Common Weakness Enumeration

CWE-807

Allowed

Reliance on Untrusted Inputs in a Security Decision

Abstraction: Base · Status: Incomplete

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

145 vulnerabilities reference this CWE, most recent first.

GHSA-RRH4-6QQP-9MPV

Vulnerability from github – Published: 2025-11-06 21:31 – Updated: 2025-11-06 21:31
VLAI
Details

oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation-webui. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the trust_remote_code parameter provided to the load endpoint. The issue results from the lack of proper validation of a user-supplied argument before using it to load a model. An attacker can leverage this vulnerability to execute code in the context of the service account. . Was ZDI-CAN-26680.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-06T21:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of oobabooga text-generation-webui. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the trust_remote_code parameter provided to the load endpoint. The issue results from the lack of proper validation of a user-supplied argument before using it to load a model. An attacker can leverage this vulnerability to execute code in the context of the service account.\n. Was ZDI-CAN-26680.",
  "id": "GHSA-rrh4-6qqp-9mpv",
  "modified": "2025-11-06T21:31:31Z",
  "published": "2025-11-06T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12488"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oobabooga/text-generation-webui/commit/b5a6904c4ac4049823396090360b6f566f4e4603"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-981"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RXQH-7QX7-59M3

Vulnerability from github – Published: 2024-11-05 12:31 – Updated: 2024-11-07 12:30
VLAI
Details

In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T10:20:04Z",
    "severity": "MODERATE"
  },
  "details": "In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient \nVerification of Data Authenticity vulnerability could allow an attacker \nto escalate their privileges and gain root access to the system.",
  "id": "GHSA-rxqh-7qx7-59m3",
  "modified": "2024-11-07T12:30:34Z",
  "published": "2024-11-05T12:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47254"
    },
    {
      "type": "WEB",
      "url": "https://www.2n.com/en-GB/about-2n/cybersecurity"
    },
    {
      "type": "WEB",
      "url": "https://www.2n.com/en-GB/download/Access-Commander-Security-Advisory-2024-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V226-32C7-X2V7

Vulnerability from github – Published: 2026-02-10 00:29 – Updated: 2026-02-10 02:57
VLAI
Summary
Cube Core is vulnerable to privilege escalation via a specially crafted request
Details

Impact

It is possible to make a specially crafted request with a valid API token that leads to privilege escalation.

Affected Versions:

≥= 0.27.19

Mitigation:

Upgrade to a patched version:

  • 1.5.13 and later (regular release)
  • 1.4.2 (active LTS release)
  • 1.0.14 (end-of-life LTS release)

References

The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cubejs-backend/server-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.27.19"
            },
            {
              "fixed": "1.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cubejs-backend/server-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cubejs-backend/server-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T00:29:07Z",
    "nvd_published_at": "2026-02-09T23:16:06Z",
    "severity": "HIGH"
  },
  "details": "### **Impact**\n\nIt is possible to make a specially crafted request with a valid API token that leads to privilege escalation.\n\n### Affected Versions:\n\n`\u2265= 0.27.19` \n\n### Mitigation:\n\nUpgrade to a patched version:\n\n- 1.5.13 and later (regular release)\n- 1.4.2 (active\u00a0[LTS release](https://cube.dev/docs/product/administration/distribution#long-term-support))\n- 1.0.14 (end-of-life LTS release)\n\n### **References**\n\nThe issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.",
  "id": "GHSA-v226-32c7-x2v7",
  "modified": "2026-02-10T02:57:34Z",
  "published": "2026-02-10T00:29:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25958"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cube-js/cube"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cube Core is vulnerable to privilege escalation via a specially crafted request"
}

GHSA-V5JF-VJFX-FRFR

Vulnerability from github – Published: 2026-04-02 09:30 – Updated: 2026-04-16 21:31
VLAI
Details

SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-29134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-02T09:16:21Z",
    "severity": "MODERATE"
  },
  "details": "SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions.",
  "id": "GHSA-v5jf-vjfx-frfr",
  "modified": "2026-04-16T21:31:09Z",
  "published": "2026-04-02T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29134"
    },
    {
      "type": "WEB",
      "url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VHJM-W3VW-G6JW

Vulnerability from github – Published: 2025-03-12 21:31 – Updated: 2025-03-12 21:31
VLAI
Details

A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM.

