CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5502 vulnerabilities reference this CWE, most recent first.
GHSA-H4HQ-RGVH-WH27
Vulnerability from github – Published: 2026-03-04 20:13 – Updated: 2026-03-04 20:13Summary
Testing confirmed that even when a Manager has manage=false for a given collection, they can still perform the following management operations as long as they have access to the collection:
PUT /api/organizations/<org_id>/collections/<col_id>succeeds (HTTP 200)PUT /api/organizations/<org_id>/collections/<col_id>/userssucceeds (HTTP 200)DELETE /api/organizations/<org_id>/collections/<col_id>succeeds (HTTP 200)
Description
- The Manager guard checks only whether the user can access the collection, not whether they have
manageprivileges. This check is directly applied to management endpoints. src/auth.rs:816 ```rust
if !Collection::can_access_collection(&headers.membership, &col_id, &conn).await { err_handler!("The current user isn't a manager for this collection") } ```
- The
can_access_collectionfunction does not evaluate themanageflag. src/db/models/collection.rs:140
```rust
pub async fn can_access_collection(member: &Membership, col_id: &CollectionId, conn: &DbConn) -> bool { member.has_status(MembershipStatus::Confirmed) && (member.has_full_access() || CollectionUser::has_access_to_collection_by_user(col_id, &member.user_uuid, conn).await || ... ```
- A separate management-permission check exists and includes
managevalidation, but it is not used during authorization for the affected endpoints. src/db/models/collection.rs:516
```rust
pub async fn is_manageable_by_user(&self, user_uuid: &UserId, conn: &DbConn) -> bool { let Some(member) = Membership::find_confirmed_by_user_and_org(user_uuid, &self.org_uuid, conn).await else { return false; }; if member.has_full_access() { return true; } ... ```
- The actual update and deletion endpoints only accept
ManagerHeadersand do not perform additionalmanagechecks. src/api/core/organizations.rs:608
async fn put_organization_collection_update(..., headers: ManagerHeaders, ...)
src/api/core/organizations.rs:890
async fn put_collection_users(..., headers: ManagerHeaders, ...)
src/api/core/organizations.rs:747
rust
async fn delete_organization_collection(..., headers: ManagerHeaders, ...)
Preconditions
- The attacker is a Manager within the target organization.
- The attacker has access to the target collection (
assigned=true). - The attacker’s permission for that collection is
manage=false. - A valid API access token has been obtained.
Steps to Reproduce
-
Confirm that the attacker’s current permissions for the target collection include
manage=false. -
As a control test, verify that update operations fail for collections the attacker cannot access.
-
Confirm that update operations succeed for the target collection where
manage=false. -
Use
PUT /collections/{col_id}/usersto setmanage=true, confirming that the attacker can escalate their own privileges. -
Verify that deletion of the collection succeeds despite the Manager lacking management rights.
Required Minimum Privileges
- Organization Manager role (Owner/Admin privileges are not required)
- Works even with
access_all=false - Only access rights to the target collection are required (
manageprivilege is not required)
Attack Scenario
A restricted Manager (intended for read/use-only access) directly invokes the API to update collection settings, elevate their own privileges to manage=true, and even delete the collection.
This allows the user to bypass operational access restrictions and effectively gain administrator-equivalent control over the collection.
Potential Impact
- Confidentiality: Expansion of access scope through unauthorized privilege escalation and configuration changes.
- Integrity: Unauthorized modification of collection settings and assignments; potential disabling of access controls.
