Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5518 vulnerabilities reference this CWE, most recent first.

GHSA-G4J9-PMF2-PRRV

Vulnerability from github – Published: 2023-02-01 15:30 – Updated: 2023-02-08 21:30
VLAI
Details

Last Yard 22.09.8-1 does not enforce HSTS headers

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-01T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Last Yard 22.09.8-1 does not enforce HSTS headers",
  "id": "GHSA-g4j9-pmf2-prrv",
  "modified": "2023-02-08T21:30:19Z",
  "published": "2023-02-01T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47714"
    },
    {
      "type": "WEB",
      "url": "https://github.com/l00neyhacker/CVE-2022-47714"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G4M8-6XWJ-MC45

Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31
VLAI
Details

This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to spoof system notifications and UI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-08T02:15:48Z",
    "severity": "LOW"
  },
  "details": "This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to spoof system notifications and UI.",
  "id": "GHSA-g4m8-6xwj-mc45",
  "modified": "2026-04-02T21:31:37Z",
  "published": "2024-03-08T03:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23262"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120880"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120883"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120893"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214082"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214087"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214082"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214087"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G4V2-QX3Q-4P64

Vulnerability from github – Published: 2026-04-08 00:14 – Updated: 2026-04-15 21:17
VLAI
Summary
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Details

Impact

The GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields.

Patches

The GET /sessions/me handler now re-fetches the session with the caller's auth context after validating the session token, ensuring protectedFields and CLP apply consistently with other session endpoints.

Workarounds

None.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10406
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10407
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.8.0-alpha.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "8.6.75"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:14:50Z",
    "nvd_published_at": "2026-04-07T20:16:32Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe `GET /sessions/me` endpoint returns `_Session` fields that the server operator explicitly configured as protected via the `protectedFields` server option. Any authenticated user can retrieve their own session\u0027s protected fields with a single request. The equivalent `GET /sessions` and `GET /sessions/:objectId` endpoints correctly strip protected fields.\n\n### Patches\n\nThe `GET /sessions/me` handler now re-fetches the session with the caller\u0027s auth context after validating the session token, ensuring `protectedFields` and CLP apply consistently with other session endpoints.\n\n### Workarounds\n\nNone.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10406\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10407",
  "id": "GHSA-g4v2-qx3q-4p64",
  "modified": "2026-04-15T21:17:24Z",
  "published": "2026-04-08T00:14:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10407"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server\u0027s Endpoint `/sessions/me` bypasses `_Session` `protectedFields`"
}

GHSA-G4W6-VMGF-XQVX

Vulnerability from github – Published: 2026-06-30 18:09 – Updated: 2026-06-30 18:09
VLAI
Summary
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
Details

Summary

@cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under certain circumstances, the middleware matches incoming requests against Cedar action mappings using req.originalUrl, which includes the query string, while Express routes requests using only the path component.

Impact

The middleware uses req.originalUrl to match incoming requests against Cedar action mappings. In Express, req.originalUrl includes the query string, while route matching uses only the path. This creates a divergence between what Cedar authorizes and what Express executes.

When an application defines separate actions for overlapping path prefixes with different authorization requirements (for example, GET /users for listing all users with admin-only access, and GET /users/{id} for retrieving a single user with any authenticated user access), an actor can append a query string to bypass the more restrictive policy. Sending GET /users/?x=1 causes the middleware to match against /users/{id} (with id parameter set to ?x=1) and evaluate the less restrictive action, while Express routes the request to the /users list handler. This allows inappropriate access to the more restrictive endpoint.

Impacted versions

<= 0.2.0

Patches

This issue has been addressed in @cedar-policy/authorization-for-expressjs version 0.3. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

Validate and sanitize incoming request paths before they reach the authorization middleware. Ensure that applications do not rely solely on the middleware for authorization when defining multiple actions on overlapping path prefixes with different permission levels.

References

If you have any questions or comments about this advisory, AWS asks that you contact AWS Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@cedar-policy/authorization-for-expressjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T18:09:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n@cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under certain circumstances, the middleware matches incoming requests against Cedar action mappings using req.originalUrl, which includes the query string, while Express routes requests using only the path component.\n\n### Impact\nThe middleware uses req.originalUrl to match incoming requests against Cedar action mappings. In Express, req.originalUrl includes the query string, while route matching uses only the path. This creates a divergence between what Cedar authorizes and what Express executes.\n\nWhen an application defines separate actions for overlapping path prefixes with different authorization requirements (for example, GET /users for listing all users with admin-only access, and GET /users/{id} for retrieving a single user with any authenticated user access), an actor can append a query string to bypass the more restrictive policy. Sending GET /users/?x=1 causes the middleware to match against /users/{id} (with id parameter set to ?x=1) and evaluate the less restrictive action, while Express routes the request to the /users list handler. This allows inappropriate access to the more restrictive endpoint.\n\n### Impacted versions\n\u003c= 0.2.0\n\n### Patches\nThis issue has been addressed in @cedar-policy/authorization-for-expressjs version 0.3. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.\n\n### Workarounds\nValidate and sanitize incoming request paths before they reach the authorization middleware. Ensure that applications do not rely solely on the middleware for authorization when defining multiple actions on overlapping path prefixes with different permission levels.\n\n### References\nIf you have any questions or comments about this advisory, AWS asks that you contact AWS Security via the vulnerability reporting page or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
  "id": "GHSA-g4w6-vmgf-xqvx",
  "modified": "2026-06-30T18:09:13Z",
  "published": "2026-06-30T18:09:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cedar-policy/authorization-for-expressjs/security/advisories/GHSA-g4w6-vmgf-xqvx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cedar-policy/authorization-for-expressjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cedar-policy/authorization-for-expressjs/releases/tag/v0.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation"
}