GlobalProtect App on macOS, Linux, iOS, Android, Chrome OS and GlobalProtect UWP App are not affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T19:15:37Z",
    "severity": "HIGH"
  },
  "details": "A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\\SYSTEM.\n\nGlobalProtect App on macOS, Linux, iOS, Android, Chrome OS and GlobalProtect UWP App are not affected.",
  "id": "GHSA-vhjm-w3vw-g6jw",
  "modified": "2025-03-12T21:31:29Z",
  "published": "2025-03-12T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0117"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2025-0117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VJ7P-X3WH-G79X

Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-24 15:30
VLAI
Details

Pixel Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters, causing the application to become unresponsive or terminate abnormally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-23T14:16:26Z",
    "severity": "MODERATE"
  },
  "details": "Pixel Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters, causing the application to become unresponsive or terminate abnormally.",
  "id": "GHSA-vj7p-x3wh-g79x",
  "modified": "2026-03-24T15:30:26Z",
  "published": "2026-03-24T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25621"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46127"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/pixel-studio-denial-of-service-via-malformed-input"
    },
    {
      "type": "WEB",
      "url": "http://www.pixarra.com"
    },
    {
      "type": "WEB",
      "url": "http://www.pixarra.com/uploads/9/4/6/3/94635436/tbpixelstudio_install.exe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VVGP-4C28-M3JM

Vulnerability from github – Published: 2026-03-03 21:52 – Updated: 2026-03-30 13:38
VLAI
Summary
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
Details

Summary

A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods.

Impact

With trusted-proxy authentication enabled, a node role websocket client could skip pairing by using client.id=control-ui. That created an authorization boundary bypass from a node-scoped connection into node event execution flows.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected range: <= 2026.2.24
  • Latest published vulnerable version: 2026.2.24
  • Patched in next release: 2026.2.25 (pre-set below so this advisory is ready to publish after npm release)

Fix

The trusted-proxy Control UI bypass now additionally requires role === "operator".

Fix Commit(s)

  • ec45c317f5d0631a3d333b236da58c4749ede2a3

Release Process Note

patched_versions is intentionally pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.2.25` is published, the remaining GHSA action is to publish this advisory.

OpenClaw thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32057"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:52:16Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nA trusted-proxy Control UI pairing bypass accepted `client.id=control-ui` without device identity checks. The bypass did not require `operator` role, so an authenticated `node` role session could connect unpaired and reach node event methods.\n\n## Impact\nWith trusted-proxy authentication enabled, a `node` role websocket client could skip pairing by using `client.id=control-ui`. That created an authorization boundary bypass from a node-scoped connection into node event execution flows.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected range: `\u003c= 2026.2.24`\n- Latest published vulnerable version: `2026.2.24`\n- Patched in next release: `2026.2.25` (pre-set below so this advisory is ready to publish after npm release)\n\n## Fix\nThe trusted-proxy Control UI bypass now additionally requires `role === \"operator\"`.\n\n### Fix Commit(s)\n- `ec45c317f5d0631a3d333b236da58c4749ede2a3`\n\n## Release Process Note\n`patched_versions` is intentionally pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.2.25` is published, the remaining GHSA action is to publish this advisory.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-vvgp-4c28-m3jm",
  "modified": "2026-03-30T13:38:27Z",
  "published": "2026-03-03T21:52:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32057"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions"
}

GHSA-W28C-F4W5-MFWH

Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-06 18:30
VLAI
Details

Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T16:15:50Z",
    "severity": "HIGH"
  },
  "details": "Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low)",
  "id": "GHSA-w28c-f4w5-mfwh",
  "modified": "2024-08-06T18:30:57Z",
  "published": "2024-08-06T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7005"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/40068800"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6RQ-6H34-VH7Q

Vulnerability from github – Published: 2021-07-01 17:02 – Updated: 2021-09-01 19:32
VLAI
Summary
Cached redirect poisoning via X-Forwarded-Host header
Details

A user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key.

