CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14544 vulnerabilities reference this CWE, most recent first.
GHSA-7R9P-F462-32JP
Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2026-04-01 18:36Missing Authorization vulnerability in wpshuffle Subscribe To Unlock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe To Unlock: from n/a through 1.1.5.
{
"affected": [],
"aliases": [
"CVE-2025-60152"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-26T09:15:43Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in wpshuffle Subscribe To Unlock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe To Unlock: from n/a through 1.1.5.",
"id": "GHSA-7r9p-f462-32jp",
"modified": "2026-04-01T18:36:22Z",
"published": "2025-09-26T09:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60152"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/subscribe-to-unlock/vulnerability/wordpress-subscribe-to-unlock-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RCX-JJ9Q-R3RJ
Vulnerability from github – Published: 2023-09-04 03:30 – Updated: 2024-04-04 07:23In vowifiservice, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges
{
"affected": [],
"aliases": [
"CVE-2023-38441"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T02:15:08Z",
"severity": "MODERATE"
},
"details": "In vowifiservice, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges",
"id": "GHSA-7rcx-jj9q-r3rj",
"modified": "2024-04-04T07:23:20Z",
"published": "2023-09-04T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38441"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1698296481653522434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RFW-95JM-3H4C
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-06 15:31Missing Authorization vulnerability in WPXPO WowAddons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WowAddons: from n/a through 1.0.17.
{
"affected": [],
"aliases": [
"CVE-2025-57958"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:15:54Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WPXPO WowAddons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WowAddons: from n/a through 1.0.17.",
"id": "GHSA-7rfw-95jm-3h4c",
"modified": "2026-04-06T15:31:22Z",
"published": "2025-09-22T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57958"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/product-addons/vulnerability/wordpress-wowaddons-plugin-1-0-17-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RFW-QH9G-VG98
Vulnerability from github – Published: 2023-02-27 15:30 – Updated: 2023-03-07 18:30A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.
{
"affected": [],
"aliases": [
"CVE-2023-27264"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.",
"id": "GHSA-7rfw-qh9g-vg98",
"modified": "2023-03-07T18:30:39Z",
"published": "2023-02-27T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27264"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RGC-R95X-R2M3
Vulnerability from github – Published: 2025-11-26 18:31 – Updated: 2025-12-03 21:31Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.
{
"affected": [],
"aliases": [
"CVE-2025-46175"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-26T17:15:45Z",
"severity": "HIGH"
},
"details": "Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.",
"id": "GHSA-7rgc-r95x-r2m3",
"modified": "2025-12-03T21:31:02Z",
"published": "2025-11-26T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46175"
},
{
"type": "WEB",
"url": "https://gist.github.com/Han-tj/74d2ed84ede1909da55090fed410d288"
},
{
"type": "WEB",
"url": "https://gitee.com/y_project/RuoYi/commit/f935b2782f4237cdbcc13bdce76703e82c42f4fe"
},
{
"type": "WEB",
"url": "https://gitee.com/y_project/RuoYi/issues/IC1FS0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RGQ-5GWV-QV9H
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31Missing Authorization vulnerability in WPClever WPC Product Bundles for WooCommerce woo-product-bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPC Product Bundles for WooCommerce: from n/a through <= 8.4.5.
{
"affected": [],
"aliases": [
"CVE-2026-32406"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:54:57Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WPClever WPC Product Bundles for WooCommerce woo-product-bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPC Product Bundles for WooCommerce: from n/a through \u003c= 8.4.5.",
"id": "GHSA-7rgq-5gwv-qv9h",
"modified": "2026-03-13T21:31:49Z",
"published": "2026-03-13T21:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32406"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/woo-product-bundle/vulnerability/wordpress-wpc-product-bundles-for-woocommerce-plugin-8-4-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RH8-VJ62-QFCG
Vulnerability from github – Published: 2025-04-21 15:31 – Updated: 2025-04-21 15:31An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability exists due to insufficient access controls on an API endpoint, enabling any authenticated user to specify and delete files outside their intended scope. Exploiting this flaw could lead to data loss, denial of service (DoS), and potential escalation of impact depending on the deleted files.