GHSA-G52X-WVQ2-4H58

Vulnerability from github – Published: 2026-05-13 00:48 – Updated: 2026-05-13 00:48
VLAI
Details

PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T22:16:33Z",
    "severity": "MODERATE"
  },
  "details": "PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.",
  "id": "GHSA-g52x-wvq2-4h58",
  "modified": "2026-05-13T00:48:11Z",
  "published": "2026-05-13T00:48:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33570"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G594-FQ98-W6PJ

Vulnerability from github – Published: 2025-06-11 00:30 – Updated: 2025-06-11 00:30
VLAI
Details

The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not signed with the Hardened Runtime nor set to enforce Library Validation, it is vulnerable to DYLIB injection attacks, which can lead to unauthorized actions or escalation of permissions. Consequently, an attacker gains capabilities that are not permitted by default under the Sandbox and its application profile.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-11T00:15:23Z",
    "severity": "MODERATE"
  },
  "details": "The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing  Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not signed with the Hardened Runtime nor set to enforce Library Validation, it is vulnerable to DYLIB injection attacks, which can lead to unauthorized actions or escalation of permissions. Consequently, an attacker gains capabilities that are not permitted by default under the Sandbox and its application profile.",
  "id": "GHSA-g594-fq98-w6pj",
  "modified": "2025-06-11T00:30:48Z",
  "published": "2025-06-11T00:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8270"
    },
    {
      "type": "WEB",
      "url": "https://pentraze.com"
    },
    {
      "type": "WEB",
      "url": "https://pentraze.com/vulnerability-reports"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5CG-8X5W-7JPM

Vulnerability from github – Published: 2026-04-02 20:59 – Updated: 2026-04-21 00:01
VLAI
Summary
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
Details

Summary

Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation

Current Maintainer Triage

  • Status: open
  • Normalized severity: Critical

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • a30214a624946fc5c85c9558a27c1580172374fd — 2026-03-31T09:06:51+09:00

OpenClaw thanks @AntAISecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T20:59:29Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\nHeartbeat context inheritance bypasses sandbox via senderIsOwner escalation\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: Critical\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a30214a624946fc5c85c9558a27c1580172374fd` \u2014 2026-03-31T09:06:51+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-g5cg-8x5w-7jpm",
  "modified": "2026-04-21T00:01:01Z",
  "published": "2026-04-02T20:59:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation"
}

GHSA-G5FP-9V3P-VV34

Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30
VLAI
Details

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Install). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T21:15:23Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Install).   The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
  "id": "GHSA-g5fp-9v3p-vv34",
  "modified": "2025-01-21T21:30:56Z",
  "published": "2025-01-21T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21565"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5HJ-6P24-45C3

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-16 21:30
VLAI
Details

Canlineapp Online 1.1 is vulnerable to Broken Access Control and allows users with the Auditor role to create an audit template as a result of improper authorization checks. This feature is designated for supervisor role, but auditors have been able to successfully create audit templates from their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:39Z",
    "severity": "MODERATE"
  },
  "details": "Canlineapp Online 1.1 is vulnerable to Broken Access Control and allows users with the Auditor role to create an audit template as a result of improper authorization checks. This feature is designated for supervisor role, but auditors have been able to successfully create audit templates from their account.",
  "id": "GHSA-g5hj-6p24-45c3",
  "modified": "2025-01-16T21:30:55Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2024-56114"
    },
    {
      "type": "WEB",
      "url": "https://www.e-connectsolutions.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5JC-27J7-J57C

Vulnerability from github – Published: 2022-08-09 00:00 – Updated: 2022-08-13 00:00
VLAI
Details

Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-08T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.",
  "id": "GHSA-g5jc-27j7-j57c",
  "modified": "2022-08-13T00:00:53Z",
  "published": "2022-08-09T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35487"
    },
    {
      "type": "WEB",
      "url": "https://zammad.com/de/advisories/zaa-2022-08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.