CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-3W64-72GJ-893R
Vulnerability from github – Published: 2023-09-14 21:30 – Updated: 2026-05-21 09:32Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1.
{
"affected": [],
"aliases": [
"CVE-2023-4702"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-14T20:15:12Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass.This issue affects Digital Yepas: before 1.0.1.",
"id": "GHSA-3w64-72gj-893r",
"modified": "2026-05-21T09:32:05Z",
"published": "2023-09-14T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4702"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0526"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0526"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3X5X-62PF-8JPR
Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-12 21:31Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2025-12445"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T20:15:39Z",
"severity": "MODERATE"
},
"details": "Policy bypass in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low)",
"id": "GHSA-3x5x-62pf-8jpr",
"modified": "2025-11-12T21:31:06Z",
"published": "2025-11-10T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12445"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/428397712"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3XGG-6RWW-2J3W
Vulnerability from github – Published: 2024-11-28 18:38 – Updated: 2024-11-28 18:38The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known.
{
"affected": [],
"aliases": [
"CVE-2024-11925"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-28T07:15:05Z",
"severity": "CRITICAL"
},
"details": "The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known.",
"id": "GHSA-3xgg-6rww-2j3w",
"modified": "2024-11-28T18:38:35Z",
"published": "2024-11-28T18:38:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11925"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04bc8101-2676-4695-a498-f79be8221617?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3XW3-M65R-4F37
Vulnerability from github – Published: 2024-10-29 18:30 – Updated: 2026-04-08 18:33The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
{
"affected": [],
"aliases": [
"CVE-2024-9988"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T17:15:05Z",
"severity": "CRITICAL"
},
"details": "The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the \u0027crypto_connect_ajax_process::register\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.",
"id": "GHSA-3xw3-m65r-4f37",
"modified": "2026-04-08T18:33:39Z",
"published": "2024-10-29T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9988"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.10/includes/class-crypto_connect_ajax_register.php#L91"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3195424/crypto#file3"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bfe87cf-9883-4f8f-a0f5-23bbc7bb9b7c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-42RJ-C8WW-P58F
Vulnerability from github – Published: 2023-12-19 18:30 – Updated: 2023-12-19 18:30A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authentication bypass.
{
"affected": [],
"aliases": [
"CVE-2023-50272"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-19T16:15:12Z",
"severity": "HIGH"
},
"details": "A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authentication bypass.",
"id": "GHSA-42rj-c8ww-p58f",
"modified": "2023-12-19T18:30:32Z",
"published": "2023-12-19T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50272"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US\u0026docId=hpesbhf04584en_us"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-438F-R8M8-H4GG
Vulnerability from github – Published: 2025-07-22 12:30 – Updated: 2025-07-22 12:30The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.
{
"affected": [],
"aliases": [
"CVE-2025-7692"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T10:15:26Z",
"severity": "HIGH"
},
"details": "The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.",
"id": "GHSA-438f-r8m8-h4gg",
"modified": "2025-07-22T12:30:44Z",
"published": "2025-07-22T12:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7692"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/orion-login-with-sms"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31a47cbd-c19b-4ac3-87ed-2d4c5c0e9cb7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-439Q-G9X9-RR2V
Vulnerability from github – Published: 2025-09-19 06:31 – Updated: 2025-09-19 06:31The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to login as arbitrary users.
{
"affected": [],
"aliases": [
"CVE-2025-5955"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T05:15:33Z",
"severity": "HIGH"
},
"details": "The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user\u0027s phone number before logging them in. This makes it possible for unauthenticated attackers to login as arbitrary users.",
"id": "GHSA-439q-g9x9-rr2v",
"modified": "2025-09-19T06:31:22Z",
"published": "2025-09-19T06:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5955"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc4598a7-d5cf-4553-b29a-659fe288ece9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-472G-2PWF-QM99
Vulnerability from github – Published: 2026-01-04 00:30 – Updated: 2026-01-04 00:30Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users' private recordings.
{
"affected": [],
"aliases": [
"CVE-2025-3652"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-04T00:15:43Z",
"severity": "MODERATE"
},
"details": "Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users\u0027 private recordings.",
"id": "GHSA-472g-2pwf-qm99",
"modified": "2026-01-04T00:30:16Z",
"published": "2026-01-04T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3652"
},
{
"type": "WEB",
"url": "https://bobdahacker.com/blog/petlibro"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-audio-information-disclosure-via-api-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-47CR-F226-R4PQ
Vulnerability from github – Published: 2026-03-20 17:25 – Updated: 2026-03-25 20:53Summary
The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.
