in the Admin UI.

Administrators of deployments that must retain duplicate detection should deny or delete, rather than approve, any privacy request whose identity has not been verified. This reduces the likelihood of exploitation but relies on administrator vigilance during each triage action.

GHSA - Admin Approval of Unverified Privacy Request

An administrator's view when approving an unverified privacy request in the Admin UI.

Severity

This vulnerability has been assigned a severity of MEDIUM.

The rating reflects the fact that exploitation requires an administrator to approve the malicious request. An attacker alone cannot cause a privacy request to be processed. The administrative interface understates the verification state of a duplicate-classified request, which increases the likelihood of inadvertent approval during routine triage, but without administrator user interaction the vulnerability is not exploitable.

The related denial-of-service issue addressed in the same patch is also rated medium-severity in isolation and does not raise the overall severity of this advisory.

References

  • Fides OSS 2.83.2 release: https://github.com/ethyca/fides/releases/tag/2.83.2
  • Fix for the identity bypass vulnerability: PR #7972, commit e7a6527
  • Fix for the related denial-of-service issue: PR #7971, commit 0e320b2
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ethyca-fides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.75.0"
            },
            {
              "fixed": "2.83.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306",
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:11:37Z",
    "nvd_published_at": "2026-05-12T18:17:24Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nFides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject\u0027s records across every integration configured in the affected deployment.\n\nA related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.\n\n### Am I affected?\n\nThis vulnerability only affects deployments that use Fides\u0027s privacy request (data subject request) features, also known collectively as \"Lethe\". Deployments that do not submit, process, or manage privacy requests through Fides are not affected.\n\nWithin deployments that do use privacy request features, your deployment is affected if both of the following settings are effectively set to `true`:\n\n- `subject_identity_verification_required`\n- `privacy_request_duplicate_detection.enabled`\n\nBoth settings default to `false`.\n\nEach setting can be configured in multiple places. If the same setting is configured in more than one place, Fides resolves conflicts in the following precedence order, highest priority first:\n\n1. **Admin UI / configuration API** - stored in the application database and applied at runtime\n2. **Environment variables** - read at webserver startup\n3. **`fides.toml`** - read at webserver startup\n4. **Default value** - used if none of the above set the value\n\nTo determine whether your deployment is affected, check each setting in every location that applies to your configuration management.\n\n**`subject_identity_verification_required`**\n\n- `fides.toml`: under the `[execution]` section as `subject_identity_verification_required = true`\n- Environment variable: `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED=true`\n- No Admin UI control - this setting is not exposed through the Admin UI and cannot be set via the configuration API\n\n**`privacy_request_duplicate_detection.enabled`**\n\n- `fides.toml`: under the `[privacy_request_duplicate_detection]` section as `enabled = true`\n- Environment variable: `FIDES__PRIVACY_REQUEST_DUPLICATE_DETECTION__ENABLED=true`\n- Admin UI: **Settings \u2192 Privacy requests \u2192 Duplicate detection**, via the \"Enable duplicate detection\" toggle. The toggle reflects only values set through the Admin UI or configuration API. A value set via `fides.toml` or environment variable will not appear here.\n\n\u003cfigure\u003e\n\u003cimg width=\"1392\" height=\"940\" alt=\"GHSA - Duplicate Detection Enabled\" src=\"https://github.com/user-attachments/assets/e384f273-ce68-403c-adb2-93536eca5f3a\" /\u003e\n\u003cfigcaption\u003e\n\u003cem\u003e\nThe \"Enable duplicate detection\" toggle when it\u0027s enabled, under Settings \u2192 Privacy requests in the Admin UI.\n\u003c/em\u003e\n\u003c/figcaption\u003e\n\u003c/figure\u003e\n\n### Details\n\nWhen duplicate detection classifies a privacy request as a duplicate before its identity has been verified, the administrative interface presents that request with Approve, Deny, and Delete options. An administrator performing routine duplicate request triage may approve such a request without realising the identity was never verified. The request is then processed as if verification had succeeded.