CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5537 vulnerabilities reference this CWE, most recent first.
GHSA-VRGC-533G-V7R4
Vulnerability from github – Published: 2022-06-07 00:00 – Updated: 2022-06-14 00:00Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured
{
"affected": [],
"aliases": [
"CVE-2022-1936"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-06T17:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured",
"id": "GHSA-vrgc-533g-v7r4",
"modified": "2022-06-14T00:00:28Z",
"published": "2022-06-07T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1936"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1936.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/363638"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VRMH-5MMX-HJWX
Vulnerability from github – Published: 2026-06-10 13:39 – Updated: 2026-06-26 21:29Private services (EnableShowInService: false) are enumerable via per-server endpoints, leaking name and timing data
CWE: CWE-285 (Improper Authorization) via CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-863 (Incorrect Authorization — inconsistent gating across data-reader paths)
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → 5.3 (Medium)
Summary
The EnableShowInService flag on a Service is meant to gate that service's visibility from the public dashboard. The main service-listing endpoint (GET /api/v1/service → showService) correctly filters services with EnableShowInService: false via ServiceSentinel.CopyStats() (service/singleton/servicesentinel.go:421-438). However, two adjacent reader endpoints retrieve service objects through code paths that do not honor the same flag:
GET /api/v1/server/:id/service(listServerServices) iteratesServiceSentinel.GetSortedList()(which returns every service regardless of visibility) and emits service ID, name, and timing data for any service monitoring the queried server.GET /api/v1/service/:id/history(getServiceHistory) callsServiceSentinel.Get(serviceID)directly and emits the service name (and aggregated per-server stats for servers the viewer can see).
Both endpoints are mounted on the optionalAuth group, so an unauthenticated visitor can enumerate hidden services as long as they can guess a public server ID (linear scan over a small numeric ID space) or a service ID (likewise). The service owner's intent — "hide this from the public" via EnableShowInService: false — is silently bypassed.
Affected
- nezha
masterat HEAD636f4a99e6c3d8d75f17fdf7ad55d4ee0f73f1c0(the audit checkout) - All recent 2.x releases that share this code path (post the
EnableShowInServicefilter introduction atCopyStats)
Vulnerability details
[A] — single-source-of-truth filter exists at the listing site
service/singleton/servicesentinel.go:421-438:
func (ss *ServiceSentinel) CopyStats() map[uint64]model.ServiceResponseItem {
var stats map[uint64]*serviceResponseItem
copier.Copy(&stats, ss.LoadStats())
sri := make(map[uint64]model.ServiceResponseItem)
for k, service := range stats {
if !service.service.EnableShowInService { // [A] filter here
delete(stats, k)
continue
}
service.ServiceName = service.service.Name
sri[k] = service.ServiceResponseItem
}
return sri
}
CopyStats() is the only reader that respects EnableShowInService. Get() and GetSortedList() immediately below it return the raw services with no such filter:
func (ss *ServiceSentinel) Get(id uint64) (s *model.Service, ok bool) {
ss.servicesLock.RLock(); defer ss.servicesLock.RUnlock()
s, ok = ss.services[id]
return // [A'] no EnableShowInService check
}
[B] — listServerServices iterates GetSortedList() and emits hidden services
cmd/dashboard/controller/service.go:258-340 (GET /api/v1/server/:id/service):
func listServerServices(c *gin.Context) ([]*model.ServiceInfos, error) {
// ... server existence + userCanViewServer check ...
services := singleton.ServiceSentinelShared.GetSortedList() // [B] all services, no filter
for _, service := range services {
if service.Cover == model.ServiceCoverAll {
if service.SkipServers[serverID] { continue }
} else {
if !service.SkipServers[serverID] { continue }
}
// ... fetch history ...
infos := &model.ServiceInfos{
ServiceID: service.ID,
ServerID: serverID,
ServiceName: service.Name, // [B'] leaked
ServerName: server.Name,
// ... timing data ...
