Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5548 vulnerabilities reference this CWE, most recent first.

GHSA-324F-35V9-JXHH

Vulnerability from github – Published: 2026-07-16 21:30 – Updated: 2026-07-16 21:30
VLAI
Details

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The LOCALDELETE command bypassed ACL checks. An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-16T19:16:48Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The LOCALDELETE command bypassed ACL checks. An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions.",
  "id": "GHSA-324f-35v9-jxhh",
  "modified": "2026-07-16T21:30:36Z",
  "published": "2026-07-16T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47084"
    },
    {
      "type": "WEB",
      "url": "https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cyrusimap.org/imap/download/release-notes/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3254-79Q7-7Q66

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-29T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data.",
  "id": "GHSA-3254-79q7-7q66",
  "modified": "2022-05-24T17:40:35Z",
  "published": "2022-05-24T17:40:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35547"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-20-0016"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3255-G96H-946G

Vulnerability from github – Published: 2025-04-29 18:30 – Updated: 2025-10-14 21:30
VLAI
Details

Bookgy does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to reach private areas and/or areas intended for other roles.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T16:15:36Z",
    "severity": "CRITICAL"
  },
  "details": "Bookgy does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to reach private areas and/or areas intended for other roles.",
  "id": "GHSA-3255-g96h-946g",
  "modified": "2025-10-14T21:30:26Z",
  "published": "2025-04-29T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40619"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-bookgy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3263-V5V9-XQ8Q

Vulnerability from github – Published: 2026-05-18 17:44 – Updated: 2026-06-08 23:51
VLAI
Summary
Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
Details

Summary

The row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters.

Details

View filters in Budibase are treated as a security boundary. The search path (packages/server/src/sdk/workspace/rows/search.ts:93-94) explicitly enforces view query filters with the comment: "that could let users find rows they should not be allowed to access."

However, the row action trigger path bypasses this enforcement entirely:

  1. Route (packages/server/src/api/routes/rowAction.ts:55-59): Accepts a sourceId that can be a viewId.

  2. Middleware (packages/server/src/middleware/triggerRowActionAuthorised.ts:24-55): Correctly validates that the user has READ permission on the view and that the row action is enabled for that view. However, at line 55 it sets ctx.params.tableId = tableId where tableId is the underlying table extracted from the viewId — the viewId is discarded.

// triggerRowActionAuthorised.ts:24-26
const tableId = isTableIdOrExternalTableId(sourceId)
  ? sourceId
  : getTableIdFromViewId(sourceId)  // extracts underlying table

// Line 55: viewId context is lost
ctx.params.tableId = tableId
  1. Controller (packages/server/src/api/controllers/rowAction/run.ts:11): Reads only tableId from params — the view context is gone.
const { tableId, actionId } = ctx.params
const { rowId } = ctx.request.body
await sdk.rowActions.run(tableId, actionId, rowId, ctx.user)
  1. SDK (packages/server/src/sdk/workspace/rowActions/crud.ts:254): Fetches the row using sdk.rows.find(tableId, rowId) — directly from the table with no view filter enforcement.
const row = await sdk.rows.find(tableId, rowId)  // No view filter check

The sdk.rows.find function (packages/server/src/sdk/workspace/rows/internal.ts:67-88) fetches the row by ID directly from the database, only validating that row.tableId === tableId. It never checks whether the row matches the view's query filters.

PoC

# Prerequisites:
# 1. Create a table with a "status" column containing rows: "active" and "archived"
# 2. Create a view filtering to status="active", assign it to BASIC role
# 3. Enable a row action for that view
# 4. Note the rowId of an "archived" row (not visible through the view)

# As a BASIC-role user with access only to the filtered view:
# Trigger the row action on a row OUTSIDE the view's filter scope

curl -X POST 'http://localhost:10000/api/tables/<viewId>/actions/<actionId>/trigger' \
  -H 'Cookie: budibase:auth=<basic_user_jwt>' \
  -H 'Content-Type: application/json' \
  -d '{"rowId": "<archived_row_id>"}'

# Expected: 403 or 404 (row not in view scope)
# Actual: 200 {"message": "Row action triggered."}
# The automation executes with the full archived row data,
# despite view filters excluding it from the user's access.

Impact

A user with BASIC role access to a filtered view can execute row actions (automations) on any row in the underlying table, including rows hidden by the view's security filters. The impact depends on what the triggered automation does:

  • Information disclosure: The automation receives the full row data as input, which may contain fields/values the user should not see.
  • Unauthorized data modification: If the automation modifies rows, the attacker can cause changes to rows outside their authorized scope.
  • Unauthorized actions: If the automation sends notifications, calls webhooks, or performs other side effects, the attacker can trigger these for out-of-scope rows.

