CWE-345
DiscouragedInsufficient Verification of Data Authenticity
Abstraction: Class · Status: Draft
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
941 vulnerabilities reference this CWE, most recent first.
GHSA-8R9F-H969-MM4M
Vulnerability from github – Published: 2026-04-10 21:31 – Updated: 2026-04-10 21:31When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.
{
"affected": [],
"aliases": [
"CVE-2026-3446"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T19:16:26Z",
"severity": "MODERATE"
},
"details": "When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use \"validate=True\" to enable stricter processing of base64 data.",
"id": "GHSA-8r9f-h969-mm4m",
"modified": "2026-04-10T21:31:15Z",
"published": "2026-04-10T21:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3446"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/145264"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/145267"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8RGM-MPW2-PCJV
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-06-29 00:00Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-21231"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-30T21:15:00Z",
"severity": "HIGH"
},
"details": "Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-8rgm-mpw2-pcjv",
"modified": "2022-06-29T00:00:43Z",
"published": "2022-05-24T17:49:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21231"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1198696"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202104-08"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4911"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8V6R-WPH3-967X
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19A component of the HarmonyOS has a Insufficient Verification of Data Authenticity vulnerability. Local attackers may exploit this vulnerability to bypass the control mechanism.
{
"affected": [],
"aliases": [
"CVE-2021-22460"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-28T13:15:00Z",
"severity": "MODERATE"
},
"details": "A component of the HarmonyOS has a Insufficient Verification of Data Authenticity vulnerability. Local attackers may exploit this vulnerability to bypass the control mechanism.",
"id": "GHSA-8v6r-wph3-967x",
"modified": "2022-05-24T19:19:09Z",
"published": "2022-05-24T19:19:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22460"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202107-0000001123874808"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8W6G-5XQ3-HVC5
Vulnerability from github – Published: 2023-08-08 18:30 – Updated: 2024-04-04 06:41Insufficient verification of data authenticity in Zoom Desktop Client for Windows before 5.14.5 may allow an authenticated user to enable an escalation of privilege via network access.
{
"affected": [],
"aliases": [
"CVE-2023-36541"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T18:15:14Z",
"severity": "HIGH"
},
"details": "Insufficient verification of data authenticity in Zoom Desktop Client for Windows before 5.14.5 may allow an authenticated user to enable an escalation of privilege via network access.",
"id": "GHSA-8w6g-5xq3-hvc5",
"modified": "2024-04-04T06:41:58Z",
"published": "2023-08-08T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36541"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8X4M-QW58-3PCX
Vulnerability from github – Published: 2026-03-29 15:15 – Updated: 2026-03-29 15:15Impact
Multiple vulnerabilities were discovered in tempo/charge and tempo/session which allowed for undesirable behaviors, including:
- Replaying tempo/charge transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests
- Performing free tempo/charge requests due to missing transfer log verification in pull-mode
- Replaying tempo/charge credentials across routes via cross-route scope confusion (memo/splits not included in scope binding)
- Manipulating the fee payer of a tempo/charge handler into paying for requests (missing sender signature before co-signing)
- Bypassing tempo/session voucher signature verification
- Piggybacking off existing tempo/session channels via settle voucher reuse and weak channel ID binding
- Performing free tempo/session requests by exploiting channel reopen without on-chain settled state
- Accepting deductions on finalized tempo/session channels
- Bypassing payment on free routes via method-mismatch fallback
- Griefing tempo/session channels via force-close detection bypass (closeRequestedAt not persisted)
Patches
Fixed in 0.4.8.