Affected versions: * Any version of Dremio below 24.0.0
-
Dremio 24.3.0 - 24.3.16
-
Dremio 25.0.0 - 25.0.14
-
Dremio 25.1.0 - 25.1.7
-
Dremio 25.2.0 - 25.2.4
Fixed in version: * Dremio 24.3.17 and above
-
Dremio 25.0.15 and above
-
Dremio 25.1.8 and above
-
Dremio 25.2.5 and above
-
Dremio 26.0.0 and above
{
"affected": [],
"aliases": [
"CVE-2025-2298"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-21T15:16:00Z",
"severity": "HIGH"
},
"details": "An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability exists due to insufficient access controls on an API endpoint, enabling any authenticated user to specify and delete files outside their intended scope. Exploiting this flaw could lead to data loss, denial of service (DoS), and potential escalation of impact depending on the deleted files.\n\nAffected versions:\n * Any version of Dremio below 24.0.0\n\n\n * Dremio 24.3.0 - 24.3.16\n\n\n * Dremio 25.0.0 - 25.0.14\n\n\n * Dremio 25.1.0 - 25.1.7\n\n\n * Dremio 25.2.0 - 25.2.4\n\n\n\n\n\nFixed in version:\u00a0\n * Dremio 24.3.17 and above\n\n\n * Dremio 25.0.15 and above\n\n\n * Dremio 25.1.8 and above\n\n\n * Dremio 25.2.5 and above\n\n\n * Dremio 26.0.0 and above",
"id": "GHSA-7rh8-vj62-qfcg",
"modified": "2025-04-21T15:31:26Z",
"published": "2025-04-21T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2298"
},
{
"type": "WEB",
"url": "https://docs.dremio.com/current/reference/bulletins/2025-04-21-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7RJH-PX4V-5W55
Vulnerability from github – Published: 2026-05-08 19:50 – Updated: 2026-05-15 23:52Channel Access Grants Bypass filter_allowed_access_grants
Affected Component
Channel creation and update endpoints:
- backend/open_webui/routers/channels.py (lines 291-340, create_new_channel)
- backend/open_webui/routers/channels.py (lines 617-638, update_channel_by_id)
- backend/open_webui/models/channels.py (lines 825-826, set_access_grants call without filtering)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions supporting user-created group channels with access grants.
Description
All resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call filter_allowed_access_grants() before persisting access grants. This function strips principal_id: "*" wildcard grants from users who lack the relevant sharing.public_* permission, and strips individual user grants from users who lack access_grants.allow_users permission.
The channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework.
# channels.py — access_grants from form data flow directly into persistence
# No call to filter_allowed_access_grants() anywhere in these paths.
# Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py,
# all of which do:
# form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants)
# before creating or updating.
Attack Scenario
- Admin configures permissions so that regular users do NOT have
sharing.public_channels— public sharing of channels is intended to be admin-only. - Attacker (a regular user) creates or owns a group channel.
- Attacker sends:
POST /api/v1/channels/ { "name": "public-channel", "type": "group", "access_control": { "access_grants": [ {"principal_type": "user", "principal_id": "*", "permission": "read"} ] } } set_access_grantsis called directly withoutfilter_allowed_access_grants— the wildcard grant is persisted.- The channel becomes publicly readable to every user on the instance, despite the admin's policy prohibiting public channels for regular users.
The same attack works via POST /api/v1/channels/{id}/update for any channel the attacker owns.
