CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5559 vulnerabilities reference this CWE, most recent first.
GHSA-4535-JC6H-8QX3
Vulnerability from github – Published: 2026-05-29 21:31 – Updated: 2026-05-29 21:31In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
{
"affected": [],
"aliases": [
"CVE-2026-49369"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T19:16:26Z",
"severity": "MODERATE"
},
"details": "In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages",
"id": "GHSA-4535-jc6h-8qx3",
"modified": "2026-05-29T21:31:22Z",
"published": "2026-05-29T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49369"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4549-5M2C-669V
Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-13 00:01Operation restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.5.1 allow a remote authenticated attacker to alter the data of Bulletin.
{
"affected": [],
"aliases": [
"CVE-2022-28718"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-04T07:15:00Z",
"severity": "MODERATE"
},
"details": "Operation restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.5.1 allow a remote authenticated attacker to alter the data of Bulletin.",
"id": "GHSA-4549-5m2c-669v",
"modified": "2022-07-13T00:01:53Z",
"published": "2022-07-05T00:00:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28718"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2022/007429.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN73897863/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4576-PGH2-G34J
Vulnerability from github – Published: 2024-02-13 17:01 – Updated: 2024-02-13 21:57The existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the RedirectResponse from the $this->redirect() function was never handled.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "derhansen/sf_event_mgt"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-24751"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-13T17:01:16Z",
"nvd_published_at": "2024-02-13T19:15:10Z",
"severity": "MODERATE"
},
"details": "The existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this-\u003eredirect()` function was never handled. ",
"id": "GHSA-4576-pgh2-g34j",
"modified": "2024-02-13T21:57:18Z",
"published": "2024-02-13T17:01:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24751"
},
{
"type": "WEB",
"url": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c"
},
{
"type": "PACKAGE",
"url": "https://github.com/derhansen/sf_event_mgt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "derhansen/sf_event_mgt vulnerable to Broken Access Control in Backend Module "
}
GHSA-4578-6GJH-F2JM
Vulnerability from github – Published: 2025-06-20 15:30 – Updated: 2025-06-20 18:08Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250520060012-d0380305ef7a"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250520060012-d0380305ef7a"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.5.5"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.11.15"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.11.0"
},
{
"fixed": "9.11.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.8.0"
},
{
"fixed": "10.8.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"10.8.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.7.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.7.0"
},
{
"fixed": "10.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.6.5"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.6.0"
},
{
"fixed": "10.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3228"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-20T18:08:27Z",
"nvd_published_at": "2025-06-20T15:15:20Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.5.x \u003c= 10.5.5, 9.11.x \u003c= 9.11.15, 10.8.x \u003c= 10.8.0, 10.7.x \u003c= 10.7.2, 10.6.x \u003c= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.",
"id": "GHSA-4578-6gjh-f2jm",
"modified": "2025-06-20T18:08:28Z",
"published": "2025-06-20T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3228"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost allows an unauthorized Guest user access to Playbook"
}
GHSA-459H-QWRJ-J9GC
Vulnerability from github – Published: 2024-07-03 18:48 – Updated: 2024-08-09 21:31The allows any authenticated user to join a private group due to a missing authorization check on a function
{
"affected": [],
"aliases": [
"CVE-2024-2231"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-03T06:15:03Z",
"severity": "MODERATE"
},
"details": "The allows any authenticated user to join a private group due to a missing authorization check on a function",
"id": "GHSA-459h-qwrj-j9gc",
"modified": "2024-08-09T21:31:35Z",
"published": "2024-07-03T18:48:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2231"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/119d2d93-3b71-4ce9-b385-4e6f57b162cb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-45FW-QRX2-RJ7M
Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2022-05-24 17:23In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The ._pth file (e.g., the python._pth file) is not affected.
{
"affected": [],
"aliases": [
"CVE-2020-15801"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-17T03:15:00Z",
"severity": "HIGH"
},
"details": "In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The \u003cexecutable-name\u003e._pth file (e.g., the python._pth file) is not affected.",
"id": "GHSA-45fw-qrx2-rj7m",
"modified": "2022-05-24T17:23:51Z",
"published": "2022-05-24T17:23:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15801"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/21495"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue41304"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200731-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-45GF-XJ43-RFVR
Vulnerability from github – Published: 2023-04-11 21:31 – Updated: 2023-04-11 21:31Windows Lock Screen Security Feature Bypass Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-28270"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T21:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Lock Screen Security Feature Bypass Vulnerability",
"id": "GHSA-45gf-xj43-rfvr",
"modified": "2023-04-11T21:31:00Z",
"published": "2023-04-11T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28270"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-45M8-CPM2-3V65
Vulnerability from github – Published: 2026-05-08 19:43 – Updated: 2026-05-15 23:52Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
Affected Component
Socket.IO session state and role-check callsites:
- backend/open_webui/socket/main.py (lines 330-351, connect handler — role snapshotted into SESSION_POOL)
- backend/open_webui/socket/main.py (lines 393-398, heartbeat handler — does not refresh role)
- backend/open_webui/socket/main.py (line 538, ydoc:document:join — uses cached role for admin check)
- backend/open_webui/socket/main.py (line 611, document_save_handler — uses cached role for admin check)
- backend/open_webui/routers/users.py (lines 557-633, role update — does not invalidate SESSION_POOL)
- backend/open_webui/routers/users.py (line 641, user delete — does not invalidate SESSION_POOL)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with the collaborative document (Yjs) Socket.IO handlers.