Workarounds
There are no workarounds available for these vulnerabilities.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mppx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-294",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:15:36Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nMultiple vulnerabilities were discovered in `tempo/charge` and `tempo/session` which allowed for undesirable behaviors, including:\n- Replaying `tempo/charge` transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests\n- Performing free `tempo/charge` requests due to missing transfer log verification in pull-mode\n- Replaying `tempo/charge` credentials across routes via cross-route scope confusion (`memo`/`splits` not included in scope binding)\n- Manipulating the fee payer of a `tempo/charge` handler into paying for requests (missing sender signature before co-signing)\n- Bypassing `tempo/session` voucher signature verification\n- Piggybacking off existing `tempo/session` channels via settle voucher reuse and weak channel ID binding\n- Performing free `tempo/session` requests by exploiting channel reopen without on-chain settled state\n- Accepting deductions on finalized `tempo/session` channels\n- Bypassing payment on free routes via method-mismatch fallback\n- Griefing `tempo/session` channels via force-close detection bypass (`closeRequestedAt` not persisted)\n\n### Patches\n\nFixed in 0.4.8.\n\n### Workarounds\n\nThere are no workarounds available for these vulnerabilities.",
"id": "GHSA-8x4m-qw58-3pcx",
"modified": "2026-03-29T15:15:36Z",
"published": "2026-03-29T15:15:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wevm/mppx/security/advisories/GHSA-8x4m-qw58-3pcx"
},
{
"type": "PACKAGE",
"url": "https://github.com/wevm/mppx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "mppx has multiple payment bypass and griefing vulnerabilities"
}
GHSA-8XR5-VRFJ-P7X2
Vulnerability from github – Published: 2022-11-02 19:00 – Updated: 2022-11-04 19:01An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64.
{
"affected": [],
"aliases": [
"CVE-2022-26122"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-02T12:15:00Z",
"severity": "HIGH"
},
"details": "An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64.",
"id": "GHSA-8xr5-vrfj-p7x2",
"modified": "2022-11-04T19:01:17Z",
"published": "2022-11-02T19:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26122"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-074"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9392-PJ54-QQF8
Vulnerability from github – Published: 2026-06-04 18:47 – Updated: 2026-06-04 18:47Summary
plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter.
The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating
any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record.
This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
### Details
Affected file:
plugin/AuthorizeNet/processPayment.json.php
Relevant code:
```php $amount = isset($_POST['amount']) ? floatval($_POST['amount']) : 0; $userData = isset($_POST['userData']) ? $_POST['userData'] : [];
if ($amount <= 0) { echo json_encode(['error' => 'Invalid amount']); exit; }
// TODO: Implement payment logic using Authorize.Net API // Example: Call Authorize.Net API here // $result = $plugin->chargePayment($amount, $userData);
// Simulate payment success for now $paymentSuccess = true; $users_id = @User::getId();
if ($paymentSuccess && !empty($users_id)) { $walletPlugin = AVideoPlugin::loadPluginIfEnabled("YPTWallet"); if ($walletPlugin) { $walletPlugin->addBalance($users_id, $amount, 'Authorize.Net one-time payment'); echo json_encode(['success' => true, 'result' => 'Payment processed and wallet updated']); exit; } }
Vulnerable flow:
1. `$_POST['amount']` is read from the client.
2. The endpoint only checks that the amount is greater than zero.
3. The real Authorize.Net charge is not performed.
4. `$paymentSuccess` is hardcoded to true.
5. The logged-in user's wallet is credited with the client-supplied amount.
There is no verification of:
- Authorize.Net transaction ID
- payment token
- webhook signature
- pending payment record
- expected server-side amount
- currency
- duplicate transaction/replay state
### PoC
Prerequisites:
- AVideo with AuthorizeNet plugin enabled
- YPTWallet plugin enabled
- Attacker has any valid user account
Steps:
1. Log in as a low-privileged user.
2. Open the wallet page and record the current balance.
3. Send the following request with the user's authenticated session cookie:
curl -i -s -b 'PHPSESSID=' \ -X POST 'https://target.example/plugin/AuthorizeNet/processPayment.json.php' \ --data 'amount=9999&userData[note]=poc'
4. The endpoint returns:
{"success":true,"result":"Payment processed and wallet updated"} ``` 5. Refresh the wallet page. 6. The wallet balance is increased by 9999.
No Authorize.Net hosted payment page, card payment, transaction confirmation, webhook, or server-side payment validation is required.
Impact
A normal authenticated user can mint arbitrary wallet balance.
Depending on the target site's configuration, this may allow the attacker to:
- purchase paid videos or subscriptions without payment
- abuse any feature backed by YPTWallet
- transfer fake funds to other users
- manipulate accounting or payout-related workflows
- bypass monetization controls
Recommended fix
- Remove or disable
processPayment.json.phpif it is obsolete. - Never credit wallet balance from client-supplied
amountalone. - Use the existing Authorize.Net hosted token / webhook / transaction reconciliation flow.
