CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14537 vulnerabilities reference this CWE, most recent first.
GHSA-7V4C-CRF5-VP7R
Vulnerability from github – Published: 2024-07-16 12:30 – Updated: 2024-07-16 12:30The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change some of the plugin settings.
{
"affected": [],
"aliases": [
"CVE-2024-6579"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-16T10:15:03Z",
"severity": "MODERATE"
},
"details": "The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change some of the plugin settings.",
"id": "GHSA-7v4c-crf5-vp7r",
"modified": "2024-07-16T12:30:38Z",
"published": "2024-07-16T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6579"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vc-addons-by-bit14/tags/1.4.5/bit14-vc-addons.php#L102"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vc-addons-by-bit14/tags/1.4.5/bit14-vc-addons.php#L114"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vc-addons-by-bit14/tags/1.4.5/bit14-vc-addons.php#L125"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/746b77c9-64f8-43e8-9c2a-ce6bc35fd24c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V66-8JM8-8X7G
Vulnerability from github – Published: 2023-02-12 06:30 – Updated: 2023-02-21 21:30In cmd services, there is a OS command injection issue due to missing permission check. This could lead to local escalation of privilege with system execution privileges needed.
{
"affected": [],
"aliases": [
"CVE-2022-47339"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-12T04:15:00Z",
"severity": "MODERATE"
},
"details": "In cmd services, there is a OS command injection issue due to missing permission check. This could lead to local escalation of privilege with system execution privileges needed.",
"id": "GHSA-7v66-8jm8-8x7g",
"modified": "2023-02-21T21:30:19Z",
"published": "2023-02-12T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47339"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1621031430231134210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7V6H-292G-JMMF
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in Dylan Blokhuis Instant CSS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Instant CSS: from n/a through 1.1.4.
{
"affected": [],
"aliases": [
"CVE-2023-38483"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:19Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Dylan Blokhuis Instant CSS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Instant CSS: from n/a through 1.1.4.",
"id": "GHSA-7v6h-292g-jmmf",
"modified": "2026-04-28T21:35:25Z",
"published": "2024-12-13T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38483"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/instant-css/vulnerability/wordpress-instant-css-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7V6J-25FH-PW8V
Vulnerability from github – Published: 2026-02-05 09:31 – Updated: 2026-02-05 09:31The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.
{
"affected": [],
"aliases": [
"CVE-2025-13416"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T09:15:50Z",
"severity": "MODERATE"
},
"details": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.",
"id": "GHSA-7v6j-25fh-pw8v",
"modified": "2026-02-05T09:31:13Z",
"published": "2026-02-05T09:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13416"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3448434%40profilegrid-user-profiles-groups-and-communities\u0026new=3448434%40profilegrid-user-profiles-groups-and-communities\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V7G-MH53-89HW
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-10-27 13:08Jenkins AWS Global Configuration Plugin 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions.
This allows attackers with Overall/Read permission to replace the global AWS configuration.
Jenkins AWS Global Configuration Plugin 1.6 properly performs permission checks when processing configuration form submissions.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:aws-global-configuration"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2311"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-22T03:34:41Z",
"nvd_published_at": "2020-11-04T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins AWS Global Configuration Plugin 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions.\n\nThis allows attackers with Overall/Read permission to replace the global AWS configuration.\n\nJenkins AWS Global Configuration Plugin 1.6 properly performs permission checks when processing configuration form submissions.",
"id": "GHSA-7v7g-mh53-89hw",
"modified": "2023-10-27T13:08:26Z",
"published": "2022-05-24T17:33:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2311"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/aws-global-configuration-plugin/commit/783618f98dcda35cee978c54ed8760b9436f5210"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/aws-global-configuration-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing permission check in Jenkins AWS Global Configuration Plugin allows replacing plugin configuration"
}
GHSA-7V85-67Q3-8QC9
Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-24 09:30The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both wp_ajax_cf7cdb_delete and wp_ajax_nopriv_cf7cdb_delete, and it performs no nonce verification, no capability check, and no ownership check before invoking $wpdb->delete() against the wp_cf7cdb_data table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.
