Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5504 vulnerabilities reference this CWE, most recent first.

GHSA-J97V-VVWP-6WX4

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10
VLAI
Details

In setBluetoothTethering of PanService.java, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege to activate tethering with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-134487438

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In setBluetoothTethering of PanService.java, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege to activate tethering with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-134487438",
  "id": "GHSA-j97v-vvwp-6wx4",
  "modified": "2022-05-24T17:10:42Z",
  "published": "2022-05-24T17:10:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0085"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2020-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J98H-2C2J-4X2P

Vulnerability from github – Published: 2026-01-14 09:31 – Updated: 2026-04-08 21:33
VLAI
Details

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-14T07:16:14Z",
    "severity": "MODERATE"
  },
  "details": "The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed.",
  "id": "GHSA-j98h-2c2j-4x2p",
  "modified": "2026-04-08T21:33:10Z",
  "published": "2026-01-14T09:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15513"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3444078%40float-gateway\u0026new=3444078%40float-gateway\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J997-WPHJ-QRJ9

Vulnerability from github – Published: 2022-01-20 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller's permission, in which a third-party app could change system settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller\u0027s permission, in which a third-party app could change system settings.",
  "id": "GHSA-j997-wphj-qrj9",
  "modified": "2022-07-13T00:01:35Z",
  "published": "2022-01-20T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38789"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/Allwinner%20R818%20SoC%EF%BC%9Aaw_display%20service%20has%20EoP%20Vulnerability.md"
    },
    {
      "type": "WEB",
      "url": "https://vul.wangan.com/a/CNVD-2021-46927"
    },
    {
      "type": "WEB",
      "url": "https://www.allwinnertech.com/index.php?c=product\u0026a=index\u0026id=92"
    },
    {
      "type": "WEB",
      "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-46927"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9CG-V2V5-9P35

Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-22 15:34
VLAI
Details

Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.",
  "id": "GHSA-j9cg-v2v5-9p35",
  "modified": "2025-05-22T15:34:42Z",
  "published": "2022-09-27T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3044"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1051198"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/40051481"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9JX-HP4C-GHHH

Vulnerability from github – Published: 2026-06-12 21:53 – Updated: 2026-06-12 21:53
VLAI
Summary
File Browser has incorrect access control for public directory shares via rule path rebasing
Details

Summary

File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.

As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through GET /api/public/share/* and GET /api/public/dl/*.

Details

The public share flow first resolves the original shared path under the owner's filesystem, but then switches d.user.Fs to a new BasePathFs rooted at the shared directory. The follow-up authorization check is still performed by d.Check, which compares the request path to rule strings using prefix matching.

When the share target is a directory, the path passed to d.Check becomes relative to the shared directory, while the rules remain relative to the owner's original scope. A deny rule such as /projects/private therefore no longer matches a public share request for /private/secret.txt, even though the rebased filesystem resolves that request to the real path /projects/private/secret.txt.

Core vulnerable code path:

// http/public.go
if file.IsDir {
    basePath = filepath.Clean(link.Path)
    filePath = ifPath
}

d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)

file, err = files.NewFileInfo(&files.FileOptions{
    Fs:      d.user.Fs,
    Path:    filePath,
    Expand:  true,
    Checker: d,
})
// http/data.go and rules/rules.go
func (d *data) Check(path string) bool {
    allow := true
    for _, rule := range d.settings.Rules {
        if rule.Matches(path) {
            allow = rule.Allow
        }
    }
    for _, rule := range d.user.Rules {
        if rule.Matches(path) {
            allow = rule.Allow
        }
    }
    return allow
}

func (r *Rule) Matches(path string) bool {
    if path == r.Path {
        return true
    }
    prefix := r.Path
    if prefix != "/" && !strings.HasSuffix(prefix, "/") {
        prefix += "/"
    }
    return strings.HasPrefix(path, prefix)
}

The issue is reachable from the public endpoints registered in http/http.go for /api/public/share/* and /api/public/dl/*.

PoC

The attacker only needs a directory share URL. No authenticated session is required if the share is not password protected.

Reproduction flow:

  1. Prepare a directory owned by a normal user, for example /projects/.
  2. Inside it, create a sensitive child path such as /projects/private/secret.txt.
  3. Configure a deny rule for the share owner that blocks /projects/private.
  4. Have the owner create a public share for /projects/.
  5. Request the blocked child path through the public share endpoints.

