CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-RX5F-42WM-7P9J
Vulnerability from github – Published: 2023-06-29 03:30 – Updated: 2024-04-04 05:16The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.
{
"affected": [],
"aliases": [
"CVE-2023-2982"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-29T02:15:16Z",
"severity": "CRITICAL"
},
"details": "The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.",
"id": "GHSA-rx5f-42wm-7p9j",
"modified": "2024-04-04T05:16:58Z",
"published": "2023-06-29T03:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2982"
},
{
"type": "WEB",
"url": "https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V2PC-R36H-F9FX
Vulnerability from github – Published: 2025-11-06 18:32 – Updated: 2026-01-20 15:31Authentication Bypass Using an Alternate Path or Channel vulnerability in Elated-Themes Search & Go search-and-go allows Password Recovery Exploitation.This issue affects Search & Go: from n/a through <= 2.7.
{
"affected": [],
"aliases": [
"CVE-2025-62064"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T16:16:12Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Elated-Themes Search \u0026 Go search-and-go allows Password Recovery Exploitation.This issue affects Search \u0026 Go: from n/a through \u003c= 2.7.",
"id": "GHSA-v2pc-r36h-f9fx",
"modified": "2026-01-20T15:31:55Z",
"published": "2025-11-06T18:32:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62064"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-7-broken-authentication-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-7-broken-authentication-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-7-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V3G8-VRXX-MRHP
Vulnerability from github – Published: 2025-11-04 03:30 – Updated: 2025-11-04 18:31The issue was addressed by adding additional logic. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker with physical access to a device may be able to disable Stolen Device Protection.
{
"affected": [],
"aliases": [
"CVE-2025-43422"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T02:15:48Z",
"severity": "MODERATE"
},
"details": "The issue was addressed by adding additional logic. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker with physical access to a device may be able to disable Stolen Device Protection.",
"id": "GHSA-v3g8-vrxx-mrhp",
"modified": "2025-11-04T18:31:52Z",
"published": "2025-11-04T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43422"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125632"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V4MR-PQHX-VPM2
Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-10-22 00:33An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
{
"affected": [],
"aliases": [
"CVE-2024-55591"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T14:15:34Z",
"severity": "CRITICAL"
},
"details": "An\u00a0Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to\u00a0Node.js websocket module.",
"id": "GHSA-v4mr-pqhx-vpm2",
"modified": "2025-10-22T00:33:11Z",
"published": "2025-01-14T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55591"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-535"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-55591"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7PW-9CMM-88M6
Vulnerability from github – Published: 2023-09-06 18:30 – Updated: 2025-10-22 00:32A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following:
Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).
Notes:
Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.
Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-20269"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-06T18:15:08Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.\n\n This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following:\n\n \n Identify valid credentials that could then be used to establish an unauthorized remote access VPN session.\n Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).\n \n Notes:\n\n \n Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured.\n This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured.\n \n Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.",
"id": "GHSA-v7pw-9cmm-88m6",
"modified": "2025-10-22T00:32:51Z",
"published": "2023-09-06T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20269"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20269"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V7R3-HXVJ-7W2P
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-19 21:31Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
{
"affected": [],
"aliases": [
"CVE-2025-13018"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T16:15:38Z",
"severity": "HIGH"
},
"details": "Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox \u003c 145 and Firefox ESR \u003c 140.5.",
"id": "GHSA-v7r3-hxvj-7w2p",
"modified": "2025-11-19T21:31:17Z",
"published": "2025-11-11T18:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13018"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984940"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V865-P3GQ-HW6M
Vulnerability from github – Published: 2026-03-03 21:25 – Updated: 2026-03-30 13:21Summary (Updated March 2, 2026)
Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/* due to canonicalization depth mismatch in vulnerable builds.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published vulnerable version:
2026.3.1 - Affected range:
<= 2026.3.1 - Patched release:
2026.3.2(patched_versions: >= 2026.3.2)
Technical Details
In affected versions, plugin auth-path classification and route-path canonicalization could diverge for deeply encoded slash variants (for example multi-encoded %2f). That mismatch allowed alternate encoded paths to evade protected-prefix auth checks while still resolving to /api/channels/... in plugin route handling.
The fix set hardens this class of issue by: - canonicalizing route paths to a bounded fixpoint, - failing closed on malformed or unresolved canonicalization depth, - requiring explicit plugin-route auth contracts (no implicit auth default), - enforcing route ownership/conflict guards for duplicate route registrations, and - using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces.
Affected Deployments
Deployments exposing plugin HTTP routes and relying on gateway auth for /api/channels/* protection.