}
result = append(result, infos)
}
return result, nil
}
The DB-fallback path at queryServerServicesFromDB (service.go:340-) has the same structure: iterates services (the same GetSortedList() output) and emits ServiceName for any service monitoring serverID.
[C] — getServiceHistory returns the service name for any ID
cmd/dashboard/controller/service.go:126-180 (GET /api/v1/service/:id/history):
func getServiceHistory(c *gin.Context) (*model.ServiceHistoryResponse, error) {
serviceID, _ := strconv.ParseUint(c.Param("id"), 10, 64)
service, ok := singleton.ServiceSentinelShared.Get(serviceID) // [C] no filter
if !ok || service == nil {
return nil, singleton.Localizer.ErrorT("service not found")
}
// period restriction for guests (1d only) — but the service exists,
// and ServiceName is set unconditionally:
response := &model.ServiceHistoryResponse{
ServiceID: serviceID,
ServiceName: service.Name, // [C'] leaked
Servers: make([]model.ServerServiceStats, 0),
}
// ... per-server data is filtered via userCanViewServer — that part is correct ...
return response, nil
}
The per-server data inside the response IS correctly filtered via userCanViewServer. The service NAME is not.
The mismatch
[A] (CopyStats) gates by EnableShowInService because that's the listing endpoint's contract. [A'] (Get) / GetSortedList() return the raw data because they're "internal" accessors. But [B] and [C] are public-reachable endpoints that use those raw accessors and emit identifying information about services the owner marked as private. The visibility flag exists; it just isn't enforced at every reader of the same data.
A correct guard would either:
- Move the EnableShowInService filter into Get() / GetSortedList() themselves, gated by "caller is admin or service owner"
- Re-check EnableShowInService at every endpoint that emits service identity (name/id/timing)
Proof of concept
Setup (any nezha 2.x deployment):
1. User A (member) creates a Service "Internal-CRM-Health" with EnableShowInService: false, monitoring server S which is public (HideForGuest: false).
2. The service does not appear in GET /api/v1/service (the main listing correctly hides it).
Enumeration as an unauthenticated guest:
# Find services that monitor server S
curl -s 'https://nezha.example/api/v1/server/'"$S_ID"'/service'
# →
# {"success":true,"data":[
# {"service_id":42,"server_id":1,"service_name":"Internal-CRM-Health","server_name":"web-01",
# "display_index":0,"created_at":[...],"avg_delay":[...]}
# ]}
#
# Hidden service is leaked: ID, name, and per-server timing data are all visible.
Confirmation via the second endpoint:
curl -s 'https://nezha.example/api/v1/service/42/history?period=1d'
# →
# {"success":true,"data":{
# "service_id":42,
# "service_name":"Internal-CRM-Health", ← leaked even for direct ID lookup
# "servers":[] ← per-server data correctly hidden
# }}
A scripted enumeration over public server IDs (a low-cardinality numeric space — typical nezha deployments have <1000 servers) trivially recovers the full set of hidden services that monitor any public server, along with their names and timing patterns.
Impact
Direct
Service names in nezha deployments are frequently descriptive of the underlying business asset they monitor: "Production CRM Monitor", "Internal Wiki Health", "Backup-Vault Connectivity", "Stripe Webhook Latency". The leak therefore:
- Discloses the existence and purpose of internal services that the owner explicitly hid from the public dashboard.
- Exposes timing/latency data for the monitored relationship between a private service and any public server it touches — sufficient for a competitor or attacker to infer business activity patterns, outage windows, and probable backend topology.
- Confirms presence/absence of a service ID via the second endpoint — an oracle that lets an unauthenticated visitor enumerate the service-id namespace and learn the deployment's service count and naming convention even when no public servers exist as enumeration vectors.
Indirect / second-order
- Affects multi-tenant public dashboards: nezha is frequently deployed as a public status page with a private "internal" tier in the same dashboard. The bypass collapses the privacy boundary between these tiers.
