Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-25G9-6GWC-GV6W

Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-21T17:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0.",
  "id": "GHSA-25g9-6gwc-gv6w",
  "modified": "2025-05-21T18:33:31Z",
  "published": "2025-05-21T18:33:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48011"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-062"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25P4-XQ52-Q9PW

Vulnerability from github – Published: 2024-10-01 09:30 – Updated: 2024-10-01 09:30
VLAI
Details

The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-01T08:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value.",
  "id": "GHSA-25p4-xq52-q9pw",
  "modified": "2024-10-01T09:30:49Z",
  "published": "2024-10-01T09:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9106"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wechat-social-login/trunk/add-ons/social-qq/class-xh-social-channel-qq.php?rev=2080785#L284"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bd44471-1a9c-4465-a52a-be64d51e7ea1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-266V-Q3GX-4VX4

Vulnerability from github – Published: 2024-10-28 12:30 – Updated: 2026-04-01 18:32
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in MaanTheme MaanStore API allows Authentication Bypass.This issue affects MaanStore API: from n/a through 1.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T12:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in MaanTheme MaanStore API allows Authentication Bypass.This issue affects MaanStore API: from n/a through 1.0.1.",
  "id": "GHSA-266v-q3gx-4vx4",
  "modified": "2026-04-01T18:32:09Z",
  "published": "2024-10-28T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50487"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/maanstore-api/vulnerability/wordpress-maanstore-api-plugin-1-0-1-account-takeover-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/maanstore-api/wordpress-maanstore-api-plugin-1-0-1-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-267C-6GRR-H53F

Vulnerability from github – Published: 2026-05-11 15:54 – Updated: 2026-05-14 20:38
VLAI
Summary
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
Details

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.

Workarounds

If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.2.0"
            },
            {
              "fixed": "15.5.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T15:54:24Z",
    "nvd_published_at": "2026-05-13T17:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nApp Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted `.rsc` and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.\n\n### Fix\n\nWe now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.\n\n### Workarounds\n\nIf you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.",
  "id": "GHSA-267c-6grr-h53f",
  "modified": "2026-05-14T20:38:08Z",
  "published": "2026-05-11T15:54:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44575"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes"
}

GHSA-26HH-7CQF-HHC6

Vulnerability from github – Published: 2026-05-11 16:21 – Updated: 2026-05-14 20:39
VLAI
Summary
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
Details

Impact

It was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. Refer to CVE-2026-44575 for further details.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.2.0"
            },
            {
              "fixed": "15.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:21:19Z",
    "nvd_published_at": "2026-05-13T18:16:19Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n\nIt was found that the fix addressing [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) did not apply to `middleware.ts` with Turbopack. Refer to  [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) for further details.\n\n### References \n\n- [CVE CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f)",
  "id": "GHSA-26hh-7cqf-hhc6",
  "modified": "2026-05-14T20:39:01Z",
  "published": "2026-05-11T16:21:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45109"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.2.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up"
}

GHSA-27QR-6RGM-2F59

Vulnerability from github – Published: 2025-08-28 00:30 – Updated: 2025-09-09 15:31
VLAI
Details

An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can bypass login mechanisms without valid credentials and access administrator-level features. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-27T22:15:57Z",
    "severity": "HIGH"
  },
  "details": "An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can bypass login mechanisms without valid credentials and access administrator-level features. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.",
  "id": "GHSA-27qr-6rgm-2f59",
  "modified": "2025-09-09T15:31:17Z",
  "published": "2025-08-28T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34520"
    },
    {
      "type": "WEB",
      "url": "https://support.arcserve.com/s/article/Important-Security-Bulletin-Must-read-for-all-Arcserve-UDP-customers-on-all-versions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-27VM-5VPJ-RP5G

Vulnerability from github – Published: 2026-04-27 12:30 – Updated: 2026-05-05 21:38
VLAI
Summary
Apache Camel Vulnerable to Authentication Bypass Using an Alternate Path or Channel
Details

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at path* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/route or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information.

This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2.

Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-platform-http-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.14.1"
            },
            {
              "fixed": "4.14.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-platform-http-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.18.0"
            },
            {
              "fixed": "4.18.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-platform-http-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.19.0"
            },
            {
              "fixed": "4.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:38:59Z",
    "nvd_published_at": "2026-04-27T10:16:09Z",
    "severity": "HIGH"
  },
  "details": "When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information.\n\nThis issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.",
  "id": "GHSA-27vm-5vpj-rp5g",
  "modified": "2026-05-05T21:38:59Z",
  "published": "2026-04-27T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/22474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/22475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/pull/22476"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/6ec12cbebfc1b6360cdaac1c1f8c681864911695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/7b5b8c0283c0ab8d703d868ded7614018762a553"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/a9ebee94af976ac2afd7906d2e76673067d8be86"
    },
    {
      "type": "WEB",
      "url": "https://camel.apache.org/security/CVE-2026-40022.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/camel"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/26/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Camel Vulnerable to Authentication Bypass Using an Alternate Path or Channel"
}

GHSA-289Q-CMJ5-R43X

Vulnerability from github – Published: 2026-02-25 21:31 – Updated: 2026-02-25 21:31
VLAI
Details

GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-25T21:16:36Z",
    "severity": "MODERATE"
  },
  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.",
  "id": "GHSA-289q-cmj5-r43x",
  "modified": "2026-02-25T21:31:19Z",
  "published": "2026-02-25T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1747"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3533088"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/588385"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-28C6-PJXJ-5QXG

Vulnerability from github – Published: 2024-08-13 12:30 – Updated: 2024-08-13 12:30
VLAI
Details

A vulnerability in the combination of the OpenBMC's FW1050.00 through FW1050.10, FW1030.00 through FW1030.50, and FW1020.00 through FW1020.60 default password and session management allow an attacker to gain administrative access to the BMC. IBM X-Force ID: 290674.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T12:15:06Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the combination of the OpenBMC\u0027s FW1050.00 through FW1050.10, FW1030.00 through FW1030.50, and FW1020.00 through FW1020.60 default password and session management allow an attacker to gain administrative access to the BMC.  IBM X-Force ID:  290674.",
  "id": "GHSA-28c6-pjxj-5qxg",
  "modified": "2024-08-13T12:30:53Z",
  "published": "2024-08-13T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35124"
    },
    {
      "type": "WEB",
      "url": "https://https://exchange.xforce.ibmcloud.com/vulnerabilities/290674"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7163195"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-293W-8H49-X8X8

Vulnerability from github – Published: 2023-05-30 21:30 – Updated: 2024-04-04 04:23
VLAI
Details

Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Bypass 2FA via APIs. For Controlpanel Lite. "After login we are directly able to use the bearer token or jsession ID to access the apis instead of entering the 2FA code. Thus, leading to bypass of 2FA on API level.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-30T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Bypass 2FA via APIs. For Controlpanel Lite. \"After login we are directly able to use the bearer token or jsession ID to access the apis instead of entering the 2FA code. Thus, leading to bypass of 2FA on API level.",
  "id": "GHSA-293w-8h49-x8x8",
  "modified": "2024-04-04T04:23:41Z",
  "published": "2023-05-30T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36249"
    },
    {
      "type": "WEB",
      "url": "https://www.shopbeat.co.za"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.