- Require a verified Authorize.Net transaction ID and server-side amount lookup before calling
addBalance(). - Add regression tests proving arbitrary POSTs cannot credit a wallet.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "WWBN/AVideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47696"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T18:47:35Z",
"nvd_published_at": "2026-05-29T14:16:32Z",
"severity": "HIGH"
},
"details": "### Summary\n\n `plugin/AuthorizeNet/processPayment.json.php` credits the logged-in user\u0027s wallet based only on the attacker-controlled `amount` POST parameter.\n\n The endpoint contains a TODO for real Authorize.Net charging, hardcodes `$paymentSuccess = true`, and then calls `YPTWallet::addBalance()` without validating\n any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record.\n\n This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the `AuthorizeNet` and `YPTWallet` plugins are enabled.\n\n ### Details\n\n Affected file:\n\n `plugin/AuthorizeNet/processPayment.json.php`\n\n Relevant code:\n\n ```php\n $amount = isset($_POST[\u0027amount\u0027]) ? floatval($_POST[\u0027amount\u0027]) : 0;\n $userData = isset($_POST[\u0027userData\u0027]) ? $_POST[\u0027userData\u0027] : [];\n\n if ($amount \u003c= 0) {\n echo json_encode([\u0027error\u0027 =\u003e \u0027Invalid amount\u0027]);\n exit;\n }\n\n // TODO: Implement payment logic using Authorize.Net API\n // Example: Call Authorize.Net API here\n // $result = $plugin-\u003echargePayment($amount, $userData);\n\n // Simulate payment success for now\n $paymentSuccess = true;\n $users_id = @User::getId();\n\n if ($paymentSuccess \u0026\u0026 !empty($users_id)) {\n $walletPlugin = AVideoPlugin::loadPluginIfEnabled(\"YPTWallet\");\n if ($walletPlugin) {\n $walletPlugin-\u003eaddBalance($users_id, $amount, \u0027Authorize.Net one-time payment\u0027);\n echo json_encode([\u0027success\u0027 =\u003e true, \u0027result\u0027 =\u003e \u0027Payment processed and wallet updated\u0027]);\n exit;\n }\n }\n```\n Vulnerable flow:\n\n 1. `$_POST[\u0027amount\u0027]` is read from the client.\n 2. The endpoint only checks that the amount is greater than zero.\n 3. The real Authorize.Net charge is not performed.\n 4. `$paymentSuccess` is hardcoded to true.\n 5. The logged-in user\u0027s wallet is credited with the client-supplied amount.\n\n There is no verification of:\n\n - Authorize.Net transaction ID\n - payment token\n - webhook signature\n - pending payment record\n - expected server-side amount\n - currency\n - duplicate transaction/replay state\n\n ### PoC\n\n Prerequisites:\n\n - AVideo with AuthorizeNet plugin enabled\n - YPTWallet plugin enabled\n - Attacker has any valid user account\n\n Steps:\n\n 1. Log in as a low-privileged user.\n 2. Open the wallet page and record the current balance.\n 3. Send the following request with the user\u0027s authenticated session cookie:\n```\n curl -i -s -b \u0027PHPSESSID=\u003cuser_session\u003e\u0027 \\\n -X POST \u0027https://target.example/plugin/AuthorizeNet/processPayment.json.php\u0027 \\\n --data \u0027amount=9999\u0026userData[note]=poc\u0027\n```\n 4. The endpoint returns:\n```\n {\"success\":true,\"result\":\"Payment processed and wallet updated\"}\n```\n 5. Refresh the wallet page.\n 6. The wallet balance is increased by 9999.\n\n No Authorize.Net hosted payment page, card payment, transaction confirmation, webhook, or server-side payment validation is required.\n\n### Impact\n\n A normal authenticated user can mint arbitrary wallet balance.\n\n Depending on the target site\u0027s configuration, this may allow the attacker to:\n\n - purchase paid videos or subscriptions without payment\n - abuse any feature backed by YPTWallet\n - transfer fake funds to other users\n - manipulate accounting or payout-related workflows\n - bypass monetization controls\n\n### Recommended fix\n\n- Remove or disable `processPayment.json.php` if it is obsolete.\n- Never credit wallet balance from client-supplied `amount` alone.\n- Use the existing Authorize.Net hosted token / webhook / transaction reconciliation flow.\n- Require a verified Authorize.Net transaction ID and server-side amount lookup before calling `addBalance()`.\n- Add regression tests proving arbitrary POSTs cannot credit a wallet.",
"id": "GHSA-9392-pj54-qqf8",
"modified": "2026-06-04T18:47:35Z",
"published": "2026-06-04T18:47:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47696"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/822402444b4db4e9442779c8c789ffe5312b3627"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint"
}
GHSA-94JH-WWGF-CMMC
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2024-03-27 15:30When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got before the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
{
"affected": [],
"aliases": [
"CVE-2021-22947"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-29T20:15:00Z",
"severity": "MODERATE"
},
"details": "When curl \u003e= 7.20.0 and \u003c= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker\u0027s injected data comes from the TLS-protected server.",
"id": "GHSA-94jh-wwgf-cmmc",
"modified": "2024-03-27T15:30:35Z",
"published": "2022-05-24T19:16:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1334763"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5197"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213183"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211029-0003"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202212-01"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Mar/29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-94MW-474Q-FXH5
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script.