PoC:

# owner creates a public share for /projects/
curl -s -X POST 'http://HOST/api/share/projects/' \
  -H 'X-Auth: <OWNER_JWT>' \
  -H 'Content-Type: application/json' \
  -d '{}'

The response contains a share hash such as:

{"hash":"<HASH>","path":"/projects/","userID":2,"expire":0}

The attacker can then access a rule-blocked file below the shared directory:

curl -i 'http://HOST/api/public/dl/<HASH>/private/secret.txt'

A blocked subdirectory can also be listed directly:

curl -i 'http://HOST/api/public/share/<HASH>/private/'

the server returns 200 OK and serves the file content or directory listing, even though the share owner's rules should have made that path inaccessible.

Impact

This flaw allows public share recipients to read files and browse directories that the share owner explicitly intended to block with File Browser rules. Because the vulnerable path is the public share feature, the exposure can be unauthenticated and internet-reachable whenever a share link is exposed.

In practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.63.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.63.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T21:53:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nFile Browser\u0027s public share handlers rebase the share owner\u0027s filesystem root to the shared directory and then evaluate descendant paths against the owner\u0027s global and per-user rules using the rebased relative path instead of the original path relative to the owner\u0027s scope.\n\nAs a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through `GET /api/public/share/*` and `GET /api/public/dl/*`.\n\n### Details\nThe public share flow first resolves the original shared path under the owner\u0027s filesystem, but then switches `d.user.Fs` to a new `BasePathFs` rooted at the shared directory. The follow-up authorization check is still performed by `d.Check`, which compares the request path to rule strings using prefix matching.\n\nWhen the share target is a directory, the path passed to `d.Check` becomes relative to the shared directory, while the rules remain relative to the owner\u0027s original scope. A deny rule such as `/projects/private` therefore no longer matches a public share request for `/private/secret.txt`, even though the rebased filesystem resolves that request to the real path `/projects/private/secret.txt`.\n\nCore vulnerable code path:\n\n```go\n// http/public.go\nif file.IsDir {\n    basePath = filepath.Clean(link.Path)\n    filePath = ifPath\n}\n\nd.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)\n\nfile, err = files.NewFileInfo(\u0026files.FileOptions{\n    Fs:      d.user.Fs,\n    Path:    filePath,\n    Expand:  true,\n    Checker: d,\n})\n```\n\n```go\n// http/data.go and rules/rules.go\nfunc (d *data) Check(path string) bool {\n    allow := true\n    for _, rule := range d.settings.Rules {\n        if rule.Matches(path) {\n            allow = rule.Allow\n        }\n    }\n    for _, rule := range d.user.Rules {\n        if rule.Matches(path) {\n            allow = rule.Allow\n        }\n    }\n    return allow\n}\n\nfunc (r *Rule) Matches(path string) bool {\n    if path == r.Path {\n        return true\n    }\n    prefix := r.Path\n    if prefix != \"/\" \u0026\u0026 !strings.HasSuffix(prefix, \"/\") {\n        prefix += \"/\"\n    }\n    return strings.HasPrefix(path, prefix)\n}\n```\n\nThe issue is reachable from the public endpoints registered in `http/http.go` for `/api/public/share/*` and `/api/public/dl/*`.\n\n### PoC\nThe attacker only needs a directory share URL. No authenticated session is required if the share is not password protected.\n\nReproduction flow:\n\n1. Prepare a directory owned by a normal user, for example `/projects/`.\n2. Inside it, create a sensitive child path such as `/projects/private/secret.txt`.\n3. Configure a deny rule for the share owner that blocks `/projects/private`.\n4. Have the owner create a public share for `/projects/`.\n5. Request the blocked child path through the public share endpoints.\n\nPoC:\n\n```bash\n# owner creates a public share for /projects/\ncurl -s -X POST \u0027http://HOST/api/share/projects/\u0027 \\\n  -H \u0027X-Auth: \u003cOWNER_JWT\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{}\u0027\n```\n\nThe response contains a share hash such as:\n\n```text\n{\"hash\":\"\u003cHASH\u003e\",\"path\":\"/projects/\",\"userID\":2,\"expire\":0}\n```\n\nThe attacker can then access a rule-blocked file below the shared directory:\n\n```bash\ncurl -i \u0027http://HOST/api/public/dl/\u003cHASH\u003e/private/secret.txt\u0027\n```\n\nA blocked subdirectory can also be listed directly:\n\n```bash\ncurl -i \u0027http://HOST/api/public/share/\u003cHASH\u003e/private/\u0027\n```\n\nthe server returns `200 OK` and serves the file content or directory listing, even though the share owner\u0027s rules should have made that path inaccessible.\n\n### Impact\nThis flaw allows public share recipients to read files and browse directories that the share owner explicitly intended to block with File Browser rules. Because the vulnerable path is the public share feature, the exposure can be unauthenticated and internet-reachable whenever a share link is exposed.\n\nIn practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.",
  "id": "GHSA-j9jx-hp4c-ghhh",
  "modified": "2026-06-12T21:53:28Z",
  "published": "2026-06-12T21:53:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-j9jx-hp4c-ghhh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/e07c59df0b850f5924d5b1683e8609661ddcf534"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has incorrect access control for public directory shares via rule path rebasing"
}