Details
The two files below show that when a user is accessing Caldav via Basic Authentication, it skips all steps involving 2FA. The order of operations is essentially: 1. Retrieve basic credentials. 2. Verify username. 3. Verify password. 4. Success
pkg/routes/caldav/auth.go:45
u, err := checkUserCaldavTokens(s, credentials)
if user.IsErrUserDoesNotExist(err) {
return false, nil
}
if u == nil {
u, err = user.CheckUserCredentials(s, credentials)
if err != nil {
log.Errorf("Error during basic auth for caldav: %v", err)
return false, nil
}
}
pkg/user/user.go:358
func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
// Check if we have any credentials
if u.Password == "" || u.Username == "" {
return nil, ErrNoUsernamePassword{}
}
// Check if the user exists
user, err := getUserByUsernameOrEmail(s, u.Username)
if err != nil {
// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
return nil, ErrWrongUsernameOrPassword{}
}
if user.Issuer != IssuerLocal {
return user, &ErrAccountIsNotLocal{UserID: user.ID}
}
// The user is invalid if they need to verify their email address
if user.Status == StatusEmailConfirmationRequired {
return &User{}, ErrEmailNotConfirmed{UserID: user.ID}
}
// Check the users password
err = CheckUserPassword(user, u.Password)
if err != nil {
if IsErrWrongUsernameOrPassword(err) {
handleFailedPassword(user)
}
return user, err
}
return user, nil
}
PoC
-
Setup a Docker instance of Vikunja
v2.1.0and create an account. Enable 2FA on the account. -
Logout of the account.
- Using a web proxy, such as Burp Suite, craft an HTTP request to the endpoint similar to the one shown below. Ensure that the 2FA-enabled user's username and password is properly Base64-encoded and inserted into the
Authorizationheader.
PROPFIND /dav/principals/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic {{ REDACTED }}
[ TRUNCATED ]
<?xml version="1.0"?><d:propfind xmlns:d="DAV:"><d:prop><d:displayname/><d:resourcetype/></d:prop></d:propfind>
- Observe that the response contains authenticated user information.
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 16 Mar 2026 19:31:47 GMT
Content-Length: 398
<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:CS="http://calendarserver.org/ns/"><D:response><D:href>/dav/projects</D:href><D:propstat><D:prop><D:displayname>projects</D:displayname>
[ TRUNCATED ]
- Other requests can then be crafted to retrieve more information about a specific project, such as the one below.
PROPFIND /dav/projects/1/{{ PROJECT NAME }}/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic [ REDACTED ]
[TRUNCATED]
<?xml version="1.0"?><c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"><d:prop><d:getetag/><c:calendar-data/></d:prop><c:filter><c:comp-filter name="VCALENDAR"><c:comp-filter name="VTODO"/></c:comp-filter></c:filter></c:calendar-query>
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
[ TRUNCATED ]
[ TRUNCATED ]
<D:prop><C:calendar-data>BEGIN:VCALENDAR
VERSION:2.0
X-PUBLISHED-TTL:PT4H
X-WR-CALNAME:Inbox
PRODID:-//Vikunja Todo App//EN
BEGIN:VTODO
UID:8gb6eclz-dad5-4a38-80a8-09005707eb51
DTSTAMP:20260316T190905Z
SUMMARY:test
DESCRIPTION:<p>description</p>
CREATED:20260301T203712Z
LAST-MODIFIED:20260316T190905Z
BEGIN:VALARM
TRIGGER;VALUE=DATE-TIME:20260316T130000Z
ACTION:DISPLAY
DESCRIPTION:test
END:VALARM
END:VTODO
END:VCALENDAR</C:calendar-data></D:prop><D:status>HTTP/1.1 200 OK
[ TRUNCATED ]
Impact
Any user that has 2FA enabled could have it bypassed, allowing attacker access to a lot of the user's project information.