- Composability with prior advisories: the recent fixes for
GHSA-rxf6-wjh4-jfj6(cross-user trigger-task firing),GHSA-hvv7-hfrh-7gxj(WS server-stream cross-tenant leak), andGHSA-4g6j-g789-rghm(forged monitor results) all address the cross-tenant visibility model. This finding is a sibling that closes one more reader gap in the same model.
Suggested fix
Either of:
- Centralize the filter in
ServiceSentinel— changeGet(id)andGetSortedList()to accept the*gin.Context(or a viewer context) and apply theEnableShowInServicefilter plus an admin-or-owner override. This guarantees every reader inherits the gate:
go
func (ss *ServiceSentinel) GetForViewer(c *gin.Context, id uint64) (*model.Service, bool) {
s, ok := ss.Get(id)
if !ok { return nil, false }
if !s.EnableShowInService && !callerIsAdminOrOwns(c, s) {
return nil, false
}
return s, true
}
- Recheck at every endpoint that emits service identity — add the EnableShowInService + ownership check at the top of
listServerServices,getServiceHistory, and anywhere elseGetSortedList()/Get()results flow to a response. More surgical but easier to miss next time.
Option (1) is symmetric with how userCanViewServer centralizes the server-visibility decision; the same pattern at the service layer would close this class once.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nezhahq/nezha"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49397"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T13:39:24Z",
"nvd_published_at": "2026-06-12T22:16:51Z",
"severity": "MODERATE"
},
"details": "# Private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data\n\n**CWE**: CWE-285 (Improper Authorization) via CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-863 (Incorrect Authorization \u2014 inconsistent gating across data-reader paths)\n\n**CVSS v3.1**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` \u2192 5.3 (Medium)\n\n## Summary\n\nThe `EnableShowInService` flag on a `Service` is meant to gate that service\u0027s visibility from the public dashboard. The main service-listing endpoint (`GET /api/v1/service` \u2192 `showService`) correctly filters services with `EnableShowInService: false` via `ServiceSentinel.CopyStats()` (`service/singleton/servicesentinel.go:421-438`). However, two adjacent reader endpoints retrieve service objects through code paths that do not honor the same flag:\n\n- `GET /api/v1/server/:id/service` (`listServerServices`) iterates `ServiceSentinel.GetSortedList()` (which returns every service regardless of visibility) and emits service ID, name, and timing data for any service monitoring the queried server.\n- `GET /api/v1/service/:id/history` (`getServiceHistory`) calls `ServiceSentinel.Get(serviceID)` directly and emits the service name (and aggregated per-server stats for servers the viewer can see).\n\nBoth endpoints are mounted on the `optionalAuth` group, so an unauthenticated visitor can enumerate hidden services as long as they can guess a public server ID (linear scan over a small numeric ID space) or a service ID (likewise). The service owner\u0027s intent \u2014 \"hide this from the public\" via `EnableShowInService: false` \u2014 is silently bypassed.\n\n## Affected\n\n- nezha `master` at HEAD `636f4a99e6c3d8d75f17fdf7ad55d4ee0f73f1c0` (the audit checkout)\n- All recent 2.x releases that share this code path (post the `EnableShowInService` filter introduction at `CopyStats`)\n\n## Vulnerability details\n\n### [A] \u2014 single-source-of-truth filter exists at the listing site\n\n`service/singleton/servicesentinel.go:421-438`:\n\n```go\nfunc (ss *ServiceSentinel) CopyStats() map[uint64]model.ServiceResponseItem {\n var stats map[uint64]*serviceResponseItem\n copier.Copy(\u0026stats, ss.LoadStats())\n\n sri := make(map[uint64]model.ServiceResponseItem)\n for k, service := range stats {\n if !service.service.EnableShowInService { // [A] filter here\n delete(stats, k)\n continue\n }\n service.ServiceName = service.service.Name\n sri[k] = service.ServiceResponseItem\n }\n return sri\n}\n```\n\n`CopyStats()` is the only reader that respects `EnableShowInService`. `Get()` and `GetSortedList()` immediately below it return the raw services with no such filter:\n\n```go\nfunc (ss *ServiceSentinel) Get(id uint64) (s *model.Service, ok bool) {\n ss.servicesLock.RLock(); defer ss.servicesLock.RUnlock()\n s, ok = ss.services[id]\n return // [A\u0027] no EnableShowInService check\n}\n```\n\n### [B] \u2014 `listServerServices` iterates `GetSortedList()` and emits hidden services\n\n`cmd/dashboard/controller/service.go:258-340` (`GET /api/v1/server/:id/service`):\n\n```go\nfunc listServerServices(c *gin.Context) ([]*model.ServiceInfos, error) {\n // ... server existence + userCanViewServer check ...