{
"affected": [],
"aliases": [
"CVE-2020-19768"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-07T22:15:00Z",
"severity": "HIGH"
},
"details": "A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script.",
"id": "GHSA-94mw-474q-fxh5",
"modified": "2022-05-24T19:13:54Z",
"published": "2022-05-24T19:13:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19768"
},
{
"type": "WEB",
"url": "https://github.com/OSUPlayer/CVEs/blob/master/Suicidal/2019-07-09-02.md"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-95JH-7R58-XMXW
Vulnerability from github – Published: 2026-06-22 19:58 – Updated: 2026-06-22 19:58Summary
The Authorize.Net webhook handler at plugin/AuthorizeNet/webhook.php contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplying a valid transaction ID from a small legitimate purchase, the attacker bypasses signature validation and credits arbitrary wallet balances to any user account via attacker-controlled payload fields.
Details
Three flaws combine into an exploit chain:
1. Signature Bypass via OR Logic (webhook.php:33)
if (!$parsed['signatureValid'] && (empty($txnInfo) || !empty($txnInfo['error']))) {
http_response_code(401);
echo 'invalid signature';
exit;
}
The webhook is rejected only when both conditions are true: the signature is invalid AND the transaction lookup fails. If the attacker supplies a real transaction ID (e.g., from their own $1 purchase), getTransactionDetails() succeeds and returns valid data, so the second condition is false. The invalid signature is silently ignored.
2. Payload Values Override API-Fetched Values (AuthorizeNet.php:169-171, webhook.php:44-48)
In analyzeTransactionFromWebhook(), users_id and amount are extracted from the attacker-controlled webhook payload first:
$users_id = isset($metadata['users_id']) ? (int)$metadata['users_id'] : null;
$amount = isset($payload['amount']) ? (float)$payload['amount'] : ...;
The fallback logic in webhook.php only applies when the analysis values are empty/falsy:
if (!$analysis['users_id'] && !empty($txnInfo['users_id'])) {
$analysis['users_id'] = (int)$txnInfo['users_id'];
}
if (!$analysis['amount'] && isset($txnInfo['amount'])) {
$analysis['amount'] = (float)$txnInfo['amount'];
}
Since the forged payload already provides both values, the authoritative API-fetched values are never used.
3. Missing Approval Check (webhook.php:61-75)
The code checks only that users_id and amount are non-empty before calling processSinglePayment(). The isApproved field is computed in analyzeTransactionFromWebhook() (line 222-228) but never verified before crediting the wallet at line 68-75.
PoC
Prerequisites: Attacker has a low-privileged account on the AVideo instance and has made at least one legitimate small Authorize.Net purchase (e.g., $1.00), noting the transaction ID (e.g., 60123456789).