\n\nAn attacker exploits this by submitting two privacy requests using a target\u0027s email address, never completing the OTP verification. The second request is classified as a duplicate and becomes approvable through the administrative interface.\n\nThe fix for this vulnerability also patches a lower-severity issue, present in versions `2.82.0` through `2.83.1`, in which a legitimate data subject could not complete identity verification on a privacy request that had been classified as a duplicate, allowing an unauthenticated attacker to block that data subject from exercising their privacy rights through the affected deployment.\n\n### Impact\n\nAn unauthenticated attacker who knows a target\u0027s email address and can reach the public Privacy Center can cause an erasure privacy request to be approved by an administrator and processed without identity verification. The result is unauthorized deletion of the data subject\u0027s records across every integration configured in the affected deployment. Effects may be permanent and may cascade into downstream systems.\n\nAccess privacy requests are a less meaningful vector: the resulting access package is delivered to the data subject\u0027s registered email address, not to the attacker, so the attacker does not gain the data. The request still represents unauthorized processing.\n\n### Patches\n\nThe vulnerabilities have been patched in Fides OSS version `2.83.2`. Users are advised to upgrade to this version or later to secure their systems against these threats.\n\nFides Enterprise (fidesplus) version `2.83.2` contains the same patch.\n\n### Workarounds\n\nDisable duplicate detection by setting `privacy_request_duplicate_detection.enabled` to `false`. This can be changed under **Settings \u2192 Privacy Requests \u2192 Duplicate detection** in the Admin UI). This fully mitigates the vulnerability and is the recommended interim workaround for deployments that cannot immediately upgrade.\n\n\u003cfigure\u003e\n\u003cp\u003e\n\u003cimg width=\"1392\" height=\"880\" alt=\"GHSA - Disable Duplicate Detection\" src=\"https://github.com/user-attachments/assets/fc0c87a1-7e40-4698-ba9e-e1721f591310\" /\u003e\n\u003cfigcaption\u003e\n\u003cem\u003e\nThe \"Enable duplicate detection\" toggle when it\u0027s disabled, under Settings \u2192 Privacy requests in the Admin UI.\n\u003c/em\u003e\n\u003c/figcaption\u003e\n\u003cp\u003e\n\u003c/figure\u003e\n\nAdministrators of deployments that must retain duplicate detection should deny or delete, rather than approve, any privacy request whose identity has not been verified. This reduces the likelihood of exploitation but relies on administrator vigilance during each triage action.\n\n\u003cimg width=\"1392\" height=\"1044\" alt=\"GHSA - Admin Approval of Unverified Privacy Request\" src=\"https://github.com/user-attachments/assets/b2ad4940-40d3-468b-897e-8cca6ce4707e\" /\u003e\n\u003cfigcaption\u003e\n\u003cem\u003e\nAn administrator\u0027s view when approving an unverified privacy request in the Admin UI.\n\u003c/em\u003e\n\u003c/figcaption\u003e\n\u003c/figure\u003e\n\n### Severity\n\nThis vulnerability has been assigned a severity of **MEDIUM**.\n\nThe rating reflects the fact that exploitation requires an administrator to approve the malicious request. An attacker alone cannot cause a privacy request to be processed. The administrative interface understates the verification state of a duplicate-classified request, which increases the likelihood of inadvertent approval during routine triage, but without administrator user interaction the vulnerability is not exploitable.\n\nThe related denial-of-service issue addressed in the same patch is also rated medium-severity in isolation and does not raise the overall severity of this advisory.\n\n### References\n\n- Fides OSS `2.83.2` release: https://github.com/ethyca/fides/releases/tag/2.83.2\n- Fix for the identity bypass vulnerability: [PR #7972](https://github.com/ethyca/fides/pull/7972), commit [`e7a6527`](https://github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd)\n- Fix for the related denial-of-service issue: [PR #7971](https://github.com/ethyca/fides/pull/7971), commit [`0e320b2`](https://github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37)",
  "id": "GHSA-qx5f-ghc2-7g5c",
  "modified": "2026-05-13T16:26:42Z",
  "published": "2026-05-05T21:11:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/security/advisories/GHSA-qx5f-ghc2-7g5c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/pull/7971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/pull/7972"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethyca/fides"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/releases/tag/2.83.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection"
}

GHSA-V4G2-CM5V-CXV7

Vulnerability from github – Published: 2024-06-05 13:30 – Updated: 2024-06-11 20:58
VLAI
Summary
Digital products download without proper payment status check
Details

Impact

Digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed.