\n services := singleton.ServiceSentinelShared.GetSortedList() // [B] all services, no filter\n\n for _, service := range services {\n if service.Cover == model.ServiceCoverAll {\n if service.SkipServers[serverID] { continue }\n } else {\n if !service.SkipServers[serverID] { continue }\n }\n // ... fetch history ...\n infos := \u0026model.ServiceInfos{\n ServiceID: service.ID,\n ServerID: serverID,\n ServiceName: service.Name, // [B\u0027] leaked\n ServerName: server.Name,\n // ... timing data ...\n }\n result = append(result, infos)\n }\n return result, nil\n}\n```\n\nThe DB-fallback path at `queryServerServicesFromDB` (`service.go:340-`) has the same structure: iterates `services` (the same `GetSortedList()` output) and emits ServiceName for any service monitoring `serverID`.\n\n### [C] \u2014 `getServiceHistory` returns the service name for any ID\n\n`cmd/dashboard/controller/service.go:126-180` (`GET /api/v1/service/:id/history`):\n\n```go\nfunc getServiceHistory(c *gin.Context) (*model.ServiceHistoryResponse, error) {\n serviceID, _ := strconv.ParseUint(c.Param(\"id\"), 10, 64)\n service, ok := singleton.ServiceSentinelShared.Get(serviceID) // [C] no filter\n if !ok || service == nil {\n return nil, singleton.Localizer.ErrorT(\"service not found\")\n }\n // period restriction for guests (1d only) \u2014 but the service exists,\n // and ServiceName is set unconditionally:\n response := \u0026model.ServiceHistoryResponse{\n ServiceID: serviceID,\n ServiceName: service.Name, // [C\u0027] leaked\n Servers: make([]model.ServerServiceStats, 0),\n }\n // ... per-server data is filtered via userCanViewServer \u2014 that part is correct ...\n return response, nil\n}\n```\n\nThe per-server data inside the response IS correctly filtered via `userCanViewServer`. The service NAME is not.\n\n### The mismatch\n\n[A] (`CopyStats`) gates by `EnableShowInService` because that\u0027s the listing endpoint\u0027s contract. [A\u0027] (`Get`) / `GetSortedList()` return the raw data because they\u0027re \"internal\" accessors. But [B] and [C] are public-reachable endpoints that use those raw accessors and emit identifying information about services the owner marked as private. The visibility flag exists; it just isn\u0027t enforced at every reader of the same data.\n\nA correct guard would either:\n- Move the `EnableShowInService` filter into `Get()` / `GetSortedList()` themselves, gated by \"caller is admin or service owner\"\n- Re-check `EnableShowInService` at every endpoint that emits service identity (name/id/timing)\n\n## Proof of concept\n\nSetup (any nezha 2.x deployment):\n1. User A (member) creates a Service \"Internal-CRM-Health\" with `EnableShowInService: false`, monitoring server `S` which is public (`HideForGuest: false`).\n2. The service does not appear in `GET /api/v1/service` (the main listing correctly hides it).\n\nEnumeration as an unauthenticated guest:\n\n```bash\n# Find services that monitor server S\ncurl -s \u0027https://nezha.example/api/v1/server/\u0027\"$S_ID\"\u0027/service\u0027\n# \u2192\n# {\"success\":true,\"data\":[\n# {\"service_id\":42,\"server_id\":1,\"service_name\":\"Internal-CRM-Health\",\"server_name\":\"web-01\",\n# \"display_index\":0,\"created_at\":[...],\"avg_delay\":[...]}\n# ]}\n#\n# Hidden service is leaked: ID, name, and per-server timing data are all visible.\n```\n\nConfirmation via the second endpoint:\n\n```bash\ncurl -s \u0027https://nezha.example/api/v1/service/42/history?period=1d\u0027\n# \u2192\n# {\"success\":true,\"data\":{\n# \"service_id\":42,\n# \"service_name\":\"Internal-CRM-Health\", \u2190 leaked even for direct ID lookup\n# \"servers\":[] \u2190 per-server data correctly hidden\n# }}\n```\n\nA scripted enumeration over public server IDs (a low-cardinality numeric space \u2014 typical nezha deployments have \u003c1000 servers) trivially recovers the full set of hidden services that monitor any public server, along with their names and timing patterns.