- Immediately after the purchase completes (to race the legitimate webhook), send a forged webhook:
curl -X POST https://target.com/plugin/AuthorizeNet/webhook.php \
-H 'Content-Type: application/json' \
-d '{
"eventType": "net.authorize.payment.authcapture.created",
"payload": {
"id": "60123456789",
"amount": 99999.99,
"responseCode": 1,
"metadata": {
"users_id": 2
}
}
}'
-
The signature check fails (no
X-ANET-Signatureheader), butgetTransactionDetails('60123456789')succeeds because it is a real transaction. The OR condition on line 33 is not fully satisfied, so execution continues. -
analyzeTransactionFromWebhook()uses the forged payload'samount: 99999.99andmetadata.users_id: 2. -
processSinglePayment()credits $99,999.99 to user ID 2's wallet viaaddBalance(). -
The dedup key is
sha1('net.authorize.payment.authcapture.created' . '60123456789'), so the legitimate webhook arriving later is silently discarded as a duplicate. -
The attacker can repeat with new transaction IDs from additional small purchases for cumulative balance inflation.
Impact
- Wallet balance inflation: Attacker credits arbitrary amounts to any user's wallet without corresponding payment, bypassing the payment gateway's actual charge amount.
- Premium content access: Inflated wallet balance allows purchasing all paid/premium video content without real payment.
- Subscription fraud: By including
plans_idin forged metadata, the attacker can activate premium subscriptions (webhook.php:86-134) without corresponding payment. - Financial loss: Platform owner loses revenue from fraudulently accessed premium content and services.
Recommended Fix
1. Reject webhooks with invalid signatures unconditionally — the transaction lookup should only be used for data enrichment after signature validation passes:
// webhook.php line 33 — FIX: reject on invalid signature alone
if (!$parsed['signatureValid']) {
_error_log('[Authorize.Net webhook] Bad signature');
http_response_code(401);
echo 'invalid signature';
exit;
}
2. Use API-fetched values as authoritative — in webhook.php lines 44-55, invert the precedence so $txnInfo values always override payload values:
// Always prefer API-fetched values over payload values
if (!empty($txnInfo['users_id'])) {
$analysis['users_id'] = (int)$txnInfo['users_id'];
}
if (isset($txnInfo['amount'])) {
$analysis['amount'] = (float)$txnInfo['amount'];
}
3. Check isApproved before processing — add a gate before processSinglePayment():
if (!$analysis['isApproved']) {
_error_log('[Authorize.Net webhook] Transaction not approved');
http_response_code(400);
echo 'transaction not approved';
exit;
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 28.0"
},
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33731"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T19:58:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe Authorize.Net webhook handler at `plugin/AuthorizeNet/webhook.php` contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplying a valid transaction ID from a small legitimate purchase, the attacker bypasses signature validation and credits arbitrary wallet balances to any user account via attacker-controlled payload fields.\n\n## Details\n\nThree flaws combine into an exploit chain:\n\n### 1. Signature Bypass via OR Logic (webhook.php:33)\n\n```php\nif (!$parsed[\u0027signatureValid\u0027] \u0026\u0026 (empty($txnInfo) || !empty($txnInfo[\u0027error\u0027]))) {\n http_response_code(401);\n echo \u0027invalid signature\u0027;\n exit;\n}\n```\n\nThe webhook is rejected only when **both** conditions are true: the signature is invalid **AND** the transaction lookup fails. If the attacker supplies a real transaction ID (e.g., from their own $1 purchase), `getTransactionDetails()` succeeds and returns valid data, so the second condition is false. The invalid signature is silently ignored.\n\n### 2. Payload Values Override API-Fetched Values (AuthorizeNet.php:169-171, webhook.php:44-48)\n\nIn `analyzeTransactionFromWebhook()`, `users_id` and `amount` are extracted from the attacker-controlled webhook **payload** first:\n\n```php\n$users_id = isset($metadata[\u0027users_id\u0027]) ? (int)$metadata[\u0027users_id\u0027] : null;\n$amount = isset($payload[\u0027amount\u0027]) ? (float)$payload[\u0027amount\u0027] : ...;\n```\n\nThe fallback logic in webhook.php only applies when the analysis values are empty/falsy:\n\n```php\nif (!$analysis[\u0027users_id\u0027] \u0026\u0026 !empty($txnInfo[\u0027users_id\u0027])) {\n $analysis[\u0027users_id\u0027] = (int)$txnInfo[\u0027users_id\u0027];\n}\nif (!