Impact
- Regular users can bypass the
sharing.public_channelspermission and make channels publicly accessible - Regular users can bypass
access_grants.allow_usersto grant individual-user access in environments where only group-based sharing is intended - Admin's permission framework for channels is silently ineffective
- Creates an inconsistency with every other resource type in the codebase, making the security posture harder to reason about
Preconditions
- Attacker must have an account with the ability to create group channels (default user capability), or ownership of an existing channel
- Admin must have configured restrictive sharing permissions for regular users (otherwise there's no policy to bypass)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.12"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44558"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:50:51Z",
"nvd_published_at": "2026-05-15T20:16:47Z",
"severity": "MODERATE"
},
"details": "# Channel Access Grants Bypass filter_allowed_access_grants\n\n## Affected Component\n\nChannel creation and update endpoints:\n- `backend/open_webui/routers/channels.py` (lines 291-340, `create_new_channel`)\n- `backend/open_webui/routers/channels.py` (lines 617-638, `update_channel_by_id`)\n- `backend/open_webui/models/channels.py` (lines 825-826, `set_access_grants` call without filtering)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions supporting user-created group channels with access grants.\n\n## Description\n\nAll resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call `filter_allowed_access_grants()` before persisting access grants. This function strips `principal_id: \"*\"` wildcard grants from users who lack the relevant `sharing.public_*` permission, and strips individual user grants from users who lack `access_grants.allow_users` permission.\n\nThe channel router does not call `filter_allowed_access_grants` on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants \u2014 including public wildcard grants \u2014 and those grants are stored verbatim, bypassing the admin\u0027s permission framework.\n\n```python\n# channels.py \u2014 access_grants from form data flow directly into persistence\n# No call to filter_allowed_access_grants() anywhere in these paths.\n\n# Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py,\n# all of which do:\n# form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants)\n# before creating or updating.\n```\n\n## Attack Scenario\n\n1. Admin configures permissions so that regular users do NOT have `sharing.public_channels` \u2014 public sharing of channels is intended to be admin-only.\n2. Attacker (a regular user) creates or owns a group channel.\n3. Attacker sends:\n ```\n POST /api/v1/channels/\n {\n \"name\": \"public-channel\",\n \"type\": \"group\",\n \"access_control\": {\n \"access_grants\": [\n {\"principal_type\": \"user\", \"principal_id\": \"*\", \"permission\": \"read\"}\n ]\n }\n }\n ```\n4. `set_access_grants` is called directly without `filter_allowed_access_grants` \u2014 the wildcard grant is persisted.\n5. The channel becomes publicly readable to every user on the instance, despite the admin\u0027s policy prohibiting public channels for regular users.\n\nThe same attack works via `POST /api/v1/channels/{id}/update` for any channel the attacker owns.\n\n## Impact\n\n- Regular users can bypass the `sharing.public_channels` permission and make channels publicly accessible\n- Regular users can bypass `access_grants.allow_users` to grant individual-user access in environments where only group-based sharing is intended\n- Admin\u0027s permission framework for channels is silently ineffective\n- Creates an inconsistency with every other resource type in the codebase, making the security posture harder to reason about\n\n## Preconditions\n\n- Attacker must have an account with the ability to create group channels (default user capability), or ownership of an existing channel\n- Admin must have configured restrictive sharing permissions for regular users (otherwise there\u0027s no policy to bypass)",
"id": "GHSA-7rjh-px4v-5w55",
"modified": "2026-05-15T23:52:41Z",
"published": "2026-05-08T19:50:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rjh-px4v-5w55"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44558"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI\u0027s Channel Access Grants Bypass filter_allowed_access_grants"
}
GHSA-7RJP-FGWJ-47RW
Vulnerability from github – Published: 2022-01-28 22:14 – Updated: 2022-02-02 16:17Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.shenyu:shenyu-common"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23945"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-26T22:42:09Z",
"nvd_published_at": "2022-01-25T13:15:00Z",
"severity": "HIGH"
},
"details": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.",
"id": "GHSA-7rjp-fgwj-47rw",
"modified": "2022-02-02T16:17:08Z",
"published": "2022-01-28T22:14:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23945"
},
{
"type": "WEB",
"url": "https://github.com/apache/shenyu/pull/2723"
},
{
"type": "WEB",
"url": "https://github.com/apache/shenyu/commit/9a02215013037e1cc8cd41f216164628a9e9e28f"
},
{
"type": "WEB",
"url": "https://github.com/apache/incubator-shenyu"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing authentication in ShenYu"
}
GHSA-7RM4-78M3-R89P
Vulnerability from github – Published: 2022-12-12 18:30 – Updated: 2022-12-15 00:30The WooCommerce Shipping WordPress plugin through 1.2.11 does not have authorisation and CRSF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable.
{
"affected": [],
"aliases": [
"CVE-2022-3999"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T18:15:00Z",
"severity": "HIGH"
},
"details": "The WooCommerce Shipping WordPress plugin through 1.2.11 does not have authorisation and CRSF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable.",
"id": "GHSA-7rm4-78m3-r89p",
"modified": "2022-12-15T00:30:15Z",
"published": "2022-12-12T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3999"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/625ae924-68db-4579-a34f-e6f33aa33643"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.