Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5504 vulnerabilities reference this CWE, most recent first.

GHSA-WX35-29XJ-R29Q

Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T21:15:06Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system.",
  "id": "GHSA-wx35-29xj-r29q",
  "modified": "2026-04-02T21:31:59Z",
  "published": "2024-10-28T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44253"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121564"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121568"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121570"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX5H-WQFQ-V698

Vulnerability from github – Published: 2025-03-11 15:27 – Updated: 2025-03-12 14:40
VLAI
Summary
Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
Details

Impact

Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to.

Patches

Will be patched in 10.8.9 and 13.7.1

Workarounds

None available.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.8.8"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Web.Backoffice"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.8.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.7.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Web.Backoffice"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-rc1"
            },
            {
              "fixed": "13.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T15:27:34Z",
    "nvd_published_at": "2025-03-11T16:15:18Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nVia manipulation of backoffice API URLs it\u0027s possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to.\n\n### Patches\nWill be patched in 10.8.9 and 13.7.1\n\n### Workarounds\nNone available.",
  "id": "GHSA-wx5h-wqfq-v698",
  "modified": "2025-03-12T14:40:32Z",
  "published": "2025-03-11T15:27:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27602"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content"
}

GHSA-WXH7-CRXJ-886H

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-10-14 12:00
VLAI
Details

Linear eMerge E3-Series devices allow Privilege Escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-02T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Linear eMerge E3-Series devices allow Privilege Escalation.",
  "id": "GHSA-wxh7-crxj-886h",
  "modified": "2022-10-14T12:00:22Z",
  "published": "2022-05-24T22:00:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7258"
    },
    {
      "type": "WEB",
      "url": "https://applied-risk.com/labs/advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.applied-risk.com/resources/ar-2019-005"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/155260/Linear-eMerge-E3-1.00-06-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXP5-9W64-PP68

Vulnerability from github – Published: 2023-08-24 06:30 – Updated: 2024-04-04 07:10
VLAI
Details

A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security breaches, data theft, and unauthorized manipulation of sensitive information. The vulnerability is attributed to the presence of an unauthorized service, which could potentially enable unauthorized access to the. device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-489",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-24T06:15:44Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in the ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which can be exploited by malicious actors to potentially gain unauthorized access to the product. This could lead to security breaches, data theft, and unauthorized manipulation of sensitive information. The vulnerability is attributed to the presence of an unauthorized service, which could potentially enable unauthorized access to the. device.\n\n",
  "id": "GHSA-wxp5-9w64-pp68",
  "modified": "2024-04-04T07:10:20Z",
  "published": "2023-08-24T06:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4227"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230310-iologik-4000-series-multiple-web-server-vulnerabilities-and-improper-access-control-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXQP-JWC9-G39X

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2024-04-23 22:30
VLAI
Summary
Drupal Core Access bypass vulnerability
Details

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.8.0"
            },
            {
              "fixed": "8.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.9.0"
            },
            {
              "fixed": "8.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.8.0"
            },
            {
              "fixed": "8.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.9.0"
            },
            {
              "fixed": "8.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:30:43Z",
    "nvd_published_at": "2021-05-05T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.",
  "id": "GHSA-wxqp-jwc9-g39x",
  "modified": "2024-04-23T22:30:43Z",
  "published": "2022-05-24T17:49:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13665.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13665.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2020-006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal Core Access bypass vulnerability"
}

GHSA-WXV8-VQC5-V4J2

Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2022-04-15 00:01
VLAI
Details

A vulnerability in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software could allow an authenticated, local attacker to escalate privileges on an affected device. This vulnerability is due to insufficient access control in the affected CLI. An attacker could exploit this vulnerability by authenticating as a CEE ConfD CLI user and executing a specific CLI command. A successful exploit could allow an attacker to access privileged containers with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-06T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software could allow an authenticated, local attacker to escalate privileges on an affected device. This vulnerability is due to insufficient access control in the affected CLI. An attacker could exploit this vulnerability by authenticating as a CEE ConfD CLI user and executing a specific CLI command. A successful exploit could allow an attacker to access privileged containers with root privileges.",
  "id": "GHSA-wxv8-vqc5-v4j2",
  "modified": "2022-04-15T00:01:05Z",
  "published": "2022-04-07T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20762"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccsmi-prvesc-BQHGe4cm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXVP-5PM4-8849

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-07-13 00:01
VLAI
Details

Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-11T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.",
  "id": "GHSA-wxvp-5pm4-8849",
  "modified": "2022-07-13T00:01:42Z",
  "published": "2022-05-24T19:20:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42002"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/ad-manager/release-notes.html#7115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXX5-W9JC-48WX

Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 22:02
VLAI
Summary
Pebble Templates protection mechanism bypass can lead to arbitrary code execution
Details

Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.pebbletemplates:pebble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:27:25Z",
    "nvd_published_at": "2022-09-12T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok.",
  "id": "GHSA-wxx5-w9jc-48wx",
  "modified": "2022-09-16T22:02:16Z",
  "published": "2022-09-13T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PebbleTemplates/pebble/issues/625#issuecomment-1282138635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Y4tacker/Web-Security/issues/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pebble Templates protection mechanism bypass can lead to arbitrary code execution"
}

GHSA-X234-X5VQ-CC2V

Vulnerability from github – Published: 2026-04-21 15:00 – Updated: 2026-04-27 16:20
VLAI
Summary
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Details

Summary

A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled.

Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege.

Details

The application exposes an account-level disable control through the users management API. Login process correctly enforces that control: https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/login.go#L29-L31

However, token-based authentication does not enforce the same check (This code validates token structure and expiry, but returns that user object without checking user.Status.): https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/user.go#L44-L139

There’s also no token revocation feature, unlike when a password is changed: https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/api/user/user.go#L38-L51

As a result, a disabled user can continue to have full API access. In particular, since that includes account creation, they can create a new account and keep operating even after the JWT expires.

PoC

The issue was validated with version 2.3.3 using the uozi/nginx-ui:sha-c92ec0a docker image.

View the PoC video:

https://github.com/user-attachments/assets/7a5175cb-2f79-4c1b-adad-e7d0bf2ea2bd

Impact

Administrators who rely on "disable user" as an authentication or authorization control can be bypassed.

The disabled user can keep reading sensitive configuration and executing authenticated state-changing actions allowed to that account.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/0xJacky/Nginx-UI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.10-0.20260314152518-7b66578adb47"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T15:00:44Z",
    "nvd_published_at": "2026-04-20T21:16:32Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user\u2019s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled.\n\nSince tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege.\n\n### Details\n\nThe application exposes an account-level disable control through the users management API. Login process correctly enforces that control:\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/login.go#L29-L31\n\nHowever, token-based authentication does not enforce the same check (This code validates token structure and expiry, but returns that user object without checking `user.Status`.):\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/user.go#L44-L139\n\nThere\u2019s also no token revocation feature, unlike when a password is changed:\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/api/user/user.go#L38-L51\n\nAs a result, a disabled user can continue to have full API access. In particular, since that includes account creation, they can create a new account and keep operating even after the JWT expires.\n\n### PoC\n\nThe issue was validated with version 2.3.3 using the `uozi/nginx-ui:sha-c92ec0a` docker image.\n\nView the PoC video:\n\n\nhttps://github.com/user-attachments/assets/7a5175cb-2f79-4c1b-adad-e7d0bf2ea2bd\n\n\n\n### Impact\n\nAdministrators who rely on \"disable user\" as an authentication or authorization control can be bypassed.\n\nThe disabled user can keep reading sensitive configuration and executing authenticated state-changing actions allowed to that account.",
  "id": "GHSA-x234-x5vq-cc2v",
  "modified": "2026-04-27T16:20:27Z",
  "published": "2026-04-21T15:00:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/commit/7b66578adb47bbec839b621a4666495249379174"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/0xJacky/nginx-ui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nginx-UI: Disabled users retain full API access through previously issued bearer tokens"
}

GHSA-X24J-87X9-JVV5

Vulnerability from github – Published: 2021-11-03 17:34 – Updated: 2022-08-11 22:06
VLAI
Summary
Publify `guest` role users can self-register even when the admin does not allow it
Details

In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. guest role users can self-register even when the admin does not allow it. This happens due to front-end restriction only.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "publify_core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0.pre1"
            },
            {
              "fixed": "9.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-669",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-03T14:44:37Z",
    "nvd_published_at": "2021-11-02T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. `guest` role users can self-register even when the admin does not allow it. This happens due to front-end restriction only.",
  "id": "GHSA-x24j-87x9-jvv5",
  "modified": "2022-08-11T22:06:27Z",
  "published": "2021-11-03T17:34:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25973"
    },
    {
      "type": "WEB",
      "url": "https://github.com/publify/publify/commit/3447e0241e921b65f6eb1090453d8ea73e98387e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/publify/publify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2021-25973.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Publify `guest` role users can self-register even when the admin does not allow it"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.