CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14556 vulnerabilities reference this CWE, most recent first.
GHSA-8CH6-WP35-JV3J
Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-26369"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T14:15:37Z",
"severity": "HIGH"
},
"details": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.",
"id": "GHSA-8ch6-wp35-jv3j",
"modified": "2025-02-12T15:32:01Z",
"published": "2025-02-12T15:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26369"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8CHJ-QW3C-W355
Vulnerability from github – Published: 2024-02-09 06:32 – Updated: 2026-04-08 18:32The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.
{
"affected": [],
"aliases": [
"CVE-2024-1122"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-09T05:15:08Z",
"severity": "MODERATE"
},
"details": "The Event Manager, Events Calendar, Events Tickets for WooCommerce \u2013 Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.",
"id": "GHSA-8chj-qw3c-w355",
"modified": "2026-04-08T18:32:35Z",
"published": "2024-02-09T06:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1122"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3033231/wp-event-solution/tags/3.3.51/core/admin/hooks.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8CM3-4QFX-PWVC
Vulnerability from github – Published: 2024-10-11 15:30 – Updated: 2024-10-11 15:30The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
{
"affected": [],
"aliases": [
"CVE-2024-9707"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-11T13:15:21Z",
"severity": "CRITICAL"
},
"details": "The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.",
"id": "GHSA-8cm3-4qfx-pwvc",
"modified": "2024-10-11T15:30:33Z",
"published": "2024-10-11T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9707"
},
{
"type": "WEB",
"url": "https://github.com/WordPressBugBounty/plugins-hunk-companion/blob/5a3cedc7b3d35d407b210e691c53c6cb400e4051/hunk-companion/import/app/app.php#L46"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3166501%40hunk-companion\u0026new=3166501%40hunk-companion\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/hunk-companion"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8CMP-8CWC-QCV3
Vulnerability from github – Published: 2025-08-15 03:30 – Updated: 2025-08-15 03:30The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.
{
"affected": [],
"aliases": [
"CVE-2025-8342"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-15T03:15:36Z",
"severity": "HIGH"
},
"details": "The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.",
"id": "GHSA-8cmp-8cwc-qcv3",
"modified": "2025-08-15T03:30:31Z",
"published": "2025-08-15T03:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8342"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4358"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4373"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3338150%40login-with-phone-number\u0026new=3338150%40login-with-phone-number\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e74582f-8e94-4cba-a3eb-0a823a5235ad?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8CMQ-FRJC-CJC8
Vulnerability from github – Published: 2024-06-14 06:34 – Updated: 2024-06-14 06:34Missing Authorization vulnerability in WPEverest Everest Forms.This issue affects Everest Forms: from n/a through 2.0.3.
{
"affected": [],
"aliases": [
"CVE-2023-51377"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-14T06:15:09Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WPEverest Everest Forms.This issue affects Everest Forms: from n/a through 2.0.3.",
"id": "GHSA-8cmq-frjc-cjc8",
"modified": "2024-06-14T06:34:48Z",
"published": "2024-06-14T06:34:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51377"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/everest-forms/wordpress-everest-forms-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8CP8-922F-XC53
Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2026-04-01 18:32Missing Authorization vulnerability in QunatumCloud Floating Buttons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Floating Buttons for WooCommerce: from n/a through 2.8.8.
{
"affected": [],
"aliases": [
"CVE-2024-52395"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T17:15:54Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in QunatumCloud Floating Buttons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Floating Buttons for WooCommerce: from n/a through 2.8.8.",
"id": "GHSA-8cp8-922f-xc53",
"modified": "2026-04-01T18:32:34Z",
"published": "2024-11-19T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52395"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/shop-assistant-for-woocommerce-jarvis/vulnerability/wordpress-floating-buttons-for-woocommerce-plugin-2-8-8-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/shop-assistant-for-woocommerce-jarvis/wordpress-floating-buttons-for-woocommerce-plugin-2-8-8-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8CQ7-M6J9-QW55
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in Sharaz Shahid Simple Sticky Add To Cart For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Sticky Add To Cart For WooCommerce: from n/a through 1.4.5.
{
"affected": [],
"aliases": [
"CVE-2025-31854"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T15:16:26Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Sharaz Shahid Simple Sticky Add To Cart For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Sticky Add To Cart For WooCommerce: from n/a through 1.4.5.",
"id": "GHSA-8cq7-m6j9-qw55",
"modified": "2026-04-01T18:34:22Z",
"published": "2025-04-01T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31854"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/sticky-add-to-cart-woo/vulnerability/wordpress-simple-sticky-add-to-cart-for-woocommerce-plugin-1-4-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8CW5-2QQR-3XVC
Vulnerability from github – Published: 2025-01-22 15:32 – Updated: 2026-04-01 18:33Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.
{
"affected": [],
"aliases": [
"CVE-2025-23684"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-22T15:15:21Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Tool: from n/a through 2.2.",
"id": "GHSA-8cw5-2qqr-3xvc",
"modified": "2026-04-01T18:33:21Z",
"published": "2025-01-22T15:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23684"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/debug-tool/vulnerability/wordpress-debug-tool-plugin-2-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8CW5-9CWW-C669
Vulnerability from github – Published: 2024-06-09 09:30 – Updated: 2024-06-09 09:30Missing Authorization vulnerability in Pluggabl LLC Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.2.