Description
When a user connects via Socket.IO, the connect handler authenticates them via JWT and stores their user record (including role) in the in-memory SESSION_POOL dictionary keyed by session ID. The heartbeat handler keeps the session alive indefinitely but only refreshes the last_seen_at timestamp — never the role.
Role checks in the Yjs collaborative document handlers (ydoc:document:join, document_save_handler) consult the cached SESSION_POOL role rather than the database. Meanwhile, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats).
HTTP endpoints are not affected — get_current_user at utils/auth.py refetches the user record from the database on every request. The gap is exclusive to the Socket.IO session cache.
# socket/main.py:330-351 — role snapshotted at connect time
async def connect(sid, environ, auth):
user = None
if auth and 'token' in auth:
data = decode_token(auth['token'])
if data is not None and 'id' in data:
user = Users.get_user_by_id(data['id'])
if user:
SESSION_POOL[sid] = {
'id': user.id,
'role': user.role, # ← snapshotted, never refreshed
...
}
# socket/main.py:393-398 — heartbeat refreshes last_seen_at only
async def heartbeat(sid, data):
user = SESSION_POOL.get(sid)
if user:
SESSION_POOL[sid] = {**user, 'last_seen_at': int(time.time())}
# role is carried forward unchanged
# socket/main.py:538 — admin check against cached role
if user.get('role') != 'admin' and not has_access(user_id, 'note', note_id, 'read', db=db):
return
Attack Scenario
- User B is an admin and has an active browser session with a live Socket.IO connection.
SESSION_POOL[sid]recordsrole='admin'. - Admin A demotes User B to a regular user via
POST /api/v1/users/{B_id}/update. The DBuser.rolebecomes'user'. - No Socket.IO disconnect, no SESSION_POOL update, no token revocation event is triggered by the role change.
- User B's client continues sending
heartbeatevents every few seconds; these are accepted and only refreshlast_seen_at. - User B emits
ydoc:document:joinwithdocument_id = 'note:<victim_note_id>'for any note they do not own. - The handler at line 538 evaluates
user.get('role') != 'admin'— returnsFalsebecauseSESSION_POOLstill holds the staleadminrole. Access check is bypassed, User B joins the document room, receives full document state and live updates. - User B emits
ydoc:document:updatefor the same note. The handler at line 611 performs the same cached-admin check, bypasses authorization, and persists attacker-controlled content to the victim's note viaNotes.update_note_by_id.
The same bypass occurs if the user is deleted entirely (delete_user_by_id) — the deleted user retains admin privileges on their live socket until disconnection.
Impact
- Read access to any user's notes after admin privileges have been revoked
- Write access (content injection, overwrite) to any user's notes under the same conditions
- The stale privilege is bounded only by the attacker's willingness to keep the Socket.IO connection alive; heartbeats extend the session indefinitely
- Official admin demotion or user deletion gives a false sense of security — HTTP access is correctly revoked, but real-time collaborative access silently continues
Preconditions
- Attacker must have an active Socket.IO connection established while they held admin role
- Attacker must retain the Socket.IO session after demotion/deletion (trivial — just don't close the browser)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.12"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44553"
],
"database_specific": {
"cwe_ids": [
"CWE-384",
"CWE-613",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:43:49Z",
"nvd_published_at": "2026-05-15T20:16:46Z",
"severity": "HIGH"
},
"details": "# Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access\n\n## Affected Component\n\nSocket.IO session state and role-check callsites:\n- `backend/open_webui/socket/main.py` (lines 330-351, `connect` handler \u2014 role snapshotted into SESSION_POOL)\n- `backend/open_webui/socket/main.py` (lines 393-398, `heartbeat` handler \u2014 does not refresh role)\n- `backend/open_webui/socket/main.py` (line 538, `ydoc:document:join` \u2014 uses cached role for admin check)\n- `backend/open_webui/socket/main.py` (line 611, `document_save_handler` \u2014 uses cached role for admin check)\n- `backend/open_webui/routers/users.py` (lines 557-633, role update \u2014 does not invalidate SESSION_POOL)\n- `backend/open_webui/routers/users.py` (line 641, user delete \u2014 does not invalidate SESSION_POOL)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions with the collaborative document (Yjs) Socket.IO handlers.\n\n## Description\n\nWhen a user connects via Socket.IO, the `connect` handler authenticates them via JWT and stores their user record (including `role`) in the in-memory `SESSION_POOL` dictionary keyed by session ID. The `heartbeat` handler keeps the session alive indefinitely but only refreshes the `last_seen_at` timestamp \u2014 never the role.\n\nRole checks in the Yjs collaborative document handlers (`ydoc:document:join`, `document_save_handler`) consult the cached `SESSION_POOL` role rather than the database. Meanwhile, administrative role changes and user deletions do not iterate `SESSION_POOL` to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats).\n\nHTTP endpoints are not affected \u2014 `get_current_user` at [utils/auth.py](backend/open_webui/utils/auth.py) refetches the user record from the database on every request. The gap is exclusive to the Socket.IO session cache.\n\n```python\n# socket/main.py:330-351 \u2014 role snapshotted at connect time\nasync def connect(sid, environ, auth):\n user = None\n if auth and \u0027token\u0027 in auth:\n data = decode_token(auth[\u0027token\u0027])\n if data is not None and \u0027id\u0027 in data:\n user = Users.get_user_by_id(data[\u0027id\u0027])\n if user:\n SESSION_POOL[sid] = {\n \u0027id\u0027: user.id,\n \u0027role\u0027: user.role, # \u2190 snapshotted, never refreshed\n ...\n }\n\n# socket/main.py:393-398 \u2014 heartbeat refreshes last_seen_at only\nasync def heartbeat(sid, data):\n user = SESSION_POOL.get(sid)\n if user:\n SESSION_POOL[sid] = {**user, \u0027last_seen_at\u0027: int(time.time())}\n # role is carried forward unchanged\n\n# socket/main.py:538 \u2014 admin check against cached role\nif user.get(\u0027role\u0027) != \u0027admin\u0027 and not has_access(user_id, \u0027note\u0027, note_id, \u0027read\u0027, db=db):\n return\n```\n\n## Attack Scenario\n\n1. User B is an admin and has an active browser session with a live Socket.IO connection. `SESSION_POOL[sid]` records `role=\u0027admin\u0027`.\n2. Admin A demotes User B to a regular user via `POST /api/v1/users/{B_id}/update`. The DB `user.role` becomes `\u0027user\u0027`.\n3. No Socket.IO disconnect, no SESSION_POOL update, no token revocation event is triggered by the role change.\n4. User B\u0027s client continues sending `heartbeat` events every few seconds; these are accepted and only refresh `last_seen_at`.\n5. User B emits `ydoc:document:join` with `document_id = \u0027note:\u003cvictim_note_id\u003e\u0027` for any note they do not own.\n6. The handler at line 538 evaluates `user.get(\u0027role\u0027) != \u0027admin\u0027` \u2014 returns `False` because `SESSION_POOL` still holds the stale `admin` role. Access check is bypassed, User B joins the document room, receives full document state and live updates.\n7. User B emits `ydoc:document:update` for the same note. The handler at line 611 performs the same cached-admin check, bypasses authorization, and persists attacker-controlled content to the victim\u0027s note via `Notes.update_note_by_id`.\n\nThe same bypass occurs if the user is deleted entirely (`delete_user_by_id`) \u2014 the deleted user retains admin privileges on their live socket until disconnection.\n\n## Impact\n\n- Read access to any user\u0027s notes after admin privileges have been revoked\n- Write access (content injection, overwrite) to any user\u0027s notes under the same conditions\n- The stale privilege is bounded only by the attacker\u0027s willingness to keep the Socket.IO connection alive; heartbeats extend the session indefinitely\n- Official admin demotion or user deletion gives a false sense of security \u2014 HTTP access is correctly revoked, but real-time collaborative access silently continues\n\n## Preconditions\n\n- Attacker must have an active Socket.IO connection established while they held admin role\n- Attacker must retain the Socket.IO session after demotion/deletion (trivial \u2014 just don\u0027t close the browser)",
"id": "GHSA-45m8-cpm2-3v65",
"modified": "2026-05-15T23:52:21Z",
"published": "2026-05-08T19:43:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44553"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access"
}
GHSA-45RW-4R25-JVG7
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2024-04-23 23:41A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.4"
},
{
"fixed": "3.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.5"
},
{
"fixed": "3.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.6"
},
{
"fixed": "3.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-3848"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T23:41:57Z",
"nvd_published_at": "2019-03-26T18:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar\u0027s edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)",
"id": "GHSA-45rw-4r25-jvg7",
"modified": "2024-04-23T23:41:57Z",
"published": "2022-05-13T01:05:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3848"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3848"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=384011#p1547743"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle Logged in users could view all calendar events"
}
GHSA-45V2-7387-4MJ3
Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to.
{
"affected": [],
"aliases": [
"CVE-2024-39871"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T12:15:18Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to.",
"id": "GHSA-45v2-7387-4mj3",
"modified": "2024-07-09T12:30:57Z",
"published": "2024-07-09T12:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39871"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-381581.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.