This breaks the security model established by view filters, which are explicitly documented as preventing users from accessing rows they should not see.

Recommended Fix

The middleware should pass the viewId to the controller, and the SDK run function should validate the row against the view's filters before executing the automation.

In packages/server/src/middleware/triggerRowActionAuthorised.ts, preserve the sourceId:

// Line 55: preserve the original sourceId for downstream filter validation
ctx.params.tableId = tableId
ctx.params.sourceId = viewId || tableId  // ADD THIS

In packages/server/src/api/controllers/rowAction/run.ts, pass the sourceId:

export async function run(
  ctx: Ctx<RowActionTriggerRequest, RowActionTriggerResponse>
) {
  const { tableId, actionId, sourceId } = ctx.params
  const { rowId } = ctx.request.body

  await sdk.rowActions.run(tableId, actionId, rowId, ctx.user, sourceId)
  ctx.body = { message: "Row action triggered." }
}

In packages/server/src/sdk/workspace/rowActions/crud.ts, validate the row against view filters:

export async function run(
  tableId: any,
  rowActionId: any,
  rowId: string,
  user: User,
  sourceId?: string
) {
  const table = await sdk.tables.getTable(tableId)
  if (!table) {
    throw new HTTPError("Table not found", 404)
  }

  // If triggered from a view, validate the row is within the view's scope
  if (sourceId && isViewId(sourceId)) {
    const result = await sdk.rows.search({
      viewId: sourceId,
      query: { equal: { _id: rowId } },
      limit: 1,
    })
    if (!result.rows.length) {
      throw new HTTPError("Row not found in view scope", 403)
    }
  }