\n\n## Impact\n\n### Direct\n\nService names in nezha deployments are frequently descriptive of the underlying business asset they monitor: `\"Production CRM Monitor\"`, `\"Internal Wiki Health\"`, `\"Backup-Vault Connectivity\"`, `\"Stripe Webhook Latency\"`. The leak therefore:\n\n- **Discloses the existence and purpose of internal services** that the owner explicitly hid from the public dashboard.\n- **Exposes timing/latency data** for the monitored relationship between a private service and any public server it touches \u2014 sufficient for a competitor or attacker to infer business activity patterns, outage windows, and probable backend topology.\n- **Confirms presence/absence of a service ID** via the second endpoint \u2014 an oracle that lets an unauthenticated visitor enumerate the service-id namespace and learn the deployment\u0027s service count and naming convention even when no public servers exist as enumeration vectors.\n\n### Indirect / second-order\n\n- **Affects multi-tenant public dashboards**: nezha is frequently deployed as a public status page with a private \"internal\" tier in the same dashboard. The bypass collapses the privacy boundary between these tiers.\n- **Composability with prior advisories**: the recent fixes for `GHSA-rxf6-wjh4-jfj6` (cross-user trigger-task firing), `GHSA-hvv7-hfrh-7gxj` (WS server-stream cross-tenant leak), and `GHSA-4g6j-g789-rghm` (forged monitor results) all address the cross-tenant visibility model. This finding is a sibling that closes one more reader gap in the same model.\n\n## Suggested fix\n\nEither of:\n\n1. **Centralize the filter in `ServiceSentinel`** \u2014 change `Get(id)` and `GetSortedList()` to accept the `*gin.Context` (or a viewer context) and apply the `EnableShowInService` filter plus an admin-or-owner override. This guarantees every reader inherits the gate:\n\n ```go\n func (ss *ServiceSentinel) GetForViewer(c *gin.Context, id uint64) (*model.Service, bool) {\n s, ok := ss.Get(id)\n if !ok { return nil, false }\n if !s.EnableShowInService \u0026\u0026 !callerIsAdminOrOwns(c, s) {\n return nil, false\n }\n return s, true\n }\n ```\n\n2. **Recheck at every endpoint that emits service identity** \u2014 add the EnableShowInService + ownership check at the top of `listServerServices`, `getServiceHistory`, and anywhere else `GetSortedList()`/`Get()` results flow to a response. More surgical but easier to miss next time.\n\nOption (1) is symmetric with how `userCanViewServer` centralizes the server-visibility decision; the same pattern at the service layer would close this class once.",
"id": "GHSA-vrmh-5mmx-hjwx",
"modified": "2026-06-26T21:29:08Z",
"published": "2026-06-10T13:39:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-vrmh-5mmx-hjwx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49397"
},
{
"type": "PACKAGE",
"url": "https://github.com/nezhahq/nezha"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nezha\u0027s private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data"
}
GHSA-VRQ2-W7R7-3FP2
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2025-11-07 23:21Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.2"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.2-p1"
},
{
"fixed": "2.4.2-p2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.3.7"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7-p1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-36037"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-07T23:21:19Z",
"nvd_published_at": "2021-09-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.",
"id": "GHSA-vrq2-w7r7-3fp2",
"modified": "2025-11-07T23:21:19Z",
"published": "2022-05-24T19:12:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36037"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Magento is affected by an improper authorization vulnerability"
}
GHSA-VRV5-28J8-RV7X
Vulnerability from github – Published: 2022-02-24 00:00 – Updated: 2022-03-03 00:01Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0.