{
"affected": [],
"aliases": [
"CVE-2026-12094"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T07:16:26Z",
"severity": "MODERATE"
},
"details": "The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both `wp_ajax_cf7cdb_delete` and `wp_ajax_nopriv_cf7cdb_delete`, and it performs no nonce verification, no capability check, and no ownership check before invoking `$wpdb-\u003edelete()` against the `wp_cf7cdb_data` table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.",
"id": "GHSA-7v85-67q3-8qc9",
"modified": "2026-06-24T09:30:45Z",
"published": "2026-06-24T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12094"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/advanced-contact-form-7-compact-db/trunk/cf7cdb.php#L104"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/advanced-contact-form-7-compact-db/trunk/cf7cdb.php#L115"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/advanced-contact-form-7-compact-db/trunk/cf7cdb.php#L120"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3fa5ddd8-8166-45eb-9576-8683c1d12cc6?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V92-R835-4388
Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2026-04-23 15:32Missing Authorization vulnerability in ThemePunch OHG Slider Revolution.This issue affects Slider Revolution: from n/a before 6.7.0.
{
"affected": [],
"aliases": [
"CVE-2024-34444"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T15:15:59Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in ThemePunch OHG Slider Revolution.This issue affects Slider Revolution: from n/a before 6.7.0.",
"id": "GHSA-7v92-r835-4388",
"modified": "2026-04-23T15:32:19Z",
"published": "2024-06-19T15:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34444"
},
{
"type": "WEB",
"url": "https://patchstack.com/articles/unauthenticated-xss-vulnerability-patched-in-slider-revolution-plugin?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/revslider/vulnerability/wordpress-slider-revolution-plugin-6-7-0-unauthenticated-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/revslider/wordpress-slider-revolution-plugin-6-7-0-unauthenticated-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7VF7-CQC9-QXJ2
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-02-26 18:30The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2024-1710"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:27:52Z",
"severity": "HIGH"
},
"details": "The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files.",
"id": "GHSA-7vf7-cqc9-qxj2",
"modified": "2024-02-26T18:30:29Z",
"published": "2024-02-26T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1710"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/addon-library/trunk/inc_php/unitecreator_actions.class.php#L39"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15cf34d8-256b-495e-9385-a5d526bfb335?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7VFX-4246-JCFH
Vulnerability from github – Published: 2026-06-26 22:20 – Updated: 2026-06-26 22:20Summary
Four authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.
Findings
1. Cross-User API Token Revocation (MEDIUM)
File: src/UserBundle/Twig/Components/ApiTokens.php, lines 50-55
The revoke() LiveAction accepts any ApiToken via #[LiveArg] without checking ownership. The apiTokens() method correctly filters by user (getApiTokensForUser($this->security->getUser())).
#[LiveAction]
public function revoke(#[LiveArg] ApiToken $token): void
{
$this->apiTokenRepository->revoke($token); // No ownership check
}
2. Cross-User API Token History Disclosure (MEDIUM)
File: src/UserBundle/Twig/Components/ApiTokenHistory.php, lines 30-55
The writable $token LiveProp performs $this->apiTokenRepository->find($this->token) without user verification. Exposes IP addresses, request methods, paths, and user agents from other users' API token usage.
3. Cross-User Notification Transport Settings Disclosure (HIGH)
File: src/NotificationBundle/Twig/Components/NotificationIntegrations.php, lines 48-55
The integration() method performs $this->repository->find($this->setting) using a writable LiveProp without user check. The enabledIntegrations() method correctly filters: $this->repository->findBy(['user' => $this->getUser()]).
The TransportSetting entity stores notification credentials in a JSON settings column, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.
