CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-WX35-29XJ-R29Q
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2024-44253"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:06Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system.",
"id": "GHSA-wx35-29xj-r29q",
"modified": "2026-04-02T21:31:59Z",
"published": "2024-10-28T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44253"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121568"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121570"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WX5H-WQFQ-V698
Vulnerability from github – Published: 2025-03-11 15:27 – Updated: 2025-03-12 14:40Impact
Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to.
Patches
Will be patched in 10.8.9 and 13.7.1
Workarounds
None available.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.8.8"
},
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Cms.Web.Backoffice"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.8.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 13.7.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Cms.Web.Backoffice"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-rc1"
},
{
"fixed": "13.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27602"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-11T15:27:34Z",
"nvd_published_at": "2025-03-11T16:15:18Z",
"severity": "MODERATE"
},
"details": "### Impact\nVia manipulation of backoffice API URLs it\u0027s possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to.\n\n### Patches\nWill be patched in 10.8.9 and 13.7.1\n\n### Workarounds\nNone available.",
"id": "GHSA-wx5h-wqfq-v698",
"modified": "2025-03-12T14:40:32Z",
"published": "2025-03-11T15:27:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27602"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco-CMS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content"
}
GHSA-WXH7-CRXJ-886H
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-10-14 12:00Linear eMerge E3-Series devices allow Privilege Escalation.
{
"affected": [],
"aliases": [
"CVE-2019-7258"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-02T19:15:00Z",
"severity": "HIGH"
},
"details": "Linear eMerge E3-Series devices allow Privilege Escalation.",
"id": "GHSA-wxh7-crxj-886h",
"modified": "2022-10-14T12:00:22Z",
"published": "2022-05-24T22:00:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7258"
},
{
"type": "WEB",
"url": "https://applied-risk.com/labs/advisories"
},
{
"type": "WEB",
"url": "https://www.applied-risk.com/resources/ar-2019-005"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155260/Linear-eMerge-E3-1.00-06-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXP5-9W64-PP68
Vulnerability from github – Published: 2023-08-24 06:30 – Updated: 2024-04-04 07:10A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security breaches, data theft, and unauthorized manipulation of sensitive information. The vulnerability is attributed to the presence of an unauthorized service, which could potentially enable unauthorized access to the. device.
{
"affected": [],
"aliases": [
"CVE-2023-4227"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-489",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-24T06:15:44Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security breaches, data theft, and unauthorized manipulation of sensitive information. The vulnerability is attributed to the presence of an unauthorized service, which could potentially enable unauthorized access to the. device.\n\n",
"id": "GHSA-wxp5-9w64-pp68",
"modified": "2024-04-04T07:10:20Z",
"published": "2023-08-24T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4227"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230310-iologik-4000-series-multiple-web-server-vulnerabilities-and-improper-access-control-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXQP-JWC9-G39X
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2024-04-23 22:30Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "8.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.9.0"
},
{
"fixed": "8.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "8.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "8.9.0"
},
{
"fixed": "8.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13665"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T22:30:43Z",
"nvd_published_at": "2021-05-05T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.",
"id": "GHSA-wxqp-jwc9-g39x",
"modified": "2024-04-23T22:30:43Z",
"published": "2022-05-24T17:49:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13665"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13665.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13665.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2020-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Drupal Core Access bypass vulnerability"
}
GHSA-WXV8-VQC5-V4J2
Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2022-04-15 00:01A vulnerability in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software could allow an authenticated, local attacker to escalate privileges on an affected device. This vulnerability is due to insufficient access control in the affected CLI. An attacker could exploit this vulnerability by authenticating as a CEE ConfD CLI user and executing a specific CLI command. A successful exploit could allow an attacker to access privileged containers with root privileges.
{
"affected": [],
"aliases": [
"CVE-2022-20762"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-06T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software could allow an authenticated, local attacker to escalate privileges on an affected device. This vulnerability is due to insufficient access control in the affected CLI. An attacker could exploit this vulnerability by authenticating as a CEE ConfD CLI user and executing a specific CLI command. A successful exploit could allow an attacker to access privileged containers with root privileges.",
"id": "GHSA-wxv8-vqc5-v4j2",
"modified": "2022-04-15T00:01:05Z",
"published": "2022-04-07T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20762"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccsmi-prvesc-BQHGe4cm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXVP-5PM4-8849
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-07-13 00:01Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.
