CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-GG2X-4F8G-8499
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-10-25 19:00An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.
{
"affected": [],
"aliases": [
"CVE-2021-25397"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.",
"id": "GHSA-gg2x-4f8g-8499",
"modified": "2022-10-25T19:00:22Z",
"published": "2022-05-24T19:05:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25397"
},
{
"type": "WEB",
"url": "https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GGCW-7GR7-458R
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2026-04-08 18:33The Swift Performance Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_handler() function in all versions up to, and including, 2.3.6.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve and modify settings.
{
"affected": [],
"aliases": [
"CVE-2024-3722"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:42:06Z",
"severity": "MODERATE"
},
"details": "The Swift Performance Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_handler() function in all versions up to, and including, 2.3.6.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve and modify settings.",
"id": "GHSA-ggcw-7gr7-458r",
"modified": "2026-04-08T18:33:11Z",
"published": "2024-05-14T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3722"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/swift-performance-lite/trunk/includes/setup/setup.php#L97"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3082274%40swift-performance-lite\u0026new=3082274%40swift-performance-lite\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58b7736a-e3e0-4ecd-9adf-284568b02ef7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GGFQ-85JM-276P
Vulnerability from github – Published: 2023-03-27 15:30 – Updated: 2023-03-30 21:30Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2023-1144"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-27T15:15:00Z",
"severity": "HIGH"
},
"details": "Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.",
"id": "GHSA-ggfq-85jm-276p",
"modified": "2023-03-30T21:30:21Z",
"published": "2023-03-27T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1144"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GGGM-66RH-PP98
Vulnerability from github – Published: 2023-07-25 23:31 – Updated: 2026-01-16 21:51Summary
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Access to information you should not have access to when the permissions rely on $CURRENT_USER for filtering.
Details
The permission filters (i.e. user_created IS $CURRENT_USER) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions.
This can be any collection but out-of-the box the directus_users collection is configured with such a permissions filter allowing you to get updates for other users when changes happen.
An example:
subscription {
directus_users_mutated {
event
data {
id
last_access
last_page
}
}
}
Patches
https://github.com/directus/directus/pull/19155
Workarounds
Disable GraphQL Subscriptions
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38503"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-25T23:31:10Z",
"nvd_published_at": "2023-07-25T23:15:10Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nCWE-200: Exposure of Sensitive Information to an Unauthorized Actor\nAccess to information you should not have access to when the permissions rely on `$CURRENT_USER` for filtering.\n\n### Details\n\nThe permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions.\nThis can be any collection but out-of-the box the `directus_users` collection is configured with such a permissions filter allowing you to get updates for other users when changes happen.\n\nAn example:\n```graphql\nsubscription {\n directus_users_mutated {\n event\n data {\n id\n last_access\n last_page\n }\n }\n}\n```\n\n### Patches\nhttps://github.com/directus/directus/pull/19155\n\n### Workarounds\nDisable GraphQL Subscriptions\n\n### References",
"id": "GHSA-gggm-66rh-pp98",
"modified": "2026-01-16T21:51:02Z",
"published": "2023-07-25T23:31:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38503"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/pull/19155"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Permission Checking for GraphQL Subscriptions"
}
GHSA-GGJQ-Q4P4-JMG6
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30Vulnerability in the Oracle Contract Lifecycle Management for Public Sector product of Oracle E-Business Suite (component: Award Processes). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Contract Lifecycle Management for Public Sector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Contract Lifecycle Management for Public Sector accessible data as well as unauthorized access to critical data or complete access to all Oracle Contract Lifecycle Management for Public Sector accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21278"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:20Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Contract Lifecycle Management for Public Sector product of Oracle E-Business Suite (component: Award Processes). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Contract Lifecycle Management for Public Sector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Contract Lifecycle Management for Public Sector accessible data as well as unauthorized access to critical data or complete access to all Oracle Contract Lifecycle Management for Public Sector accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-ggjq-q4p4-jmg6",
"modified": "2024-10-15T21:30:39Z",
"published": "2024-10-15T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21278"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GGRF-MJ99-J57M
Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to cause denial of service via sending a crafted request to a specific named pipe.
{
"affected": [],
"aliases": [
"CVE-2022-40681"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T19:15:12Z",
"severity": "HIGH"
},
"details": "A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to cause denial of service via sending a crafted request to a specific named pipe.",
"id": "GHSA-ggrf-mj99-j57m",
"modified": "2023-11-14T21:31:00Z",
"published": "2023-11-14T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40681"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-299"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GH8F-R8VF-7VQV
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Insufficient policy enforcement in iFrameSandbox in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30534"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-07T20:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in iFrameSandbox in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.",
"id": "GHSA-gh8f-r8vf-7vqv",
"modified": "2022-05-24T19:04:11Z",
"published": "2022-05-24T19:04:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30534"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1151507"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GHC4-35X6-CRW5
Vulnerability from github – Published: 2026-03-10 18:30 – Updated: 2026-04-13 17:291. Summary
The Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms.
2. Attack Scenario
Consider an environment where an administrator wants to block external access to internal resources using a specific header flag.
Configuration
The Envoy proxy is configured with a Deny rule to reject requests containing the header internal: true.
* Rule Type: Exact Match
* Target: internal header must not equal true.
The Bypass Logic
-
Standard Request (Blocked):
- Input:
internal: true - Envoy Processing: Sees string
"true". - Result: Match found. Request Denied.
- Input:
-
Exploit Request (Bypassed):
- Input:
http internal: true internal: true - Envoy Processing: Concatenates values into
"true,true". - Matcher Evaluation: Does
"true,true"equal"true"? No. - Result: The Deny rule fails to trigger. Request Allowed.
- Input:
3. Implications
- RBAC Bypass: Remote attackers can bypass configured access controls.