4. Cross-User Notification Transport Setting Takeover (HIGH)
File: src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php, lines 39-40, 84-101
The writable $setting LiveProp accepts any TransportSetting entity. The save() action overwrites the user field with the current user via $setting->setUser($user), effectively stealing the transport configuration and its stored credentials.
Root Cause
The application relies on Doctrine's CompanyFilter for tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don't verify ownership.
Suggested Fix
Add user ownership verification in each LiveAction/LiveProp before performing operations:
if ($token->getUser() !== $this->security->getUser()) {
throw $this->createAccessDeniedException();
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.15"
},
"package": {
"ecosystem": "Packagist",
"name": "solidinvoice/solidinvoice"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T22:20:50Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nFour authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users\u0027 API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.\n\n## Findings\n\n### 1. Cross-User API Token Revocation (MEDIUM)\n\n**File:** `src/UserBundle/Twig/Components/ApiTokens.php`, lines 50-55\n\nThe `revoke()` LiveAction accepts any `ApiToken` via `#[LiveArg]` without checking ownership. The `apiTokens()` method correctly filters by user (`getApiTokensForUser($this-\u003esecurity-\u003egetUser())`).\n\n```php\n#[LiveAction]\npublic function revoke(#[LiveArg] ApiToken $token): void\n{\n $this-\u003eapiTokenRepository-\u003erevoke($token); // No ownership check\n}\n```\n\n### 2. Cross-User API Token History Disclosure (MEDIUM)\n\n**File:** `src/UserBundle/Twig/Components/ApiTokenHistory.php`, lines 30-55\n\nThe writable `$token` LiveProp performs `$this-\u003eapiTokenRepository-\u003efind($this-\u003etoken)` without user verification. Exposes IP addresses, request methods, paths, and user agents from other users\u0027 API token usage.\n\n### 3. Cross-User Notification Transport Settings Disclosure (HIGH)\n\n**File:** `src/NotificationBundle/Twig/Components/NotificationIntegrations.php`, lines 48-55\n\nThe `integration()` method performs `$this-\u003erepository-\u003efind($this-\u003esetting)` using a writable LiveProp without user check. The `enabledIntegrations()` method correctly filters: `$this-\u003erepository-\u003efindBy([\u0027user\u0027 =\u003e $this-\u003egetUser()])`.\n\nThe `TransportSetting` entity stores notification credentials in a JSON `settings` column, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.\n\n### 4. Cross-User Notification Transport Setting Takeover (HIGH)\n\n**File:** `src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php`, lines 39-40, 84-101\n\nThe writable `$setting` LiveProp accepts any `TransportSetting` entity. The `save()` action overwrites the user field with the current user via `$setting-\u003esetUser($user)`, effectively stealing the transport configuration and its stored credentials.\n\n## Root Cause\n\nThe application relies on Doctrine\u0027s `CompanyFilter` for tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don\u0027t verify ownership.\n\n## Suggested Fix\n\nAdd user ownership verification in each LiveAction/LiveProp before performing operations:\n```php\nif ($token-\u003egetUser() !== $this-\u003esecurity-\u003egetUser()) {\n throw $this-\u003ecreateAccessDeniedException();\n}\n```",
"id": "GHSA-7vfx-4246-jcfh",
"modified": "2026-06-26T22:20:50Z",
"published": "2026-06-26T22:20:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-7vfx-4246-jcfh"
},
{
"type": "PACKAGE",
"url": "https://github.com/SolidInvoice/SolidInvoice"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings"
}
GHSA-7VJM-98MV-66RQ
Vulnerability from github – Published: 2023-09-04 03:30 – Updated: 2024-04-04 07:24In ims service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges
{
"affected": [],
"aliases": [
"CVE-2023-38466"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T02:15:10Z",
"severity": "MODERATE"
},
"details": "In ims service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges",
"id": "GHSA-7vjm-98mv-66rq",
"modified": "2024-04-04T07:24:10Z",
"published": "2023-09-04T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38466"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1698296481653522434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.