Fix Commit(s)
93b07240257919f770d1e263e1f22753937b80ea2fd8264ab03bd178e62a5f0c50d1c8556c17f12dd74bc257d8432f17e50b23ae713d7e0623a1fe0f7a7eee920a176a0043398c6b37bf4cc6eb983eeb
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32004"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:25:52Z",
"nvd_published_at": "2026-03-19T22:16:32Z",
"severity": "HIGH"
},
"details": "### Summary (Updated March 2, 2026)\nEncoded alternate-path requests could bypass plugin route auth checks for `/api/channels/*` due to canonicalization depth mismatch in vulnerable builds.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.3.1`\n- Affected range: `\u003c= 2026.3.1`\n- Patched release: `2026.3.2` (`patched_versions: \u003e= 2026.3.2`)\n\n### Technical Details\nIn affected versions, plugin auth-path classification and route-path canonicalization could diverge for deeply encoded slash variants (for example multi-encoded `%2f`). That mismatch allowed alternate encoded paths to evade protected-prefix auth checks while still resolving to `/api/channels/...` in plugin route handling.\n\nThe fix set hardens this class of issue by:\n- canonicalizing route paths to a bounded fixpoint,\n- failing closed on malformed or unresolved canonicalization depth,\n- requiring explicit plugin-route auth contracts (no implicit auth default),\n- enforcing route ownership/conflict guards for duplicate route registrations, and\n- using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces.\n\n### Affected Deployments\nDeployments exposing plugin HTTP routes and relying on gateway auth for `/api/channels/*` protection.\n\n### Fix Commit(s)\n- `93b07240257919f770d1e263e1f22753937b80ea`\n- `2fd8264ab03bd178e62a5f0c50d1c8556c17f12d`\n- `d74bc257d8432f17e50b23ae713d7e0623a1fe0f`\n- `7a7eee920a176a0043398c6b37bf4cc6eb983eeb`",
"id": "GHSA-v865-p3gq-hw6m",
"modified": "2026-03-30T13:21:06Z",
"published": "2026-03-03T21:25:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32004"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a5f0c50d1c8556c17f12d"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d74bc257d8432f17e50b23ae713d7e0623a1fe0f"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-path-in-api-channels-route"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification"
}
GHSA-V988-828W-XVF2
Vulnerability from github – Published: 2021-10-22 16:21 – Updated: 2021-10-21 21:36Impact
rucio-webui installations of the 1.26 release line potentially leak the contents of cookies to other sessions within a wsgi container. Impact is that Rucio authentication tokens are leaked to other users accessing the webui within a close timeframe, thus allowing users to access the webui with the leaked authentication token. Privileges are therefore also escalated.
Rucio server / daemons are not affected by this issue, it is isolated to the webui.
Patches
This issue is fixed in the 1.26.7 release of the rucio-webui.
Workarounds
Installation of the 1.25.7 webui release. The 1.25 and previous webui release lines are not affected by this issue.
References
https://github.com/rucio/rucio/issues/4928
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "1.26.0"
},
{
"fixed": "1.26.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-21T21:36:22Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n`rucio-webui` installations of the `1.26` release line potentially leak the contents of cookies to other sessions within a wsgi container. Impact is that Rucio authentication tokens are leaked to other users accessing the `webui` within a close timeframe, thus allowing users to access the `webui` with the leaked authentication token. Privileges are therefore also escalated.\n\nRucio server / daemons are not affected by this issue, it is isolated to the webui.\n\n### Patches\nThis issue is fixed in the `1.26.7` release of the `rucio-webui`.\n\n### Workarounds\nInstallation of the `1.25.7` `webui` release. The `1.25` and previous webui release lines are not affected by this issue.\n\n### References\nhttps://github.com/rucio/rucio/issues/4928",
"id": "GHSA-v988-828w-xvf2",
"modified": "2021-10-21T21:36:22Z",
"published": "2021-10-22T16:21:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-v988-828w-xvf2"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/issues/4810"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/issues/4928"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/commit/8f832404ae88d6300e17d7e706b40fe58e0df90c"
},
{
"type": "PACKAGE",
"url": "https://github.com/rucio/rucio"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/1.26.7"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Authentication Bypass Using an Alternate Path or Channel and Authentication Bypass by Primary Weakness in rucio-webui"
}
GHSA-VC38-C3PM-PR72
Vulnerability from github – Published: 2025-10-06 09:30 – Updated: 2025-10-06 09:30The credentials of the users stored in the system's local database can be used for the log in, making it possible for an attacker to gain unauthorized access. This could potentially affect the confidentiality of the application.
{
"affected": [],
"aliases": [
"CVE-2025-9914"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-06T07:15:36Z",
"severity": "MODERATE"
},
"details": "The credentials of the users stored in the system\u0027s local database can be used for the log in, making it possible for an attacker to gain unauthorized access. This could potentially affect the confidentiality of the application.",
"id": "GHSA-vc38-c3pm-pr72",
"modified": "2025-10-06T09:30:20Z",
"published": "2025-10-06T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9914"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf"
},
{
"type": "WEB",
"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCWP-4M7W-HXFH
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-19 21:31Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30.
{
"affected": [],
"aliases": [
"CVE-2025-13013"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T16:15:38Z",
"severity": "MODERATE"
},
"details": "Mitigation bypass in the DOM: Core \u0026 HTML component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, and Firefox ESR \u003c 115.30.",
"id": "GHSA-vcwp-4m7w-hxfh",
"modified": "2025-11-19T21:31:17Z",
"published": "2025-11-11T18:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13013"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1991945"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-89"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.