CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-FXC9-7J2W-VX54
Vulnerability from github – Published: 2026-03-29 15:20 – Updated: 2026-03-29 15:20Impact
Multiple vulnerabilities were discovered which allowed for undesirable behaviors, including:
- Performing free tempo/charge requests
- Replaying existing tempo/charge requests
- Performing free tempo/session requests
- Piggybacking off existing tempo/session channels
- Griefing existing tempo/session channels
- Manipulate the fee payer of a tempo/charge or tempo/session handler into paying for requests
- Replaying existing stripe/charge requests
Patches
The issues are patched in 0.8.0
Workarounds
There are no workarounds available for these vulnerabilities
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "mpp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-294",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:20:45Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nMultiple vulnerabilities were discovered which allowed for undesirable behaviors, including:\n- Performing free `tempo/charge` requests\n- Replaying existing `tempo/charge` requests\n- Performing free `tempo/session` requests\n- Piggybacking off existing `tempo/session` channels\n- Griefing existing `tempo/session` channels\n- Manipulate the fee payer of a `tempo/charge` or `tempo/session` handler into paying for requests\n- Replaying existing `stripe/charge` requests\n\n### Patches\nThe issues are patched in 0.8.0\n\n### Workarounds\nThere are no workarounds available for these vulnerabilities",
"id": "GHSA-fxc9-7j2w-vx54",
"modified": "2026-03-29T15:20:45Z",
"published": "2026-03-29T15:20:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tempoxyz/mpp-rs/security/advisories/GHSA-fxc9-7j2w-vx54"
},
{
"type": "PACKAGE",
"url": "https://github.com/tempoxyz/mpp-rs"
},
{
"type": "WEB",
"url": "https://github.com/tempoxyz/mpp-rs/releases/tag/v0.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "mpp has multiple payment bypass and griefing vulnerabilities"
}
GHSA-G3R6-2CV3-63VW
Vulnerability from github – Published: 2025-08-12 21:31 – Updated: 2025-08-12 21:31An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15 and before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 & FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.
{
"affected": [],
"aliases": [
"CVE-2024-26009"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T19:15:27Z",
"severity": "HIGH"
},
"details": "An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15\tand before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 \u0026 FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager\u0027s serial number.",
"id": "GHSA-g3r6-2cv3-63vw",
"modified": "2025-08-12T21:31:20Z",
"published": "2025-08-12T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26009"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G4WG-MPFG-X2Q6
Vulnerability from github – Published: 2025-08-18 18:30 – Updated: 2025-08-18 23:18Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.0-ga1"
},
{
"last_affected": "7.4.3.132-ga132"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3639"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-18T23:18:10Z",
"nvd_published_at": "2025-08-18T17:15:29Z",
"severity": "LOW"
},
"details": "Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled.",
"id": "GHSA-g4wg-mpfg-x2q6",
"modified": "2025-08-18T23:18:10Z",
"published": "2025-08-18T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3639"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/383a4001cfdf533eb077ed6f03bc5f8fed27cf05"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/774c89c853d4b9d9abb61d6e079dab21f582cc78"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/7a70daf60416d536a45fe137d54e1054e9394fa7"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/a0265c3847af01a37d2a9ad1560e4408f2856518"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/a5081fefaffdd86a9306320c46e91f98973c39cb"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/d2806ad26cb194d0c7d654f9c447857e05dd44b2"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/e4bb21b85440157b588ebbd217995113362962cc"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/e67b47a47f3bccc9a85aeee6a40cd0188787aa0f"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/eb0457503fdb8ac49c662b690a6a4eb139ee4c67"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-18212"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal Login Bypass Vulnerability"
}
GHSA-G54J-MFPF-9C6R
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions.
