Common Weakness Enumeration

CWE-841

Allowed

Improper Enforcement of Behavioral Workflow

Abstraction: Class · Status: Incomplete

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

87 vulnerabilities reference this CWE, most recent first.

GHSA-8XGV-33F9-23FM

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:45Z",
    "severity": "MODERATE"
  },
  "details": "Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.",
  "id": "GHSA-8xgv-33f9-23fm",
  "modified": "2025-10-14T18:30:30Z",
  "published": "2025-10-14T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55330"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55330"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96FR-RV8Q-2885

Vulnerability from github – Published: 2025-12-01 15:30 – Updated: 2026-06-04 09:30
VLAI
Details

Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylarım allows Functionality Misuse.This issue affects Onaylarım: from 25.09.26.01 through 18112025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T15:15:48Z",
    "severity": "LOW"
  },
  "details": "Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylar\u0131m allows Functionality Misuse.This issue affects Onaylar\u0131m: from 25.09.26.01 through 18112025.",
  "id": "GHSA-96fr-rv8q-2885",
  "modified": "2026-06-04T09:30:33Z",
  "published": "2025-12-01T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13129"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0422"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0422"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C537-PF3W-23P5

Vulnerability from github – Published: 2024-02-21 09:31 – Updated: 2025-11-04 21:31
VLAI
Details

A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1. A user's private browsing activity may be unexpectedly saved in the App Privacy Report.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-21T07:15:50Z",
    "severity": "LOW"
  },
  "details": "A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1. A user\u0027s private browsing activity may be unexpectedly saved in the App Privacy Report.",
  "id": "GHSA-c537-pf3w-23p5",
  "modified": "2025-11-04T21:31:11Z",
  "published": "2024-02-21T09:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42939"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213982"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213982"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7XW-P58W-H6FJ

Vulnerability from github – Published: 2023-07-18 19:12 – Updated: 2023-07-18 19:12
VLAI
Summary
Keycloak: Impersonation and lockout possible through incorrect handling of email trust
Details

Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-0105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-841"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-18T19:12:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Impersonation and lockout are possible due to email trust not being handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them.",
  "id": "GHSA-c7xw-p58w-h6fj",
  "modified": "2023-07-18T19:12:28Z",
  "published": "2023-07-18T19:12:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-c7xw-p58w-h6fj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/87a50d3ba790b049e436c9925874f9b418af7988"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-0105"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158910"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak: Impersonation and lockout possible through incorrect handling of email trust"
}

GHSA-CXRR-H279-673F

Vulnerability from github – Published: 2024-01-11 00:30 – Updated: 2024-01-17 18:31
VLAI
Details

A logic issue was addressed with improved checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1. Location data may be shared via iCloud links even if Location metadata is disabled via the Share Sheet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T22:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A logic issue was addressed with improved checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1. Location data may be shared via iCloud links even if Location metadata is disabled via the Share Sheet.",
  "id": "GHSA-cxrr-h279-673f",
  "modified": "2024-01-17T18:31:35Z",
  "published": "2024-01-11T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46710"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213530"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213532"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F99X-GWVM-JPFM

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.",
  "id": "GHSA-f99x-gwvm-jpfm",
  "modified": "2025-10-14T18:30:30Z",
  "published": "2025-10-14T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55337"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55337"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FGQP-CJ3R-63FM

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.",
  "id": "GHSA-fgqp-cj3r-63fm",
  "modified": "2025-10-14T18:30:31Z",
  "published": "2025-10-14T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55682"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55682"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJJX-Q8WJ-9P75

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00
VLAI
Details

Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a \u201croot\u201d user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters.",
  "id": "GHSA-fjjx-q8wj-9p75",
  "modified": "2022-07-07T00:00:27Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2105"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G886-73CF-92QR

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30
VLAI
Details

IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T14:17:54Z",
    "severity": "LOW"
  },
  "details": "IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.",
  "id": "GHSA-g886-73cf-92qr",
  "modified": "2026-03-16T15:30:41Z",
  "published": "2026-03-16T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13459"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7263486"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J72M-JWMC-PQV8

Vulnerability from github – Published: 2023-05-03 12:30 – Updated: 2024-04-04 03:47
VLAI
Details

An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible.

This issue affects:

Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-841"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-03T12:16:44Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible.\n\nThis issue affects:\n\nAmazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. \nInsignia TV with FireOS versions prior to 7.6.3.3.",
  "id": "GHSA-j72m-jwmc-pqv8",
  "modified": "2024-04-04T03:47:11Z",
  "published": "2023-05-03T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1383"
    },
    {
      "type": "WEB",
      "url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.