{
"affected": [],
"aliases": [
"CVE-2022-0727"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-23T14:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0.",
"id": "GHSA-vrv5-28j8-rv7x",
"modified": "2022-03-03T00:01:03Z",
"published": "2022-02-24T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0727"
},
{
"type": "WEB",
"url": "https://github.com/chocobozzz/peertube/commit/6ea9295b8f5dd7cc254202a79aad61c666cc4259"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/d1faa10f-0640-480c-bb52-089adb351e6e"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VV27-WPRX-CXJ7
Vulnerability from github – Published: 2026-03-26 12:30 – Updated: 2026-03-26 12:30Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
{
"affected": [],
"aliases": [
"CVE-2026-4263"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T10:16:26Z",
"severity": "MODERATE"
},
"details": "Vulnerability of incorrect authorization in\u00a0HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter\u00a0\n\u0027visitor\u0027 in \u0027/api/v1/webchat/message\u0027.",
"id": "GHSA-vv27-wprx-cxj7",
"modified": "2026-03-26T12:30:29Z",
"published": "2026-03-26T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4263"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VV4W-HR59-HMW6
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2024-04-04 03:04The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases.
{
"affected": [],
"aliases": [
"CVE-2021-28373"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-13T21:15:00Z",
"severity": "HIGH"
},
"details": "The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases.",
"id": "GHSA-vv4w-hr59-hmw6",
"modified": "2024-04-04T03:04:53Z",
"published": "2022-05-24T17:44:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28373"
},
{
"type": "WEB",
"url": "https://community.tt-rss.org/t/check-password-not-called-if-otp-is-enabled-update-asap-if-youre-using-2fa/4502"
},
{
"type": "WEB",
"url": "https://git.tt-rss.org/fox/tt-rss/commit/4949e1a59059d9e72ba7a98f783cec312c06c6d2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VV6F-F322-W3FX
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain read-only access to files that are located on the flash: filesystem that otherwise might not have been accessible.