{
"affected": [],
"aliases": [
"CVE-2026-54804"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:51Z",
"severity": "HIGH"
},
"details": "Subscriber Broken Authentication in Melhor Envio \u003c= 2.16.3 versions.",
"id": "GHSA-g54j-mfpf-9c6r",
"modified": "2026-06-17T18:35:52Z",
"published": "2026-06-17T18:35:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54804"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/melhor-envio-cotacao/vulnerability/wordpress-melhor-envio-plugin-2-16-3-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G56H-9V2H-9X2C
Vulnerability from github – Published: 2024-03-07 03:30 – Updated: 2024-08-06 15:30An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component.
{
"affected": [],
"aliases": [
"CVE-2024-26566"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-07T01:15:52Z",
"severity": "HIGH"
},
"details": "An issue in Cute Http File Server v.3.1 allows a remote attacker to escalate privileges via the password verification component.",
"id": "GHSA-g56h-9v2h-9x2c",
"modified": "2024-08-06T15:30:46Z",
"published": "2024-03-07T03:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26566"
},
{
"type": "WEB",
"url": "https://github.com/GZLDL/CVE/blob/main/CVE-2024-26566/CVE-2024-26566%20English.md"
},
{
"type": "WEB",
"url": "https://github.com/GZLDL/CVE/tree/main/Cute%20Http%20File%20Server%20JWT"
},
{
"type": "WEB",
"url": "http://cute.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G6Q3-96CP-5R5M
Vulnerability from github – Published: 2026-01-20 16:35 – Updated: 2026-01-20 16:35Summary
A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.
Details
The vulnerability is caused by how @fastify/express matches requests against registered middleware paths.
PoC
Step 1: Run the following Fastify application (save as app.js):
const fastify = require('fastify')({ logger: true });
async function start() {
// Register fastify-express for Express-style middleware support
await fastify.register(require('@fastify/express'));
// Middleware to block /admin route
fastify.use('/admin', (req, res, next) => {
res.statusCode = 403;
res.end('Forbidden: Access to /admin is blocked');
});
// Sample routes
fastify.get('/', async (request, reply) => {
return { message: 'Welcome to the homepage' };
});
fastify.get('/admin', async (request, reply) => {
return { message: 'Admin panel' };
});
fastify.get('/admin/dashboard', async (request, reply) => {
return { message: 'Admin dashboard' };
});
// Start server
try {
await fastify.listen({ port: 3000 });
} catch (err) {
fastify.log.error(err);
process.exit(1);
}
}
start();
Step 2: Execute the attack.
➜ ~ curl http://206.189.140.29:3000/%61dmin
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /%61dmin</pre>
</body>
</html>
(fastify express)
➜ ~ curl http://206.189.140.29:3000/%61dmin
{"message":"Admin panel"}
It differs from CVE-2026-22031 because this is a different npm module with its own code.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.0.2"
},
"package": {
"ecosystem": "npm",
"name": "@fastify/express"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22037"
],
"database_specific": {
"cwe_ids": [
"CWE-177",
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-20T16:35:21Z",
"nvd_published_at": "2026-01-19T17:15:50Z",
"severity": "HIGH"
},
"details": "### Summary\nA security vulnerability exists in `@fastify/express` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.\n\n### Details\nThe vulnerability is caused by how `@fastify/express` matches requests against registered middleware paths.\n\n### PoC\n**Step 1:** Run the following Fastify application (save as `app.js`):\n\n```javascript\nconst fastify = require(\u0027fastify\u0027)({ logger: true });\n\nasync function start() {\n // Register fastify-express for Express-style middleware support\n await fastify.register(require(\u0027@fastify/express\u0027));\n\n // Middleware to block /admin route\n fastify.use(\u0027/admin\u0027, (req, res, next) =\u003e {\n res.statusCode = 403;\n res.end(\u0027Forbidden: Access to /admin is blocked\u0027);\n });\n\n // Sample routes\n fastify.get(\u0027/\u0027, async (request, reply) =\u003e {\n return { message: \u0027Welcome to the homepage\u0027 };\n });\n\n fastify.get(\u0027/admin\u0027, async (request, reply) =\u003e {\n return { message: \u0027Admin panel\u0027 };\n });\n\n fastify.get(\u0027/admin/dashboard\u0027, async (request, reply) =\u003e {\n return { message: \u0027Admin dashboard\u0027 };\n });\n\n // Start server\n try {\n await fastify.listen({ port: 3000 });\n } catch (err) {\n fastify.log.error(err);\n process.exit(1);\n }\n}\n\nstart();\n```\n\n**Step 2:** Execute the attack.