- Availability: Deletion of collections may disrupt business operations.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.35.3"
},
"package": {
"ecosystem": "crates.io",
"name": "vaultwarden"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.35.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27803"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T20:13:44Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nTesting confirmed that even when a Manager has `manage=false` for a given collection, they can still perform the following management operations as long as they have access to the collection:\n\n* `PUT /api/organizations/\u003corg_id\u003e/collections/\u003ccol_id\u003e` succeeds (HTTP 200)\n* `PUT /api/organizations/\u003corg_id\u003e/collections/\u003ccol_id\u003e/users` succeeds (HTTP 200)\n* `DELETE /api/organizations/\u003corg_id\u003e/collections/\u003ccol_id\u003e` succeeds (HTTP 200)\n\n\n\n## Description\n\n* The Manager guard checks only whether the user **can access the collection**, not whether they have `manage` privileges. This check is directly applied to management endpoints.\nsrc/auth.rs:816\n ```rust\n\n if !Collection::can_access_collection(\u0026headers.membership, \u0026col_id, \u0026conn).await {\n err_handler!(\"The current user isn\u0027t a manager for this collection\")\n }\n ```\n\n* The `can_access_collection` function does **not** evaluate the `manage` flag.\n src/db/models/collection.rs:140\n\n ```rust\n\n pub async fn can_access_collection(member: \u0026Membership, col_id: \u0026CollectionId, conn: \u0026DbConn) -\u003e bool {\n member.has_status(MembershipStatus::Confirmed)\n \u0026\u0026 (member.has_full_access()\n || CollectionUser::has_access_to_collection_by_user(col_id, \u0026member.user_uuid, conn).await\n || ...\n ```\n\n* A separate management-permission check exists and includes `manage` validation, but it is **not used** during authorization for the affected endpoints.\n src/db/models/collection.rs:516\n\n ```rust\n\n pub async fn is_manageable_by_user(\u0026self, user_uuid: \u0026UserId, conn: \u0026DbConn) -\u003e bool {\n let Some(member) = Membership::find_confirmed_by_user_and_org(user_uuid, \u0026self.org_uuid, conn).await else {\n return false;\n };\n if member.has_full_access() {\n return true;\n }\n ...\n ```\n\n* The actual update and deletion endpoints only accept `ManagerHeaders` and do not perform additional `manage` checks.\n src/api/core/organizations.rs:608\n\n```rust\n async fn put_organization_collection_update(..., headers: ManagerHeaders, ...)\n```\n\n src/api/core/organizations.rs:890\n\n```rust\n async fn put_collection_users(..., headers: ManagerHeaders, ...)\n```\n \n\nsrc/api/core/organizations.rs:747\n\n```rust\n async fn delete_organization_collection(..., headers: ManagerHeaders, ...)\n ```\n\n\n\n## Preconditions\n\n* The attacker is a **Manager** within the target organization.\n* The attacker has access to the target collection (`assigned=true`).\n* The attacker\u2019s permission for that collection is `manage=false`.\n* A valid API access token has been obtained.\n\n\n\n## Steps to Reproduce\n\n1. Confirm that the attacker\u2019s current permissions for the target collection include `manage=false`.\n\u003cimg width=\"2015\" height=\"636\" alt=\"image\" src=\"https://github.com/user-attachments/assets/58ddc733-e37c-4766-a980-b1ea1918ceb4\" /\u003e\n\n2. As a control test, verify that update operations fail for collections the attacker cannot access.\n\u003cimg width=\"2021\" height=\"852\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d8699442-2dfc-4d73-8940-ec10f4a175f0\" /\u003e\n\n3. Confirm that update operations succeed for the target collection where `manage=false`.\n\u003cimg width=\"2013\" height=\"690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/33d9845d-d18e-456c-a58c-e780911347a9\" /\u003e\n\n4. Use `PUT /collections/{col_id}/users` to set `manage=true`, confirming that the attacker can escalate their own privileges.\n\u003cimg width=\"2018\" height=\"488\" alt=\"image\" src=\"https://github.com/user-attachments/assets/da8c5246-cf2a-46c2-9a25-e99d907f852d\" /\u003e\n\n5. Verify that deletion of the collection succeeds despite the Manager lacking management rights.\n\u003cimg width=\"2018\" height=\"487\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a97c8fb2-4f97-4c2a-a90b-9d95dbde84fd\" /\u003e\n\n\n\n## Required Minimum Privileges\n\n* Organization Manager role (Owner/Admin privileges are not required)\n* Works even with `access_all=false`\n* Only access rights to the target collection are required (`manage` privilege is not required)\n\n\n\n## Attack Scenario\n\nA restricted Manager (intended for read/use-only access) directly invokes the API to update collection settings, elevate their own privileges to `manage=true`, and even delete the collection.\n\nThis allows the user to bypass operational access restrictions and effectively gain administrator-equivalent control over the collection.\n\n\n\n## Potential Impact\n\n* **Confidentiality:** Expansion of access scope through unauthorized privilege escalation and configuration changes.\n* **Integrity:** Unauthorized modification of collection settings and assignments; potential disabling of access controls.\n* **Availability:** Deletion of collections may disrupt business operations.",