- Unauthorized Access: Sensitive internal resources or administrative endpoints protected by header-based Deny rules become accessible.
- Risk: High, particularly for deployments relying on "Exact Match" strategies for security blocking.
4. Reproduction Steps
To verify this vulnerability:
- Deploy Envoy: Configure an instance with an RBAC Deny rule that performs an exact match on a specific header (e.g.,
internal: true). - Baseline Test: Send a request containing the header
internal: true.- Observation: Envoy blocks this request (HTTP 403).
- Exploit Test: Send a second request containing the same header twice:
http GET /restricted-resource HTTP/1.1 Host: example.com internal: true internal: true- Observation: Envoy allows the request, granting access to the resource.
6. Recommendations
Fix Header Validation Logic:
Modify the RBAC filter to validate each header value instance individually. Avoid relying on the concatenated string output of getAllOfHeaderAsString() for security-critical matching unless the matcher is explicitly designed to parse comma-separated lists.
** Examine the DENY role to use a Regex style fix.
Credit: Dor Konis
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.37.0"
},
{
"fixed": "1.37.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.37.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.36.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.36.0"
},
{
"fixed": "1.36.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.35.8"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.35.0"
},
{
"fixed": "1.35.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.34.12"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.34.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26308"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T18:30:42Z",
"nvd_published_at": "2026-03-10T20:16:35Z",
"severity": "HIGH"
},
"details": "## 1. Summary\nThe Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies\u2014specifically \"Deny\" rules\u2014by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms.\n\n## 2. Attack Scenario\nConsider an environment where an administrator wants to block external access to internal resources using a specific header flag.\n\n### Configuration\nThe Envoy proxy is configured with a **Deny** rule to reject requests containing the header `internal: true`.\n* **Rule Type:** Exact Match\n* **Target:** `internal` header must not equal `true`.\n\n### The Bypass Logic\n1. **Standard Request (Blocked):**\n * **Input:** `internal: true`\n * **Envoy Processing:** Sees string `\"true\"`.\n * **Result:** Match found. **Request Denied.**\n\n2. **Exploit Request (Bypassed):**\n * **Input:**\n ```http\n internal: true\n internal: true\n ```\n * **Envoy Processing:** Concatenates values into `\"true,true\"`.\n * **Matcher Evaluation:** Does `\"true,true\"` equal `\"true\"`? **No.**\n * **Result:** The Deny rule fails to trigger. **Request Allowed.**\n\n## 3. Implications\n* **RBAC Bypass:** Remote attackers can bypass configured access controls.\n* **Unauthorized Access:** Sensitive internal resources or administrative endpoints protected by header-based Deny rules become accessible.\n* **Risk:** High, particularly for deployments relying on \"Exact Match\" strategies for security blocking.\n\n## 4. Reproduction Steps\nTo verify this vulnerability:\n\n1. **Deploy Envoy:** Configure an instance with an RBAC **Deny** rule that performs an **exact match** on a specific header (e.g., `internal: true`).\n2. **Baseline Test:** Send a request containing the header `internal: true`.\n * *Observation:* Envoy blocks this request (HTTP 403).\n3. **Exploit Test:** Send a second request containing the same header twice:\n ```http\n GET /restricted-resource HTTP/1.1\n Host: example.com\n internal: true\n internal: true\n ```\n * *Observation:* Envoy allows the request, granting access to the resource.\n\n## 6. Recommendations\n**Fix Header Validation Logic:**\nModify the RBAC filter to validate each header value instance individually. Avoid relying on the concatenated string output of `getAllOfHeaderAsString()` for security-critical matching unless the matcher is explicitly designed to parse comma-separated lists.\n\n** Examine the DENY role to use a Regex style fix.\n\n**Credit:** Dor Konis",
"id": "GHSA-ghc4-35x6-crw5",
"modified": "2026-04-13T17:29:34Z",
"published": "2026-03-10T18:30:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26308"
},
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867"
},
{
"type": "PACKAGE",
"url": "https://github.com/envoyproxy/envoy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation"
}
GHSA-GHF3-4F69-3865
Vulnerability from github – Published: 2024-11-25 21:30 – Updated: 2024-12-04 18:32Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users.
{
"affected": [],
"aliases": [
"CVE-2024-50671"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-25T21:15:19Z",
"severity": "MODERATE"
},
"details": "Incorrect access control in Adapt Learning Adapt Authoring Tool \u003c= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the \"Get users\" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users.",
"id": "GHSA-ghf3-4f69-3865",
"modified": "2024-12-04T18:32:35Z",
"published": "2024-11-25T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50671"
},
{
"type": "WEB",
"url": "https://github.com/adaptlearning/adapt_authoring"
},
{
"type": "WEB",
"url": "https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2024-50671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHHF-PPFF-F3PR
Vulnerability from github – Published: 2026-03-05 03:31 – Updated: 2026-03-09 21:31The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor user's home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system, which may cause local privilege escalation depending on conditions of the system due to the presence of highly privileged processes and binaries residing within the affected directory.
{
"affected": [],
"aliases": [
"CVE-2026-29127"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T03:15:54Z",
"severity": "CRITICAL"
},
"details": "The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor\u00a0user\u0027s home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system, which may cause local privilege escalation depending on conditions of the system due to the presence of highly privileged processes and binaries residing within the affected directory.",
"id": "GHSA-ghhf-ppff-f3pr",
"modified": "2026-03-09T21:31:33Z",
"published": "2026-03-05T03:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29127"
},
{
"type": "WEB",
"url": "https://www.abdulmhsblog.com/posts/sfx2100-vulns"
},
{
"type": "WEB",
"url": "https://www.abdulmhsblog.com/posts/spfx-vulnrabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.