{
"affected": [],
"aliases": [
"CVE-2021-42002"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-11T05:15:00Z",
"severity": "CRITICAL"
},
"details": "Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.",
"id": "GHSA-wxvp-5pm4-8849",
"modified": "2022-07-13T00:01:42Z",
"published": "2022-05-24T19:20:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42002"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/ad-manager/release-notes.html#7115"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXX5-W9JC-48WX
Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 22:02Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.pebbletemplates:pebble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37767"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-15T03:27:25Z",
"nvd_published_at": "2022-09-12T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok.",
"id": "GHSA-wxx5-w9jc-48wx",
"modified": "2022-09-16T22:02:16Z",
"published": "2022-09-13T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37767"
},
{
"type": "WEB",
"url": "https://github.com/PebbleTemplates/pebble/issues/625#issuecomment-1282138635"
},
{
"type": "WEB",
"url": "https://github.com/Y4tacker/Web-Security/issues/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pebble Templates protection mechanism bypass can lead to arbitrary code execution"
}
GHSA-X234-X5VQ-CC2V
Vulnerability from github – Published: 2026-04-21 15:00 – Updated: 2026-04-27 16:20Summary
A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled.
Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege.
Details
The application exposes an account-level disable control through the users management API. Login process correctly enforces that control: https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/login.go#L29-L31
However, token-based authentication does not enforce the same check (This code validates token structure and expiry, but returns that user object without checking user.Status.):
https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/user.go#L44-L139
There’s also no token revocation feature, unlike when a password is changed: https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/api/user/user.go#L38-L51
As a result, a disabled user can continue to have full API access. In particular, since that includes account creation, they can create a new account and keep operating even after the JWT expires.
PoC
The issue was validated with version 2.3.3 using the uozi/nginx-ui:sha-c92ec0a docker image.
View the PoC video:
https://github.com/user-attachments/assets/7a5175cb-2f79-4c1b-adad-e7d0bf2ea2bd
Impact
Administrators who rely on "disable user" as an authentication or authorization control can be bypassed.
The disabled user can keep reading sensitive configuration and executing authenticated state-changing actions allowed to that account.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.10-0.20260314152518-7b66578adb47"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33031"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T15:00:44Z",
"nvd_published_at": "2026-04-20T21:16:32Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user\u2019s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled.\n\nSince tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege.\n\n### Details\n\nThe application exposes an account-level disable control through the users management API. Login process correctly enforces that control:\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/login.go#L29-L31\n\nHowever, token-based authentication does not enforce the same check (This code validates token structure and expiry, but returns that user object without checking `user.Status`.):\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/user.go#L44-L139\n\nThere\u2019s also no token revocation feature, unlike when a password is changed:\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/api/user/user.go#L38-L51\n\nAs a result, a disabled user can continue to have full API access. In particular, since that includes account creation, they can create a new account and keep operating even after the JWT expires.\n\n### PoC\n\nThe issue was validated with version 2.3.3 using the `uozi/nginx-ui:sha-c92ec0a` docker image.\n\nView the PoC video:\n\n\nhttps://github.com/user-attachments/assets/7a5175cb-2f79-4c1b-adad-e7d0bf2ea2bd\n\n\n\n### Impact\n\nAdministrators who rely on \"disable user\" as an authentication or authorization control can be bypassed.\n\nThe disabled user can keep reading sensitive configuration and executing authenticated state-changing actions allowed to that account.",
"id": "GHSA-x234-x5vq-cc2v",
"modified": "2026-04-27T16:20:27Z",
"published": "2026-04-21T15:00:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33031"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/commit/7b66578adb47bbec839b621a4666495249379174"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nginx-UI: Disabled users retain full API access through previously issued bearer tokens"
}
GHSA-X24J-87X9-JVV5
Vulnerability from github – Published: 2021-11-03 17:34 – Updated: 2022-08-11 22:06In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. guest role users can self-register even when the admin does not allow it. This happens due to front-end restriction only.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "publify_core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0.pre1"
},
{
"fixed": "9.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25973"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-669",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-03T14:44:37Z",
"nvd_published_at": "2021-11-02T07:15:00Z",
"severity": "MODERATE"
},
"details": "In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. `guest` role users can self-register even when the admin does not allow it. This happens due to front-end restriction only.",
"id": "GHSA-x24j-87x9-jvv5",
"modified": "2022-08-11T22:06:27Z",
"published": "2021-11-03T17:34:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25973"
},
{
"type": "WEB",
"url": "https://github.com/publify/publify/commit/3447e0241e921b65f6eb1090453d8ea73e98387e"
},
{
"type": "WEB",
"url": "https://github.com/publify/publify"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2021-25973.yml"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25973"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Publify `guest` role users can self-register even when the admin does not allow it"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.