"id": "GHSA-h4hq-rgvh-wh27",
"modified": "2026-03-04T20:13:44Z",
"published": "2026-03-04T20:13:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h4hq-rgvh-wh27"
},
{
"type": "PACKAGE",
"url": "https://github.com/dani-garcia/vaultwarden"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Vaultwarden\u0027s Collection Management Operations Allowed Without `manage` Verification for Manager Role"
}
GHSA-H4JX-HJR3-FHGC
Vulnerability from github – Published: 2026-03-29 15:49 – Updated: 2026-04-18 00:44Summary
Gateway Plugin Subagent Fallback deleteSession Uses Synthetic operator.admin
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Gateway plugin subagent fallback deleteSession previously dispatched sessions.delete with a synthetic operator.admin runtime scope when no request-scoped client existed. Commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7 binds deletion to the caller scope instead of minting admin scope.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7.
Fix Commit(s)
b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35645"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-648",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:49:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nGateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGateway plugin subagent fallback `deleteSession` previously dispatched `sessions.delete` with a synthetic `operator.admin` runtime scope when no request-scoped client existed. Commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7` binds deletion to the caller scope instead of minting admin scope.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`.\n\n## Fix Commit(s)\n\n- `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`",
"id": "GHSA-h4jx-hjr3-fhgc",
"modified": "2026-04-18T00:44:19Z",
"published": "2026-03-29T15:49:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`"
}
GHSA-H4QV-P2J9-74CQ
Vulnerability from github – Published: 2026-06-16 06:30 – Updated: 2026-06-16 06:30The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.
{
"affected": [],
"aliases": [
"CVE-2026-5149"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T06:16:58Z",
"severity": "MODERATE"
},
"details": "The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.",
"id": "GHSA-h4qv-p2j9-74cq",
"modified": "2026-06-16T06:30:24Z",
"published": "2026-06-16T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5149"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/rometheme-for-elementor/trunk/Inc/Modules/Submission/SubmissionModule.php#L22"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/rometheme-for-elementor/trunk/Inc/Modules/Submission/SubmissionModule.php#L29"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3568335/rometheme-for-elementor/trunk/Inc/Modules/Submission/SubmissionModule.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Frometheme-for-elementor/tags/2.0.7\u0026new_path=%2Frometheme-for-elementor/tags/2.0.8"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1fe363b2-8c70-45cd-9fdc-8979f894efd8?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H4RF-98JG-F337
Vulnerability from github – Published: 2022-11-18 00:30 – Updated: 2022-11-22 18:30Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
{
"affected": [],
"aliases": [
"CVE-2022-42903"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-17T22:15:00Z",
"severity": "LOW"
},
"details": "Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.",
"id": "GHSA-h4rf-98jg-f337",
"modified": "2022-11-22T18:30:14Z",
"published": "2022-11-18T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42903"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/support-center/cve-2022-42903.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H4RR-F37J-4HH7
Vulnerability from github – Published: 2025-04-16 09:32 – Updated: 2025-04-23 15:17Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.4.0"
},
{
"fixed": "10.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.11.0"
},
{
"fixed": "9.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250314142426-c049748b8863"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27571"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-16T14:53:24Z",
"nvd_published_at": "2025-04-16T08:15:14Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.5.x \u003c= 10.5.1, 10.4.x \u003c= 10.4.3, 9.11.x \u003c= 9.11.9 fail to check the \"Allow Users to View Archived Channels\" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.",
"id": "GHSA-h4rr-f37j-4hh7",
"modified": "2025-04-23T15:17:14Z",