$analysis[\u0027amount\u0027] \u0026\u0026 isset($txnInfo[\u0027amount\u0027])) {\n $analysis[\u0027amount\u0027] = (float)$txnInfo[\u0027amount\u0027];\n}\n```\n\nSince the forged payload already provides both values, the authoritative API-fetched values are never used.\n\n### 3. Missing Approval Check (webhook.php:61-75)\n\nThe code checks only that `users_id` and `amount` are non-empty before calling `processSinglePayment()`. The `isApproved` field is computed in `analyzeTransactionFromWebhook()` (line 222-228) but **never verified** before crediting the wallet at line 68-75.\n\n## PoC\n\n**Prerequisites:** Attacker has a low-privileged account on the AVideo instance and has made at least one legitimate small Authorize.Net purchase (e.g., $1.00), noting the transaction ID (e.g., `60123456789`).\n\n1. Immediately after the purchase completes (to race the legitimate webhook), send a forged webhook:\n\n```bash\ncurl -X POST https://target.com/plugin/AuthorizeNet/webhook.php \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\n \"eventType\": \"net.authorize.payment.authcapture.created\",\n \"payload\": {\n \"id\": \"60123456789\",\n \"amount\": 99999.99,\n \"responseCode\": 1,\n \"metadata\": {\n \"users_id\": 2\n }\n }\n }\u0027\n```\n\n2. The signature check fails (no `X-ANET-Signature` header), but `getTransactionDetails(\u002760123456789\u0027)` succeeds because it is a real transaction. The OR condition on line 33 is not fully satisfied, so execution continues.\n\n3. `analyzeTransactionFromWebhook()` uses the forged payload\u0027s `amount: 99999.99` and `metadata.users_id: 2`.\n\n4. `processSinglePayment()` credits $99,999.99 to user ID 2\u0027s wallet via `addBalance()`.\n\n5. The dedup key is `sha1(\u0027net.authorize.payment.authcapture.created\u0027 . \u002760123456789\u0027)`, so the legitimate webhook arriving later is silently discarded as a duplicate.\n\n6. The attacker can repeat with new transaction IDs from additional small purchases for cumulative balance inflation.\n\n## Impact\n\n- **Wallet balance inflation:** Attacker credits arbitrary amounts to any user\u0027s wallet without corresponding payment, bypassing the payment gateway\u0027s actual charge amount.\n- **Premium content access:** Inflated wallet balance allows purchasing all paid/premium video content without real payment.\n- **Subscription fraud:** By including `plans_id` in forged metadata, the attacker can activate premium subscriptions (webhook.php:86-134) without corresponding payment.\n- **Financial loss:** Platform owner loses revenue from fraudulently accessed premium content and services.\n\n## Recommended Fix\n\n**1. Reject webhooks with invalid signatures unconditionally** \u2014 the transaction lookup should only be used for data enrichment *after* signature validation passes:\n\n```php\n// webhook.php line 33 \u2014 FIX: reject on invalid signature alone\nif (!$parsed[\u0027signatureValid\u0027]) {\n _error_log(\u0027[Authorize.Net webhook] Bad signature\u0027);\n http_response_code(401);\n echo \u0027invalid signature\u0027;\n exit;\n}\n```\n\n**2. Use API-fetched values as authoritative** \u2014 in webhook.php lines 44-55, invert the precedence so `$txnInfo` values always override payload values:\n\n```php\n// Always prefer API-fetched values over payload values\nif (!empty($txnInfo[\u0027users_id\u0027])) {\n $analysis[\u0027users_id\u0027] = (int)$txnInfo[\u0027users_id\u0027];\n}\nif (isset($txnInfo[\u0027amount\u0027])) {\n $analysis[\u0027amount\u0027] = (float)$txnInfo[\u0027amount\u0027];\n}\n```\n\n**3. Check `isApproved` before processing** \u2014 add a gate before `processSinglePayment()`:\n\n```php\nif (!$analysis[\u0027isApproved\u0027]) {\n _error_log(\u0027[Authorize.Net webhook] Transaction not approved\u0027);\n http_response_code(400);\n echo \u0027transaction not approved\u0027;\n exit;\n}\n```",
"id": "GHSA-95jh-7r58-xmxw",
"modified": "2026-06-22T19:58:51Z",
"published": "2026-06-22T19:58:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-95jh-7r58-xmxw"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/033e83ae904cacb99495dbea7cbcfb3738cf42e4"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data"
}
No mitigation information available for this CWE.
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-148: Content Spoofing
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.
CAPEC-218: Spoofing of UDDI/ebXML Messages
An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.