  const { automationId } = await get(tableId, rowActionId)
  const automation = await sdk.automations.get(automationId)
  const row = await sdk.rows.find(tableId, rowId)
  // ... rest unchanged
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "budibase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.38.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:44:22Z",
    "nvd_published_at": "2026-05-27T18:16:25Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe row action trigger endpoint (`POST /api/tables/:sourceId/actions/:actionId/trigger`) fails to validate that the user-supplied `rowId` is within the scope of the view\u0027s row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view\u0027s security filters.\n\n## Details\n\nView filters in Budibase are treated as a security boundary. The search path (`packages/server/src/sdk/workspace/rows/search.ts:93-94`) explicitly enforces view query filters with the comment: *\"that could let users find rows they should not be allowed to access.\"*\n\nHowever, the row action trigger path bypasses this enforcement entirely:\n\n1. **Route** (`packages/server/src/api/routes/rowAction.ts:55-59`): Accepts a `sourceId` that can be a viewId.\n\n2. **Middleware** (`packages/server/src/middleware/triggerRowActionAuthorised.ts:24-55`): Correctly validates that the user has READ permission on the view and that the row action is enabled for that view. However, at line 55 it sets `ctx.params.tableId = tableId` where `tableId` is the **underlying table** extracted from the viewId \u2014 the viewId is discarded.\n\n```typescript\n// triggerRowActionAuthorised.ts:24-26\nconst tableId = isTableIdOrExternalTableId(sourceId)\n  ? sourceId\n  : getTableIdFromViewId(sourceId)  // extracts underlying table\n\n// Line 55: viewId context is lost\nctx.params.tableId = tableId\n```\n\n3. **Controller** (`packages/server/src/api/controllers/rowAction/run.ts:11`): Reads only `tableId` from params \u2014 the view context is gone.\n\n```typescript\nconst { tableId, actionId } = ctx.params\nconst { rowId } = ctx.request.body\nawait sdk.rowActions.run(tableId, actionId, rowId, ctx.user)\n```\n\n4. **SDK** (`packages/server/src/sdk/workspace/rowActions/crud.ts:254`): Fetches the row using `sdk.rows.find(tableId, rowId)` \u2014 directly from the table with no view filter enforcement.\n\n```typescript\nconst row = await sdk.rows.find(tableId, rowId)  // No view filter check\n```\n\nThe `sdk.rows.find` function (`packages/server/src/sdk/workspace/rows/internal.ts:67-88`) fetches the row by ID directly from the database, only validating that `row.tableId === tableId`. It never checks whether the row matches the view\u0027s query filters.\n\n## PoC\n\n```bash\n# Prerequisites:\n# 1. Create a table with a \"status\" column containing rows: \"active\" and \"archived\"\n# 2. Create a view filtering to status=\"active\", assign it to BASIC role\n# 3. Enable a row action for that view\n# 4. Note the rowId of an \"archived\" row (not visible through the view)\n\n# As a BASIC-role user with access only to the filtered view:\n# Trigger the row action on a row OUTSIDE the view\u0027s filter scope\n\ncurl -X POST \u0027http://localhost:10000/api/tables/\u003cviewId\u003e/actions/\u003cactionId\u003e/trigger\u0027 \\\n  -H \u0027Cookie: budibase:auth=\u003cbasic_user_jwt\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"rowId\": \"\u003carchived_row_id\u003e\"}\u0027\n\n# Expected: 403 or 404 (row not in view scope)\n# Actual: 200 {\"message\": \"Row action triggered.\"}\n# The automation executes with the full archived row data,\n# despite view filters excluding it from the user\u0027s access.\n```\n\n## Impact\n\nA user with BASIC role access to a filtered view can execute row actions (automations) on **any row** in the underlying table, including rows hidden by the view\u0027s security filters. The impact depends on what the triggered automation does:\n\n- **Information disclosure**: The automation receives the full row data as input, which may contain fields/values the user should not see.\n- **Unauthorized data modification**: If the automation modifies rows, the attacker can cause changes to rows outside their authorized scope.\n- **Unauthorized actions**: If the automation sends notifications, calls webhooks, or performs other side effects, the attacker can trigger these for out-of-scope rows.\n\nThis breaks the security model established by view filters, which are explicitly documented as preventing users from accessing rows they should not see.\n\n## Recommended Fix\n\nThe middleware should pass the `viewId` to the controller, and the SDK `run` function should validate the row against the view\u0027s filters before executing the automation.\n\nIn `packages/server/src/middleware/triggerRowActionAuthorised.ts`, preserve the sourceId:\n\n```typescript\n// Line 55: preserve the original sourceId for downstream filter validation\nctx.params.tableId = tableId\nctx.params.sourceId = viewId || tableId  // ADD THIS\n```\n\nIn `packages/server/src/api/controllers/rowAction/run.ts`, pass the sourceId:\n\n```typescript\nexport async function run(\n  ctx: Ctx\u003cRowActionTriggerRequest, RowActionTriggerResponse\u003e\n) {\n  const { tableId, actionId, sourceId } = ctx.params\n  const { rowId } = ctx.request.body\n\n  await sdk.rowActions.run(tableId, actionId, rowId, ctx.user, sourceId)\n  ctx.body = { message: \"Row action triggered.\" }\n}\n```\n\nIn `packages/server/src/sdk/workspace/rowActions/crud.ts`, validate the row against view filters:\n\n```typescript\nexport async function run(\n  tableId: any,\n  rowActionId: any,\n  rowId: string,\n  user: User,\n  sourceId?: string\n) {\n  const table = await sdk.tables.getTable(tableId)\n  if (!table) {\n    throw new HTTPError(\"Table not found\", 404)\n  }\n\n  // If triggered from a view, validate the row is within the view\u0027s scope\n  if (sourceId \u0026\u0026 isViewId(sourceId)) {\n    const result = await sdk.rows.search({\n      viewId: sourceId,\n      query: { equal: { _id: rowId } },\n      limit: 1,\n    })\n    if (!result.rows.length) {\n      throw new HTTPError(\"Row not found in view scope\", 403)\n    }\n  }\n\n  const { automationId } = await get(tableId, rowActionId)\n  const automation = await sdk.automations.get(automationId)\n  const row = await sdk.rows.find(tableId, rowId)\n  // ... rest unchanged\n}\n```",
  "id": "GHSA-3263-v5v9-xq8q",
  "modified": "2026-06-08T23:51:45Z",
  "published": "2026-05-18T17:44:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-3263-v5v9-xq8q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45718"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.38.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows"
}

GHSA-3297-944X-J7X7

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-11-02 00:42
VLAI
Summary
Incorrect Authorization in Jenkins Core
Details

Jenkins before versions before 2.44 are vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.44"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-2611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-02T00:42:19Z",
    "nvd_published_at": "2018-05-08T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins before versions before 2.44 are vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.",
  "id": "GHSA-3297-944x-j7x7",
  "modified": "2022-11-02T00:42:19Z",
  "published": "2022-05-13T01:16:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2017-02-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95956"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in Jenkins Core"
}

GHSA-329P-RHMW-5HXX

Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30
VLAI
Details

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T21:15:17Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC).  Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).",
  "id": "GHSA-329p-rhmw-5hxx",
  "modified": "2025-01-21T21:30:55Z",
  "published": "2025-01-21T21:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21517"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32C7-MV5C-M5RR

Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39934"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.",
  "id": "GHSA-32c7-mv5c-m5rr",
  "modified": "2022-07-13T00:01:39Z",
  "published": "2021-12-14T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39934"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1360744"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39934.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/342823"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32FR-79CM-96P3

Vulnerability from github – Published: 2022-05-14 02:22 – Updated: 2022-05-14 02:22
VLAI
Details

Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X and before 11.2.202.632 on Linux allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-4178"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-07-13T01:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X and before 11.2.202.632 on Linux allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.",
  "id": "GHSA-32fr-79cm-96p3",
  "modified": "2022-05-14T02:22:51Z",
  "published": "2022-05-14T02:22:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4178"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:1423"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-093"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/flash-player/apsb16-25.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91723"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32MF-57H2-64X9

Vulnerability from github – Published: 2025-07-14 22:03 – Updated: 2025-07-15 00:35
VLAI
Summary
XWiki Rendering is vulnerable to RCE attacks when processing nested macros
Details

Impact

The default macro content parser didn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. The following XWiki syntax, when used inside a comment in XWiki, demonstrates the privilege escalation from comment right to programming right and thus remote code execution (RCE) that is possible due to this:

{{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}}

This vulnerability exists since the restricted attribute has been added to the transformation context in version 4.2.

Patches

This has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

Workarounds

To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

Resources

  • https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d
  • https://jira.xwiki.org/browse/XRENDERING-689
  • https://jira.xwiki.org/browse/XWIKI-20375

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

This vulnerability has been reported on Intigriti by René de Sain @renniepak.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-transformation-macro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2-milestone-1"
            },
            {
              "fixed": "13.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-transformation-macro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0"
            },
            {
              "fixed": "14.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-transformation-macro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-14T22:03:06Z",
    "nvd_published_at": "2025-07-15T00:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe default macro content parser didn\u0027t preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The [cache](https://extensions.xwiki.org/xwiki/bin/view/Extension/Cache%20Macro) and [chart](https://extensions.xwiki.org/xwiki/bin/view/Extension/Chart%20Macro) macros that are bundled in XWiki use the vulnerable feature. The following XWiki syntax, when used inside a comment in XWiki, demonstrates the privilege escalation from comment right to programming right and thus remote code execution (RCE) that is possible due to this:\n\n```\n{{cache}}{{groovy}}println(\"Hello from Groovy!\"){{/groovy}}{{/cache}}\n```\n\nThis vulnerability exists since the restricted attribute has been added to the transformation context in version 4.2.\n\n### Patches\nThis has been patched in XWiki 13.10.11, 14.4.7 and 14.10.\n\n### Workarounds\nTo avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.\n\n### Resources\n* https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d\n* https://jira.xwiki.org/browse/XRENDERING-689\n* https://jira.xwiki.org/browse/XWIKI-20375\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThis vulnerability has been reported on Intigriti by Ren\u00e9 de Sain @renniepak.",
  "id": "GHSA-32mf-57h2-64x9",
  "modified": "2025-07-15T00:35:24Z",
  "published": "2025-07-14T22:03:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-rendering"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XRENDERING-689"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Rendering is vulnerable to RCE attacks when processing nested macros"
}

GHSA-32P4-GM2C-WMCH

Vulnerability from github – Published: 2024-11-06 12:31 – Updated: 2025-11-04 16:53
VLAI
Summary
ansible-core Incorrect Authorization vulnerability
Details

A flaw was found in Ansible. The ansible-core user module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the user module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.18rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.15.0b1"
            },
            {
              "fixed": "2.15.13rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.16.0b1"
            },
            {
              "fixed": "2.16.13rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.17.0b1"
            },
            {
              "fixed": "2.17.6rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.18.0b1"
            },
            {
              "fixed": "2.18.0rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-9902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-06T15:37:19Z",
    "nvd_published_at": "2024-11-06T10:15:06Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user\u0027s home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.",
  "id": "GHSA-32p4-gm2c-wmch",
  "modified": "2025-11-04T16:53:27Z",
  "published": "2024-11-06T12:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9902"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/03794735d370db98a5ec2ad514fab2b0dd22d6be"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/03daf774d0d80fb7235910ed1c2b4fbcaebdfe65"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/3b6de811abea0a811e03e3029222a7e459922892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/9d7312f695639e804d2caeb1d0f51c716a9ac7dd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/f7be90626da3035c697623dcf9c90b7a0bc91c92"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:10762"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:8969"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:9894"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:1861"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9902"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318271"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ansible-core Incorrect Authorization vulnerability"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.