Common Weakness Enumeration

CWE-305

Allowed

Authentication Bypass by Primary Weakness

Abstraction: Base · Status: Draft

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

281 vulnerabilities reference this CWE, most recent first.

GHSA-8WJ3-CPMR-8WHP

Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-18 19:19
VLAI
Summary
Cockpit Content Platform vulnerable to 2FA bypass
Details

Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the develop branch and is expected to be part of version 2.2.2.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "cockpit-hq/cockpit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-18T19:19:58Z",
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "severity": "HIGH"
  },
  "details": "Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.",
  "id": "GHSA-8wj3-cpmr-8whp",
  "modified": "2022-08-18T19:19:58Z",
  "published": "2022-08-16T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cockpit-hq/cockpit/commit/4bee1b903ee20818f4a8ecb9d974b9536cc54cb4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cockpit-hq/cockpit"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/ee27e5df-516b-4cf4-9f28-346d907b5491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cockpit Content Platform vulnerable to 2FA bypass"
}

GHSA-8WRG-M8VM-5FVJ

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2021-05-20 22:25
VLAI
Summary
Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server
Details

Impact

Authentication Bypass by Primary Weakness (CWE-305)

Commit:

https://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1

ALL Users is impacted.

Patches

Yes, PLEASE UPGRADE TO v1.3.21-beta.d0ffc0a6

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kongchuanhujiao/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T22:25:09Z",
    "nvd_published_at": "2021-03-26T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAuthentication Bypass by Primary Weakness (CWE-305)\n\nCommit:\n\nhttps://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1\n\nALL Users  is impacted.\n\n### Patches\n\nYes, PLEASE UPGRADE TO v1.3.21-beta.d0ffc0a6",
  "id": "GHSA-8wrg-m8vm-5fvj",
  "modified": "2021-05-20T22:25:09Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server"
}

GHSA-93X3-M7PW-PPQM

Vulnerability from github – Published: 2024-05-13 14:57 – Updated: 2024-05-14 20:01
VLAI
Summary
Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process
Details

Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending.

The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.

A brute-force attack calling account_update.php with increasing user IDs is possible.

Impact

A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.

Patches

92d11a01b195a1b6717a2f205218089158ea6d00

Workarounds

Mitigate the risk by reducing the verification token's validity (change the value of the TOKEN_EXPIRY_AUTHENTICATED constant in constants_inc.php).

References

https://mantisbt.org/bugs/view.php?id=34433

Credits

Alexander Christian, from Vantage Point Security Indonesia

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305",
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-13T14:57:13Z",
    "nvd_published_at": "2024-05-14T15:38:28Z",
    "severity": "HIGH"
  },
  "details": "Insufficient access control in the registration and password reset process allows an attacker to reset another user\u0027s password and takeover their account, if the victim has an incomplete request pending.\n\nThe exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.\n\nA brute-force attack calling account_update.php with increasing user IDs is possible. \n \n### Impact\n\nA successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.\n\n### Patches\n\n92d11a01b195a1b6717a2f205218089158ea6d00\n\n### Workarounds\n\nMitigate the risk by reducing the verification token\u0027s validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in *constants_inc.php*).\n\n### References\n\nhttps://mantisbt.org/bugs/view.php?id=34433\n\n### Credits\n\nAlexander Christian, from Vantage Point Security Indonesia\n",
  "id": "GHSA-93x3-m7pw-ppqm",
  "modified": "2024-05-14T20:01:07Z",
  "published": "2024-05-13T14:57:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34077"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=34433"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process"
}

GHSA-9559-HPF7-PQV3

Vulnerability from github – Published: 2025-05-19 09:31 – Updated: 2025-11-03 18:31
VLAI
Details

Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T08:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.",
  "id": "GHSA-9559-hpf7-pqv3",
  "modified": "2025-11-03T18:31:16Z",
  "published": "2025-05-19T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46801"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN06238225"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://www.pgpool.net/mediawiki/index.php/Main_Page#News"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-95PW-Q9XH-P66R

Vulnerability from github – Published: 2026-06-22 12:32 – Updated: 2026-07-07 12:31
VLAI
Details

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T10:16:17Z",
    "severity": "HIGH"
  },
  "details": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.",
  "id": "GHSA-95pw-q9xh-p66r",
  "modified": "2026-07-07T12:31:35Z",
  "published": "2026-06-22T12:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4994"
    },
    {
      "type": "WEB",
      "url": "https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2026/Jul/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9FQF-7QJX-9M2H

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2025-11-04 21:30
VLAI
Details

The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-21T21:15:00Z",
    "severity": "LOW"
  },
  "details": "The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.",
  "id": "GHSA-9fqf-7qjx-9m2h",
  "modified": "2025-11-04T21:30:24Z",
  "published": "2022-05-24T17:26:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10123"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/116713"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/116713"
    },
    {
      "type": "WEB",
      "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9J22-G5G3-CW39

Vulnerability from github – Published: 2025-05-12 18:31 – Updated: 2025-05-12 18:31
VLAI
Details

SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected BIOS settings by importing a BIOS settings file with no password set.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T17:15:48Z",
    "severity": "MODERATE"
  },
  "details": "SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected  BIOS settings by importing a BIOS settings file with no password set.",
  "id": "GHSA-9j22-g5g3-cw39",
  "modified": "2025-05-12T18:31:48Z",
  "published": "2025-05-12T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46750"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/products/software/latest-software-versions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9MHQ-XCRQ-XC75

Vulnerability from github – Published: 2023-05-10 00:30 – Updated: 2024-04-04 03:58
VLAI
Details

An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305",
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-09T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message.",
  "id": "GHSA-9mhq-xcrq-xc75",
  "modified": "2024-04-04T03:58:08Z",
  "published": "2023-05-10T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28126"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/ZDI-CAN-17750-Ivanti-Avalanche-EnterpriseServer-GetSettings-Exposed-Dangerous-Method-Authentication-Bypass-Vulnerability?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9WC2-MV76-38JP

Vulnerability from github – Published: 2022-11-14 19:00 – Updated: 2022-11-18 00:30
VLAI
Details

Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305",
      "CWE-307",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-14T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.",
  "id": "GHSA-9wc2-mv76-38jp",
  "modified": "2022-11-18T00:30:20Z",
  "published": "2022-11-14T19:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kareadita/kavita/commit/f8db37d3f9aa42d47e7c4f4ca839e892d3f97afb"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/bebd0cd6-18ec-469c-b6ca-19ffa9db0699"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C57H-RX24-VF52

Vulnerability from github – Published: 2025-04-03 21:32 – Updated: 2025-10-22 00:33
VLAI
Details

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-03T20:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka \"Unauthenticated HTTP(S) port access.\" A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.",
  "id": "GHSA-c57h-rx24-vf52",
  "modified": "2025-10-22T00:33:16Z",
  "published": "2025-04-03T21:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31161"
    },
    {
      "type": "WEB",
      "url": "https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis"
    },
    {
      "type": "WEB",
      "url": "https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo"
    },
    {
      "type": "WEB",
      "url": "https://outpost24.com/blog/crushftp-auth-bypass-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://projectdiscovery.io/blog/crushftp-authentication-bypass"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31161"
    },
    {
      "type": "WEB",
      "url": "https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation"
    },
    {
      "type": "WEB",
      "url": "https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation"
    },
    {
      "type": "WEB",
      "url": "https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.