GHSA-J9PJ-FF73-Q8XM

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

ntermittent authorization failure in aaa tacacs+ with Brocade Fabric OS versions before Brocade Fabric OS v9.0.1b and after 9.0.0, also in Brocade Fabric OS before Brocade Fabric OS v8.2.3a and after v8.2.0 could cause a user with a valid account to be unable to log into the switch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "ntermittent authorization failure in aaa tacacs+ with Brocade Fabric OS versions before Brocade Fabric OS v9.0.1b and after 9.0.0, also in Brocade Fabric OS before Brocade Fabric OS v8.2.3a and after v8.2.0 could cause a user with a valid account to be unable to log into the switch.",
  "id": "GHSA-j9pj-ff73-q8xm",
  "modified": "2022-05-24T19:10:57Z",
  "published": "2022-05-24T19:10:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27793"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210819-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1553"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J9RR-CMHW-QC36

Vulnerability from github – Published: 2023-06-09 21:30 – Updated: 2024-04-04 04:42
VLAI
Details

An issue found in Sleep v.20230303 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-09T20:15:10Z",
    "severity": "MODERATE"
  },
  "details": "An issue found in Sleep v.20230303 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.",
  "id": "GHSA-j9rr-cmhw-qc36",
  "modified": "2024-04-04T04:42:52Z",
  "published": "2023-06-09T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LianKee/SO-CVEs/blob/main/CVEs/CVE-2023-29761/CVE%20detailed.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC39-686J-WP6Q

Vulnerability from github – Published: 2026-03-24 16:34 – Updated: 2026-03-30 13:51
VLAI
Summary
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Details

Impact

An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent.

Patches

The fix blocks authenticated users from setting expiresAt and createdWith fields when updating a session. Master key and maintenance key operations are not affected.

Workarounds

There is no known workaround other than upgrading.

Resources

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.6.0-alpha.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.57"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T16:34:11Z",
    "nvd_published_at": "2026-03-24T19:16:54Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAn authenticated user can overwrite server-generated session fields such as `expiresAt` and `createdWith` when updating their own session via the REST API. This allows bypassing the server\u0027s configured session lifetime policy, making a session effectively permanent.\n\n### Patches\n\nThe fix blocks authenticated users from setting `expiresAt` and `createdWith` fields when updating a session. Master key and maintenance key operations are not affected.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264",
  "id": "GHSA-jc39-686j-wp6q",
  "modified": "2026-03-30T13:51:45Z",
  "published": "2026-03-24T16:34:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33527"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/26b628c8fb3cc79ea955374769eebcff6f8a8a73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/ea68fc0b22a6056c9675149469ff57817f7cf984"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server\u0027s Session Update endpoint allows overwriting server-generated session fields"
}

GHSA-JC4P-P49M-8P2P

Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31
VLAI
Details

SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises the confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T08:15:17Z",
    "severity": "MODERATE"
  },
  "details": "SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises the confidentiality.",
  "id": "GHSA-jc4p-p49m-8p2p",
  "modified": "2025-04-08T09:31:11Z",
  "published": "2025-04-08T09:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31331"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3577131"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC55-CRG7-PR35

Vulnerability from github – Published: 2021-11-25 00:00 – Updated: 2024-04-25 20:40
VLAI
Summary
EC-CUBE Improper access control in Management screen
Details

Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.17.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ec-cube/ec-cube"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.2"
            },
            {
              "fixed": "2.17.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T20:40:45Z",
    "nvd_published_at": "2021-11-24T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control in Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.",
  "id": "GHSA-jc55-crg7-pr35",
  "modified": "2024-04-25T20:40:45Z",
  "published": "2021-11-25T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20841"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EC-CUBE/ec-cube"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN75444925/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.ec-cube.net/info/weakness/20211111"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "EC-CUBE Improper access control in Management screen"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.