Remediation
If there are 2FA barriers to access an account in a specific fashion, all integrations should follow those if they're using the same methods of authentication. The easiest path is probably to disable Basic Authentication for Caldav by default, but keep the token access enabled, that way users can generate tokens specifically for Caldav if they want to use that feature. Basic Auth for it could be kept, but would most likely want to be a feature flag or something along those lines. That's so users can turn it on if it's necessary, but can be notified in the documentation that it's a more unsafe pattern if 2FA is enabled.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "code.vikunja.io/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33315"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T17:25:35Z",
"nvd_published_at": "2026-03-24T15:16:35Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.\n\n### Details\nThe two files below show that when a user is accessing Caldav via Basic Authentication, it skips all steps involving 2FA. The order of operations is essentially:\n1. Retrieve basic credentials.\n2. Verify username.\n3. Verify password.\n4. Success\n\n**pkg/routes/caldav/auth.go:45**\n```go\nu, err := checkUserCaldavTokens(s, credentials)\n\tif user.IsErrUserDoesNotExist(err) {\n\t\treturn false, nil\n\t}\n\tif u == nil {\n\t\tu, err = user.CheckUserCredentials(s, credentials)\n\t\tif err != nil {\n\t\t\tlog.Errorf(\"Error during basic auth for caldav: %v\", err)\n\t\t\treturn false, nil\n\t\t}\n\t}\n```\n\n**pkg/user/user.go:358**\n```go\nfunc CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {\n\t// Check if we have any credentials\n\tif u.Password == \"\" || u.Username == \"\" {\n\t\treturn nil, ErrNoUsernamePassword{}\n\t}\n\n\t// Check if the user exists\n\tuser, err := getUserByUsernameOrEmail(s, u.Username)\n\tif err != nil {\n\t\t// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong\n\t\t_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)\n\t\treturn nil, ErrWrongUsernameOrPassword{}\n\t}\n\n\tif user.Issuer != IssuerLocal {\n\t\treturn user, \u0026ErrAccountIsNotLocal{UserID: user.ID}\n\t}\n\n\t// The user is invalid if they need to verify their email address\n\tif user.Status == StatusEmailConfirmationRequired {\n\t\treturn \u0026User{}, ErrEmailNotConfirmed{UserID: user.ID}\n\t}\n\n\t// Check the users password\n\terr = CheckUserPassword(user, u.Password)\n\tif err != nil {\n\t\tif IsErrWrongUsernameOrPassword(err) {\n\t\t\thandleFailedPassword(user)\n\t\t}\n\t\treturn user, err\n\t}\n\n\treturn user, nil\n}\n```\n\n### PoC\n1. Setup a Docker instance of Vikunja `v2.1.0` and create an account. Enable 2FA on the account.\n\u003cimg width=\"1506\" height=\"646\" alt=\"CleanShot 2026-03-16 at 15 30 24@2x\" src=\"https://github.com/user-attachments/assets/e88522af-4333-4758-8ba4-3e34de9680f7\" /\u003e\n\n2. Logout of the account.\n3. Using a web proxy, such as Burp Suite, craft an HTTP request to the endpoint similar to the one shown below. Ensure that the 2FA-enabled user\u0027s username and password is properly Base64-encoded and inserted into the `Authorization` header.\n\n```http\nPROPFIND /dav/principals/ HTTP/1.1\nHost: 127.0.0.1:3456\nAuthorization: Basic {{ REDACTED }}\n[ TRUNCATED ]\n\n\u003c?xml version=\"1.0\"?\u003e\u003cd:propfind xmlns:d=\"DAV:\"\u003e\u003cd:prop\u003e\u003cd:displayname/\u003e\u003cd:resourcetype/\u003e\u003c/d:prop\u003e\u003c/d:propfind\u003e\n```\n5. Observe that the response contains authenticated user information.