Patches

New versions for the Aimeos HTML client 2020-2024 are available

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2024.04.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2024.04.1"
            },
            {
              "fixed": "2024.04.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.04.1"
            },
            {
              "fixed": "2023.10.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2022.04.1"
            },
            {
              "fixed": "2022.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2021.04.1"
            },
            {
              "fixed": "2021.10.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2020.04.1"
            },
            {
              "fixed": "2020.10.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-37296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-05T13:30:55Z",
    "nvd_published_at": "2024-06-11T15:16:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDigital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn\u0027t succeed.\n\n### Patches\nNew versions for the Aimeos HTML client 2020-2024 are available\n",
  "id": "GHSA-v4g2-cm5v-cxv7",
  "modified": "2024-06-11T20:58:10Z",
  "published": "2024-06-05T13:30:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-v4g2-cm5v-cxv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37296"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/12d8aad1a373bf9d350872501adec3e222164f83"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/5a7249769142b3ce70959ab1fb70c7e7c251e214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/6460ffe8f4929d864164aa96c5b49eca5326d975"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/7f01d2f4fbc67f5231fd84adeb835d28252b8409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/fc611ff9a57e421d0ad9d99346b561cea515c5f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aimeos/ai-client-html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Digital products download without proper payment status check"
}

GHSA-VCGP-9326-PQCP

Vulnerability from github – Published: 2026-05-04 22:01 – Updated: 2026-05-14 20:48
VLAI
Summary
net-imap vulnerable to STARTTLS stripping via invalid response timing
Details

Summary

A man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Details

When using Net::IMAP#starttls to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged OK response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes "successfully" before the response handler is registered. This allows #starttls to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.

This allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks Net::IMAP#tls_verified?.

Impact

TLS bypass, leading to cleartext transmission of sensitive information.

Mitigation

  • Upgrade to a patched version of net-imap that raises an exception whenever #starttls does not establish TLS.
  • Connect to an implicit TLS port, rather than use STARTTLS with a cleartext port. This is strongly recommended anyway:
  • RFC 8314: Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access
  • NO STARTTLS: Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context
  • Explicitly verify Net::IMAP#tls_verified? is true, before using the connection after #starttls.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.3"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-imap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            },
            {
              "fixed": "0.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.13"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-imap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "0.5.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.23"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-imap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "0.4.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.9"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-imap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-392",
      "CWE-393",
      "CWE-636",
      "CWE-754",
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T22:01:52Z",
    "nvd_published_at": "2026-05-09T20:16:28Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA man-in-the-middle attacker can cause `Net::IMAP#starttls` to return \"successfully\", without starting TLS.\n\n### Details\n\nWhen using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged `OK` response with an easily predictable tag.  By sending the response before the client finishes sending the command, the command completes \"successfully\" before the response handler is registered.  This allows `#starttls` to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.\n\nThis allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks `Net::IMAP#tls_verified?`.\n\n### Impact\n\nTLS bypass, leading to cleartext transmission of sensitive information.\n\n### Mitigation\n\n* Upgrade to a patched version of net-imap that raises an exception whenever `#starttls` does not establish TLS.\n* Connect to an implicit TLS port, rather than use `STARTTLS` with a cleartext port.\n  This is strongly recommended anyway:\n  * [RFC 8314](https://www.rfc-editor.org/info/rfc8314): Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access\n  * [NO STARTTLS](https://nostarttls.secvuln.info/): Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context\n* Explicitly verify `Net::IMAP#tls_verified?` is `true`, before using the connection after `#starttls`.",
  "id": "GHSA-vcgp-9326-pqcp",
  "modified": "2026-05-14T20:48:01Z",
  "published": "2026-05-04T22:01:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42246"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/net-imap"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/releases/tag/v0.3.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42246.yml"
    },
    {
      "type": "WEB",
      "url": "https://nostarttls.secvuln.info"
    },
    {
      "type": "WEB",
      "url": "https://www.rfc-editor.org/info/rfc8314"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "net-imap vulnerable to STARTTLS stripping via invalid response timing"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.