Users are only vulnerable if they do not configure a custom PublicAddress instance. A custom PublicAddress can be specified by using ServerConfigBuilder::publicAddress. For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of PublicAddress which is vulnerable.

Impact

This can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location.

Patches

As of Ratpack 1.9.0, two changes have been made that mitigate this vulnerability:

  1. The default PublicAddress implementation no longer infers the address from the request context, instead relying on the configured bind host/port
  2. Relative redirects issued by the application are no longer absolutized; they are passed through as-is

Workarounds

In production, ensure that ServerConfigBuilder::publicAddress correctly configures the server.

References

  • https://portswigger.net/web-security/web-cache-poisoning
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.ratpack:ratpack-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-30T17:50:31Z",
    "nvd_published_at": "2021-06-29T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A user supplied `X-Forwarded-Host` header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the `X-Forwarded-Host` header as a cache key.\n\nUsers are only vulnerable if they do not configure a custom `PublicAddress` instance. A custom `PublicAddress` can be specified by using [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-). For versions prior to 1.9.0, by default, Ratpack utilizes an inferring version of `PublicAddress` which is vulnerable.\n\n### Impact\n\nThis can be used to perform redirect cache poisoning where an attacker can force a cached redirect to redirect to their site instead of the intended redirect location.\n\n### Patches\n\nAs of Ratpack 1.9.0, two changes have been made that mitigate this vulnerability:\n\n1. The default PublicAddress implementation no longer infers the address from the request context, instead relying on the configured bind host/port\n2. Relative redirects issued by the application are no longer absolutized; they are passed through as-is\n\n### Workarounds\n\nIn production, ensure that [ServerConfigBuilder::publicAddress](https://ratpack.io/manual/current/api/ratpack/server/ServerConfigBuilder.html#publicAddress-java.net.URI-) correctly configures the server.\n\n### References\n - https://portswigger.net/web-security/web-cache-poisoning",
  "id": "GHSA-w6rq-6h34-vh7q",
  "modified": "2021-09-01T19:32:52Z",
  "published": "2021-07-01T17:02:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29479"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ratpack/ratpack"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/web-security/web-cache-poisoning"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cached redirect poisoning via X-Forwarded-Host header"
}

GHSA-WJJV-5WQM-9J59

Vulnerability from github – Published: 2024-11-04 15:31 – Updated: 2024-11-06 18:31
VLAI
Details

This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the second factor authentication process.

Successful exploitation of this vulnerability could allow the attacker to bypass OTP verification for accessing other user accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-04T13:17:05Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the second factor authentication process.  \n\nSuccessful exploitation of this vulnerability could allow the attacker to bypass OTP verification for accessing other user accounts.",
  "id": "GHSA-wjjv-5wqm-9j59",
  "modified": "2024-11-06T18:31:05Z",
  "published": "2024-11-04T15:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51561"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-14
Architecture and Design

Strategy: Attack Surface Reduction

  • Store state information and sensitive data on the server side only.
  • Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions.
  • If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328).
Mitigation MIT-4.2
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • With a stateless protocol such as HTTP, use a framework that maintains the state for you.
  • Examples include ASP.NET View State [REF-756] and the OWASP ESAPI Session Management feature [REF-45].
  • Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-16
Operation Implementation

Strategy: Environment Hardening

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Identify all inputs that are used for security decisions and determine if you can modify the design so that you do not have to rely on submitted inputs at all. For example, you may be able to keep critical information about the user's session on the server side instead of recording it within external data.

No CAPEC attack patterns related to this CWE.