Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-JRW2-PV6M-V2W5

Vulnerability from github – Published: 2025-03-14 12:32 – Updated: 2025-06-17 18:31
VLAI
Details

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of randomization of a password created during Single Sign-On via Google or Facebook. This makes it possible for unauthenticated attackers to change the password of arbitrary Candidate-level users if the attacker knows the username assigned to the victim during account creation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-14T12:15:13Z",
    "severity": "MODERATE"
  },
  "details": "The Civi - Job Board \u0026 Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of randomization of a password created during Single Sign-On via Google or Facebook. This makes it possible for unauthenticated attackers to change the password of arbitrary Candidate-level users if the attacker knows the username assigned to the victim during account creation.",
  "id": "GHSA-jrw2-pv6m-v2w5",
  "modified": "2025-06-17T18:31:36Z",
  "published": "2025-03-14T12:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13772"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/civi-job-board-wordpress-theme/42770817#item-description__changelogs"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf04f458-7900-4dd3-84fb-169b74db97ab?source=cve"
    },
    {
      "type": "WEB",
      "url": "http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L567"
    },
    {
      "type": "WEB",
      "url": "http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L739"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JW23-2XQX-F9F7

Vulnerability from github – Published: 2025-05-06 21:30 – Updated: 2025-05-06 21:30
VLAI
Details

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-06T20:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user\u0027s user name.",
  "id": "GHSA-jw23-2xqx-f9f7",
  "modified": "2025-05-06T21:30:48Z",
  "published": "2025-05-06T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12225"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-12225"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330484"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JWC3-MM8J-J745

Vulnerability from github – Published: 2024-10-08 09:30 – Updated: 2024-10-08 09:30
VLAI
Details

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-08T09:15:19Z",
    "severity": "CRITICAL"
  },
  "details": "The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including,  5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the \"Use WordPress users as customers\" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.",
  "id": "GHSA-jwc3-mm8j-j745",
  "modified": "2024-10-08T09:30:54Z",
  "published": "2024-10-08T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8943"
    },
    {
      "type": "WEB",
      "url": "https://wpdocs.latepoint.com/changelog"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bac8c35b-2afa-4347-b86e-2f16db19a4d3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXHW-2H3Q-Q447

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:45Z",
    "severity": "MODERATE"
  },
  "details": "Unauthenticated Broken Authentication in WooCommerce Dropshipping \u003c= 5.2.4 versions.",
  "id": "GHSA-jxhw-2h3q-q447",
  "modified": "2026-06-17T18:35:51Z",
  "published": "2026-06-17T18:35:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49071"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/woocommerce-dropshipping/vulnerability/wordpress-woocommerce-dropshipping-plugin-5-2-4-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXR4-23QG-XCH9

Vulnerability from github – Published: 2025-11-12 18:31 – Updated: 2025-11-13 18:31
VLAI
Details

An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T16:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials.",
  "id": "GHSA-jxr4-23qg-xch9",
  "modified": "2025-11-13T18:31:02Z",
  "published": "2025-11-12T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64281"
    },
    {
      "type": "WEB",
      "url": "https://centralsquare.com"
    },
    {
      "type": "WEB",
      "url": "https://machevalia.blog/blog/multiple-vulnerabilities-in-centralsquare-etrakit-and-ivr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2W4-8GGF-RJ47

Vulnerability from github – Published: 2026-04-17 06:31 – Updated: 2026-04-18 00:51
VLAI
Summary
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service
Details

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "last_affected": "1.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-3605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T00:51:47Z",
    "nvd_published_at": "2026-04-17T04:16:03Z",
    "severity": "HIGH"
  },
  "details": "An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16.",
  "id": "GHSA-m2w4-8ggf-rj47",
  "modified": "2026-04-18T00:51:48Z",
  "published": "2026-04-17T06:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3605"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2026-05-vault-kvv2-metadata-and-secret-deletion-policy-bypass-denial-of-service/77342"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vault"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service"
}

GHSA-M359-P2W2-2PXH

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-11-03 21:34
VLAI
Details

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-24T15:15:23Z",
    "severity": "HIGH"
  },
  "details": "Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access.",
  "id": "GHSA-m359-p2w2-2pxh",
  "modified": "2025-11-03T21:34:05Z",
  "published": "2025-06-26T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32976"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2025/Jun/23"
    },
    {
      "type": "WEB",
      "url": "https://seralys.com/research/CVE-2025-32976.txt"
    },
    {
      "type": "WEB",
      "url": "https://support.quest.com/kb/4379499/quest-response-to-kace-sma-vulnerabilities-cve-2025-32975-cve-2025-32976-cve-2025-32977-cve-2025-32978"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jun/25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M362-99M5-P5FQ

Vulnerability from github – Published: 2024-08-15 03:30 – Updated: 2025-05-21 21:31
VLAI
Details

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verify_id_token' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to an @flutter.io email address or phone number. This also requires firebase to be configured on the website and the user to have set up firebase for their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-15T03:15:05Z",
    "severity": "HIGH"
  },
  "details": "The MStore API \u2013 Create Native Android \u0026 iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the \u0027verify_id_token\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to an @flutter.io email address or phone number. This also requires firebase to be configured on the website and the user to have set up firebase for their account.",
  "id": "GHSA-m362-99m5-p5fq",
  "modified": "2025-05-21T21:31:12Z",
  "published": "2024-08-15T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7628"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/helpers/firebase-phone-auth-helper.php?rev=3110793#L31"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/helpers/firebase-phone-auth-helper.php?rev=3110793#L35"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/helpers/firebase-phone-auth-helper.php?rev=3110793#L5"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3134553%40mstore-api\u0026new=3134553%40mstore-api\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d174f856-d94a-42ed-b547-67699e175cd8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M432-67PH-XV3M

Vulnerability from github – Published: 2026-05-26 21:32 – Updated: 2026-05-27 21:31
VLAI
Details

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T21:16:35Z",
    "severity": "LOW"
  },
  "details": "SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android\u0027s secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.",
  "id": "GHSA-m432-67ph-xv3m",
  "modified": "2026-05-27T21:31:19Z",
  "published": "2026-05-26T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68708"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/com.alpha.applock"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.alpha.applock"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M47Q-9445-W43J

Vulnerability from github – Published: 2025-08-28 15:30 – Updated: 2026-04-01 18:36
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster allows Authentication Abuse. This issue affects Jobmonster: from n/a through 4.7.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-28T13:16:09Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster allows Authentication Abuse. This issue affects Jobmonster: from n/a through 4.7.9.",
  "id": "GHSA-m47q-9445-w43j",
  "modified": "2026-04-01T18:36:01Z",
  "published": "2025-08-28T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54738"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/noo-jobmonster/vulnerability/wordpress-jobmonster-theme-4-7-9-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.