"published": "2025-04-16T09:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27571"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/341186355d982ac4cbe37668d7cdb0cf6275fe44"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/629f68a85dd6ed5ba0c51a9356c3a3200f50657f"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/8e82d8df61068fc56b0f3e51ef1cc947bc87cec1"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/ae8a952bcaaa5f77a92043e2538f625eac72e927"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/c6f6b664811795f36b9cf05b0e2b537c44c65bc1"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3619"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Incorrect Authorization vulnerability"
}
GHSA-H4VJ-JQ9J-FRQV
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2024-04-03 23:58The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2013-4228"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-18T19:15:00Z",
"severity": "MODERATE"
},
"details": "The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.",
"id": "GHSA-h4vj-jq9j-frqv",
"modified": "2024-04-03T23:58:15Z",
"published": "2022-05-05T00:29:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4228"
},
{
"type": "WEB",
"url": "https://drupal.org/node/2059755"
},
{
"type": "WEB",
"url": "https://drupal.org/node/2059765"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86328"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/08/10/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/61708"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H52P-Q8H5-PVQJ
Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30Vulnerability in the Oracle Life Sciences Argus Safety product of Oracle Health Sciences Applications (component: Login). The supported version that is affected is 8.2.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Argus Safety. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Life Sciences Argus Safety, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Argus Safety accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Argus Safety accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-21570"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T21:15:24Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle Life Sciences Argus Safety product of Oracle Health Sciences Applications (component: Login). The supported version that is affected is 8.2.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Argus Safety. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Life Sciences Argus Safety, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Argus Safety accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Argus Safety accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).",
"id": "GHSA-h52p-q8h5-pvqj",
"modified": "2025-01-21T21:30:56Z",
"published": "2025-01-21T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21570"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H557-XRRH-37XW
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-06-29 00:00An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s account.
{
"affected": [],
"aliases": [
"CVE-2021-22155"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-13T00:15:00Z",
"severity": "HIGH"
},
"details": "An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user\u2019s account.",
"id": "GHSA-h557-xrrh-37xw",
"modified": "2022-06-29T00:00:44Z",
"published": "2022-05-24T22:28:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22155"
},
{
"type": "WEB",
"url": "https://support.blackberry.com/kb/articleDetail?articleNumber=000078926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H55P-3MG5-547M
Vulnerability from github – Published: 2023-03-31 18:30 – Updated: 2025-02-18 18:33An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass.
{
"affected": [],
"aliases": [
"CVE-2023-26829"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-31T16:15:00Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass.",
"id": "GHSA-h55p-3mg5-547m",
"modified": "2025-02-18T18:33:03Z",
"published": "2023-03-31T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26829"
},
{
"type": "WEB",
"url": "https://www.whiteoaksecurity.com/blog/centrestack-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H56X-6FP7-752G
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:00In getDefaultSmsPackage of RoleManagerService.java, there is a possible way to get information about the default sms app of a different device user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-177927831
{
"affected": [],
"aliases": [
"CVE-2021-0686"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T15:15:00Z",
"severity": "MODERATE"
},
"details": "In getDefaultSmsPackage of RoleManagerService.java, there is a possible way to get information about the default sms app of a different device user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-177927831",
"id": "GHSA-h56x-6fp7-752g",
"modified": "2022-07-13T00:00:59Z",
"published": "2022-05-24T19:16:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0686"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-09-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.