{
"affected": [],
"aliases": [
"CVE-2020-3477"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-24T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the CLI parser of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to access files from the flash: filesystem. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain read-only access to files that are located on the flash: filesystem that otherwise might not have been accessible.",
"id": "GHSA-vv6f-f322-w3fx",
"modified": "2022-05-24T17:29:28Z",
"published": "2022-05-24T17:29:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3477"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-disclosure-V4BmJBNF"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VV73-F4GC-GGHX
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.2), SCALANCE XC324-4 EEC (6GK5328-4TS00-2EC2) (All versions < V3.2), SCALANCE XC332 (6GK5332-0GA00-2AC2) (All versions < V3.2), SCALANCE XC416-8 (6GK5424-8TR00-2AC2) (All versions < V3.2), SCALANCE XC424-4 (6GK5428-4TR00-2AC2) (All versions < V3.2), SCALANCE XC432 (6GK5432-0GR00-2AC2) (All versions < V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.2), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions < V3.2), SCALANCE XCM332 (6GK5332-0GA01-2AC2) (All versions < V3.2), SCALANCE XR302-32 (6GK5334-5TS00-2AR3) (All versions < V3.2), SCALANCE XR302-32 (6GK5334-5TS00-3AR3) (All versions < V3.2), SCALANCE XR302-32 (6GK5334-5TS00-4AR3) (All versions < V3.2), SCALANCE XR322-12 (6GK5334-3TS00-2AR3) (All versions < V3.2), SCALANCE XR322-12 (6GK5334-3TS00-3AR3) (All versions < V3.2), SCALANCE XR322-12 (6GK5334-3TS00-4AR3) (All versions < V3.2), SCALANCE XR326-8 (6GK5334-2TS00-2AR3) (All versions < V3.2), SCALANCE XR326-8 (6GK5334-2TS00-3AR3) (All versions < V3.2), SCALANCE XR326-8 (6GK5334-2TS00-4AR3) (All versions < V3.2), SCALANCE XR326-8 EEC (6GK5334-2TS00-2ER3) (All versions < V3.2), SCALANCE XR502-32 (6GK5534-5TR00-2AR3) (All versions < V3.2), SCALANCE XR502-32 (6GK5534-5TR00-3AR3) (All versions < V3.2), SCALANCE XR502-32 (6GK5534-5TR00-4AR3) (All versions < V3.2), SCALANCE XR522-12 (6GK5534-3TR00-2AR3) (All versions < V3.2), SCALANCE XR522-12 (6GK5534-3TR00-3AR3) (All versions < V3.2), SCALANCE XR522-12 (6GK5534-3TR00-4AR3) (All versions < V3.2), SCALANCE XR526-8 (6GK5534-2TR00-2AR3) (All versions < V3.2), SCALANCE XR526-8 (6GK5534-2TR00-3AR3) (All versions < V3.2), SCALANCE XR526-8 (6GK5534-2TR00-4AR3) (All versions < V3.2), SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) (All versions < V3.2), SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) (All versions < V3.2), SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) (All versions < V3.2), SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) (All versions < V3.2). An internal session termination functionality in the web interface of affected products contains an incorrect authorization check vulnerability. This could allow an authenticated remote attacker with "guest" role to terminate legitimate users' sessions.
{
"affected": [],
"aliases": [
"CVE-2025-40568"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T16:15:38Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V3.2), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions \u003c V3.2), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions \u003c V3.2), SCALANCE XC324-4 EEC (6GK5328-4TS00-2EC2) (All versions \u003c V3.2), SCALANCE XC332 (6GK5332-0GA00-2AC2) (All versions \u003c V3.2), SCALANCE XC416-8 (6GK5424-8TR00-2AC2) (All versions \u003c V3.2), SCALANCE XC424-4 (6GK5428-4TR00-2AC2) (All versions \u003c V3.2), SCALANCE XC432 (6GK5432-0GR00-2AC2) (All versions \u003c V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions \u003c V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions \u003c V3.2), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions \u003c V3.2), SCALANCE XCM332 (6GK5332-0GA01-2AC2) (All versions \u003c V3.2), SCALANCE XR302-32 (6GK5334-5TS00-2AR3) (All versions \u003c V3.2), SCALANCE XR302-32 (6GK5334-5TS00-3AR3) (All versions \u003c V3.2), SCALANCE XR302-32 (6GK5334-5TS00-4AR3) (All versions \u003c V3.2), SCALANCE XR322-12 (6GK5334-3TS00-2AR3) (All versions \u003c V3.2), SCALANCE XR322-12 (6GK5334-3TS00-3AR3) (All versions \u003c V3.2), SCALANCE XR322-12 (6GK5334-3TS00-4AR3) (All versions \u003c V3.2), SCALANCE XR326-8 (6GK5334-2TS00-2AR3) (All versions \u003c V3.2), SCALANCE XR326-8 (6GK5334-2TS00-3AR3) (All versions \u003c V3.2), SCALANCE XR326-8 (6GK5334-2TS00-4AR3) (All versions \u003c V3.2), SCALANCE XR326-8 EEC (6GK5334-2TS00-2ER3) (All versions \u003c V3.2), SCALANCE XR502-32 (6GK5534-5TR00-2AR3) (All versions \u003c V3.2), SCALANCE XR502-32 (6GK5534-5TR00-3AR3) (All versions \u003c V3.2), SCALANCE XR502-32 (6GK5534-5TR00-4AR3) (All versions \u003c V3.2), SCALANCE XR522-12 (6GK5534-3TR00-2AR3) (All versions \u003c V3.2), SCALANCE XR522-12 (6GK5534-3TR00-3AR3) (All versions \u003c V3.2), SCALANCE XR522-12 (6GK5534-3TR00-4AR3) (All versions \u003c V3.2), SCALANCE XR526-8 (6GK5534-2TR00-2AR3) (All versions \u003c V3.2), SCALANCE XR526-8 (6GK5534-2TR00-3AR3) (All versions \u003c V3.2), SCALANCE XR526-8 (6GK5534-2TR00-4AR3) (All versions \u003c V3.2), SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) (All versions \u003c V3.2), SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) (All versions \u003c V3.2), SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) (All versions \u003c V3.2), SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) (All versions \u003c V3.2), SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) (All versions \u003c V3.2), SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) (All versions \u003c V3.2), SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) (All versions \u003c V3.2), SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) (All versions \u003c V3.2), SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) (All versions \u003c V3.2), SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) (All versions \u003c V3.2). An internal session termination functionality in the web interface of affected products contains an incorrect authorization check vulnerability. This could allow an authenticated remote attacker with \"guest\" role to terminate legitimate users\u0027 sessions.",
"id": "GHSA-vv73-f4gc-gghx",
"modified": "2025-06-10T18:32:25Z",
"published": "2025-06-10T18:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40568"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-693776.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VVG7-8RMQ-92G7
Vulnerability from github – Published: 2025-12-17 20:57 – Updated: 2025-12-17 20:57Description
In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.
Affected product and versions
Projects are affected if they meet the following preconditions:
- Applications using the Auth0 Wordpress plugin with version between 5.0.0-BETA0 and 5.4.0,
- Auth0 Wordpress plugin uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.
Resolution
Upgrade Auth0 Wordpress plugin to version 5.5.0 or greater.
Acknowledgement
Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.4.0"
},
"package": {
"ecosystem": "Packagist",
"name": "auth0/wordpress"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-BETA0"
},
{
"fixed": "5.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-17T20:57:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n\n### Affected product and versions\nProjects are affected if they meet the following preconditions:\n\n- Applications using the Auth0 Wordpress plugin with version between 5.0.0-BETA0 and 5.4.0,\n- Auth0 Wordpress plugin uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.\n\n### Resolution\nUpgrade Auth0 Wordpress plugin to version 5.5.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
"id": "GHSA-vvg7-8rmq-92g7",
"modified": "2025-12-17T20:57:09Z",
"published": "2025-12-17T20:57:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7"
},
{
"type": "WEB",
"url": "https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/wordpress"
},
{
"type": "WEB",
"url": "https://github.com/auth0/wordpress/releases/tag/5.5.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency"
}
GHSA-VVJ5-P4VC-V5Q3
Vulnerability from github – Published: 2026-07-01 18:31 – Updated: 2026-07-01 18:31Incorrect Authorization (CWE-863) in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to view.
{
"affected": [],
"aliases": [
"CVE-2026-56152"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T17:16:37Z",
"severity": "MODERATE"
},
"details": "Incorrect Authorization (CWE-863) in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to view.",
"id": "GHSA-vvj5-p4vc-v5q3",
"modified": "2026-07-01T18:31:55Z",
"published": "2026-07-01T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56152"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-defend-8-19-13-9-2-7-9-3-2-security-update-esa-2026-46"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.