\n\n```\n\u279c ~ curl http://206.189.140.29:3000/%61dmin\n\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n\u003cmeta charset=\"utf-8\"\u003e\n\u003ctitle\u003eError\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\u003cpre\u003eCannot GET /%61dmin\u003c/pre\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\n(fastify express)\n\n\u279c ~ curl http://206.189.140.29:3000/%61dmin\n{\"message\":\"Admin panel\"}\n```\n\nIt differs from [CVE-2026-22031](https://nvd.nist.gov/vuln/detail/CVE-2026-22031) because this is a different npm module with its own code.",
"id": "GHSA-g6q3-96cp-5r5m",
"modified": "2026-01-20T16:35:21Z",
"published": "2026-01-20T16:35:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22037"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-express"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-express/releases/tag/v4.0.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)"
}
GHSA-G6RR-5FCQ-XJCM
Vulnerability from github – Published: 2025-06-10 00:30 – Updated: 2025-06-10 00:30CyberData 011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
{
"affected": [],
"aliases": [
"CVE-2025-30184"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T22:15:21Z",
"severity": "CRITICAL"
},
"details": "CyberData\u00a0011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.",
"id": "GHSA-g6rr-5fcq-xjcm",
"modified": "2025-06-10T00:30:30Z",
"published": "2025-06-10T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30184"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-155-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G74P-X9CP-Q6J2
Vulnerability from github – Published: 2025-06-18 06:31 – Updated: 2025-06-18 06:31An authentication bypass vulnerability exists in KCM3100 Ver1.4.2 and earlier. If this vulnerability is exploited, an attacker may bypass the authentication of the product from within the LAN to which the product is connected.
{
"affected": [],
"aliases": [
"CVE-2025-51381"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T05:15:50Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability exists in KCM3100 Ver1.4.2 and earlier. If this vulnerability is exploited, an attacker may bypass the authentication of the product from within the LAN to which the product is connected.",
"id": "GHSA-g74p-x9cp-q6j2",
"modified": "2025-06-18T06:31:37Z",
"published": "2025-06-18T06:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51381"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN46288336"
},
{
"type": "WEB",
"url": "https://notices.jcom.co.jp/notice/93847.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G79R-WQXW-XP7Q
Vulnerability from github – Published: 2025-10-01 06:30 – Updated: 2025-10-01 06:30An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.
{
"affected": [],
"aliases": [
"CVE-2025-10538"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T04:15:48Z",
"severity": "HIGH"
},
"details": "An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.",
"id": "GHSA-g79r-wqxw-xp7q",
"modified": "2025-10-01T06:30:22Z",
"published": "2025-10-01T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10538"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G9RQ-PPXC-PMJ6
Vulnerability from github – Published: 2024-05-06 00:30 – Updated: 2024-07-03 18:38In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content.
{
"affected": [],
"aliases": [
"CVE-2024-34524"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-06T00:15:10Z",
"severity": "CRITICAL"
},
"details": "In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content.",
"id": "GHSA-g9rq-ppxc-pmj6",
"modified": "2024-07-03T18:38:58Z",
"published": "2024-05-06T00:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34524"
},
{
"type": "WEB",
"url": "https://github.com/xlang-ai/OpenAgents/issues/112"
},
{
"type": "WEB",
"url": "https://github.com/xlang-ai/OpenAgents/blob/880e26adfe380e999962fc645fc8fc80bd72f103/backend/utils/utils.py#L31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.