{
"affected": [],
"aliases": [
"CVE-2023-52232"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-09T09:15:09Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Pluggabl LLC Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.2.",
"id": "GHSA-8cw5-9cww-c669",
"modified": "2024-06-09T09:30:34Z",
"published": "2024-06-09T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52232"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/booster-plus-for-woocommerce/wordpress-booster-plus-for-woocommerce-plugin-7-1-2-authenticated-arbitrary-post-page-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8CW6-53M5-4932
Vulnerability from github – Published: 2026-01-27 22:13 – Updated: 2026-01-29 03:43Summary
StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.
Details
The Issue:
The endpoint /dashboard/content-management/edit?edit={UUID} validates user authentication but does NOT validate:
1. User role (should require Editor/Admin/Owner)
2. Content ownership (should verify the draft belongs to the user)
This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.
PoC
- User A: Editor role (example username:
dummy04) - User B: Visitor role (example username:
dummy01)
Reproduction Steps:
Step 1 - Create draft as Editor:
- Login as User A (Editor role)
- Navigate to:
http://localhost:4321/dashboard/content-management - Create new content (it will stay as draft)
- After saving, note the UUID in the URL:
http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148
Copy this UUID: bad87630-69a4-4cd6-bcb2-6965839dc148
Step 2 - Access draft as Visitor:
- Login as Visitor and get auth_session cookie
curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$'
-
Proof of Visitor permission
-
Access Editor's draft using the UUID
curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v
Result: Returns full HTML page with draft content (200 OK)
Impact
Impact Scenarios:
- Information Disclosure:
- Visitor users can read unpublished drafts containing sensitive information
- Drafts may contain confidential business information, unreleased announcements, or proprietary content
-
Competitive intelligence could be gathered from draft content
-
Privacy Violation:
- Personal notes, work-in-progress content, or internal communications in drafts exposed
-
Violation of content creator privacy expectations
-
Business Impact:
- Premature disclosure of marketing campaigns, product launches, or announcements
- Loss of competitive advantage if draft strategies are exposed
-
Potential compliance issues if drafts contain regulated information
-
Complete RBAC Bypass:
- The entire role-based access control system for draft content is bypassed
- "Visitor" role becomes equivalent to "Editor" for read access to drafts
- Undermines the trust model of multi-user content management
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "studiocms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24134"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-27T22:13:52Z",
"nvd_published_at": "2026-01-28T00:15:50Z",
"severity": "MODERATE"
},
"details": "### Summary\nStudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the \"Visitor\" role to access draft content created by Editor/Admin/Owner users.\n\n### Details\n**The Issue:**\nThe endpoint `/dashboard/content-management/edit?edit={UUID}` validates user authentication but does NOT validate:\n1. User role (should require Editor/Admin/Owner)\n2. Content ownership (should verify the draft belongs to the user)\n\nThis allows users with \"Visitor\" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.\n\n### PoC\n - **User A:** Editor role (example username: `dummy04`)\n - **User B:** Visitor role (example username: `dummy01`)\n\n**Reproduction Steps:**\n\n**Step 1 - Create draft as Editor:**\n\n1. Login as User A (Editor role)\n2. Navigate to: `http://localhost:4321/dashboard/content-management`\n3. Create new content (it will stay as draft)\n4. After saving, note the UUID in the URL:\n````\n http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\n````\n Copy this UUID: `bad87630-69a4-4cd6-bcb2-6965839dc148`\n\n**Step 2 - Access draft as Visitor:**\n\n1. Login as Visitor and get auth_session cookie\n```\ncurl -X POST \"http://127.0.0.1:4321/studiocms_api/auth/login\" -F \u0027username=dummy01\u0027 -F \u0027password=dummy01pass$\u0027\n```\n\u003cimg width=\"1128\" height=\"376\" alt=\"01\" src=\"https://github.com/user-attachments/assets/86c5290e-e7a2-470e-bbf5-5f5247eddec1\" /\u003e\n\n2. Proof of Visitor permission\n\u003cimg width=\"1899\" height=\"450\" alt=\"02\" src=\"https://github.com/user-attachments/assets/aabd47d3-163f-4a56-8296-08bd40c5ccdc\" /\u003e\n\n3. Access Editor\u0027s draft using the UUID\n```\ncurl \"http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\" -H \"Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q\" -v\n```\n\n**Result:** Returns full HTML page with draft content (200 OK)\n\n### Impact\n**Impact Scenarios:**\n\n1. **Information Disclosure:**\n - Visitor users can read unpublished drafts containing sensitive information\n - Drafts may contain confidential business information, unreleased announcements, or proprietary content\n - Competitive intelligence could be gathered from draft content\n\n2. **Privacy Violation:**\n - Personal notes, work-in-progress content, or internal communications in drafts exposed\n - Violation of content creator privacy expectations\n\n3. **Business Impact:**\n - Premature disclosure of marketing campaigns, product launches, or announcements\n - Loss of competitive advantage if draft strategies are exposed\n - Potential compliance issues if drafts contain regulated information\n\n4. **Complete RBAC Bypass:**\n - The entire role-based access control system for draft content is bypassed\n - \"Visitor\" role becomes equivalent to \"Editor\" for read access to drafts\n - Undermines the trust model of multi-user content management",
"id": "GHSA-8cw6-53m5-4932",
"modified": "2026-01-29T03:43:54Z",
"published": "2026-01-27T22:13:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24134"
},
{
"type": "WEB",
"url": "https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad"
},
{
"type": "PACKAGE",
"url": "https://github.com/withstudiocms/studiocms"
},
{
"type": "WEB",
"url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "StudioCMS has Authorization Bypass Through User-Controlled Key"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.