\n```http\nHTTP/1.1 207 Multi-Status\nContent-Type: text/xml; charset=utf-8\nVary: Accept-Encoding\nDate: Mon, 16 Mar 2026 19:31:47 GMT\nContent-Length: 398\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003cD:multistatus xmlns:D=\"DAV:\" xmlns:C=\"urn:ietf:params:xml:ns:caldav\" xmlns:CS=\"http://calendarserver.org/ns/\"\u003e\u003cD:response\u003e\u003cD:href\u003e/dav/projects\u003c/D:href\u003e\u003cD:propstat\u003e\u003cD:prop\u003e\u003cD:displayname\u003eprojects\u003c/D:displayname\u003e\n[ TRUNCATED ]\n```\n6. Other requests can then be crafted to retrieve more information about a specific project, such as the one below.\n```http\nPROPFIND /dav/projects/1/{{ PROJECT NAME }}/ HTTP/1.1\nHost: 127.0.0.1:3456\nAuthorization: Basic [ REDACTED ]\n[TRUNCATED]\n\n\u003c?xml version=\"1.0\"?\u003e\u003cc:calendar-query xmlns:d=\"DAV:\" xmlns:c=\"urn:ietf:params:xml:ns:caldav\"\u003e\u003cd:prop\u003e\u003cd:getetag/\u003e\u003cc:calendar-data/\u003e\u003c/d:prop\u003e\u003cc:filter\u003e\u003cc:comp-filter name=\"VCALENDAR\"\u003e\u003cc:comp-filter name=\"VTODO\"/\u003e\u003c/c:comp-filter\u003e\u003c/c:filter\u003e\u003c/c:calendar-query\u003e\n```\n\n```http\nHTTP/1.1 207 Multi-Status\nContent-Type: text/xml; charset=utf-8\n[ TRUNCATED ]\n\n[ TRUNCATED ]\n\u003cD:prop\u003e\u003cC:calendar-data\u003eBEGIN:VCALENDAR\u0026#xA;VERSION:2.0\u0026#xA;X-PUBLISHED-TTL:PT4H\u0026#xA;X-WR-CALNAME:Inbox\u0026#xA;PRODID:-//Vikunja Todo App//EN\u0026#xA;BEGIN:VTODO\u0026#xA;UID:8gb6eclz-dad5-4a38-80a8-09005707eb51\u0026#xA;DTSTAMP:20260316T190905Z\u0026#xA;SUMMARY:test\u0026#xA;DESCRIPTION:\u0026lt;p\u0026gt;description\u0026lt;/p\u0026gt;\u0026#xA;CREATED:20260301T203712Z\u0026#xA;LAST-MODIFIED:20260316T190905Z\u0026#xA;BEGIN:VALARM\u0026#xA;TRIGGER;VALUE=DATE-TIME:20260316T130000Z\u0026#xA;ACTION:DISPLAY\u0026#xA;DESCRIPTION:test\u0026#xA;END:VALARM\u0026#xA;END:VTODO\u0026#xA;END:VCALENDAR\u003c/C:calendar-data\u003e\u003c/D:prop\u003e\u003cD:status\u003eHTTP/1.1 200 OK\n[ TRUNCATED ]\n```\n\n### Impact\nAny user that has 2FA enabled could have it bypassed, allowing attacker access to a lot of the user\u0027s project information. \n\n### Remediation\nIf there are 2FA barriers to access an account in a specific fashion, all integrations should follow those if they\u0027re using the same methods of authentication. The easiest path is probably to disable Basic Authentication for Caldav by default, but keep the token access enabled, that way users can generate tokens specifically for Caldav if they want to use that feature. Basic Auth for it could be kept, but would most likely want to be a feature flag or something along those lines. That\u0027s so users can turn it on if it\u0027s necessary, but can be notified in the documentation that it\u0027s a more unsafe pattern if 2FA is enabled.",
"id": "GHSA-47cr-f226-r4pq",
"modified": "2026-03-25T20:53:21Z",
"published": "2026-03-20T17:25:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33315"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-vikunja/vikunja"
},
{
"type": "WEB",
"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vikunja has a 2FA Bypass via Caldav Basic Auth"
}
GHSA-47H2-H6Q2-GHRW
Vulnerability from github – Published: 2023-10-23 00:30 – Updated: 2024-04-04 08:52WALLIX Bastion 9.x before 9.0.9 and 10.x before 10.0.5 allows unauthenticated access to sensitive information by bypassing access control on a network access administration web interface.
{
"affected": [],
"aliases": [
"CVE-2023-46319"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T00:15:08Z",
"severity": "HIGH"
},
"details": "WALLIX Bastion 9.x before 9.0.9 and 10.x before 10.0.5 allows unauthenticated access to sensitive information by bypassing access control on a network access administration web interface.",
"id": "GHSA-47h2-h6q2-ghrw",
"modified": "2024-04-04T08:52:50Z",
"published": "2023-10-23T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46319"
},
{
"type": "WEB",
"url": "https://www.wallix.com/support/alerts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.