Common Weakness Enumeration

CWE-940

Allowed

Improper Verification of Source of a Communication Channel

Abstraction: Base · Status: Incomplete

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

92 vulnerabilities reference this CWE, most recent first.

GHSA-C86M-WFX2-QMX9

Vulnerability from github – Published: 2023-08-03 12:31 – Updated: 2024-04-04 06:30
VLAI
Details

In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-03T11:15:10Z",
    "severity": "HIGH"
  },
  "details": "In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.",
  "id": "GHSA-c86m-wfx2-qmx9",
  "modified": "2024-04-04T06:30:56Z",
  "published": "2023-08-03T12:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3663"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2023-022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9Q3-F5V3-G7HW

Vulnerability from github – Published: 2024-06-17 18:31 – Updated: 2024-08-14 15:31
VLAI
Details

TP-LINK TL-7DR5130 v1.0.23 is vulnerable to TCP DoS or hijacking attacks. An attacker in the same WLAN as the victim can disconnect or hijack the traffic between the victim and any remote server by sending out forged TCP RST messages to evict NAT mappings in the router.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-17T18:15:17Z",
    "severity": "MODERATE"
  },
  "details": "TP-LINK TL-7DR5130 v1.0.23 is vulnerable to TCP DoS or hijacking attacks. An attacker in the same WLAN as the victim can disconnect or hijack the traffic between the victim and any remote server by sending out forged TCP RST messages to evict NAT mappings in the router.",
  "id": "GHSA-c9q3-f5v3-g7hw",
  "modified": "2024-08-14T15:31:11Z",
  "published": "2024-06-17T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37662"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ouuan/router-vuln-report/blob/master/nat-rst/tl-7dr5130-nat-rst.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMM3-54F8-PX4J

Vulnerability from github – Published: 2026-06-08 22:59 – Updated: 2026-06-12 19:29
VLAI
Summary
Netty's Default QUIC token handler accepts any client-supplied token
Details

NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken() returns false (server will not send Retry — acceptable), but validateToken() unconditionally return 0. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet — with a spoofed victim source IP — causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct 'no token handler' semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.2.14.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-codec-classes-quic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0.Final"
            },
            {
              "fixed": "4.2.15.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-08T22:59:43Z",
    "nvd_published_at": "2026-06-12T15:16:26Z",
    "severity": "HIGH"
  },
  "details": "NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken() returns false (server will not send Retry \u2014 acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as \u0027token is valid, ODCID starts at offset 0\u0027, causing the server to call quiche_accept as if the client\u0027s address had been validated by a Retry round-trip. Per RFC 9000 \u00a78.1, a validated address lifts the 3\u00d7 anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet \u2014 with a spoofed victim source IP \u2014 causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3\u00d7 cap. The correct \u0027no token handler\u0027 semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply.",
  "id": "GHSA-cmm3-54f8-px4j",
  "modified": "2026-06-12T19:29:17Z",
  "published": "2026-06-08T22:59:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-cmm3-54f8-px4j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44894"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netty/netty"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Netty\u0027s Default QUIC token handler accepts any client-supplied token"
}

GHSA-CXMW-P77Q-WCHG

Vulnerability from github – Published: 2026-03-26 19:30 – Updated: 2026-04-10 19:38
VLAI
Summary
OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
Details

Summary

Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 8b02ef133275be96d8aac2283100016c8a7f32e5

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt now snapshots page origin and rejects untrusted bridge calls.
  • apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt centralizes trusted origin and path validation for the bridge.

OpenClaw thanks @cyjhhh for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T19:30:52Z",
    "nvd_published_at": "2026-04-10T17:17:04Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nAndroid Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `8b02ef133275be96d8aac2283100016c8a7f32e5`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt now snapshots page origin and rejects untrusted bridge calls.\n- apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt centralizes trusted origin and path validation for the bridge.\n\nOpenClaw thanks @cyjhhh for reporting.",
  "id": "GHSA-cxmw-p77q-wchg",
  "modified": "2026-04-10T19:38:04Z",
  "published": "2026-03-26T19:30:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface"
}

GHSA-FHJC-F2GW-HFVW

Vulnerability from github – Published: 2025-10-15 21:31 – Updated: 2025-10-16 15:30
VLAI
Details

The issue was resolved by not loading remote images This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T20:15:34Z",
    "severity": "MODERATE"
  },
  "details": "The issue was resolved by not loading remote images This issue is fixed in iOS 18.6 and iPadOS 18.6. Forwarding an email could display remote images in Mail in Lockdown Mode.",
  "id": "GHSA-fhjc-f2gw-hfvw",
  "modified": "2025-10-16T15:30:41Z",
  "published": "2025-10-15T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43280"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/124147"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVJR-4PF9-7PJQ

Vulnerability from github – Published: 2024-09-02 21:30 – Updated: 2024-09-17 15:31
VLAI
Details

The registration process of uniFLOW Online (NT-ware product) apps, prior to and including version 2024.1.0, can be compromised when email login is enabled on the tenant. Those tenants utilising email login in combination with Microsoft Safe Links or similar are impacted. This vulnerability may allow the attacker to register themselves against a genuine user in the system and allow malicious users with similar access and capabilities via the app to the existing genuine user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-02T20:15:03Z",
    "severity": "HIGH"
  },
  "details": "The registration process of uniFLOW Online (NT-ware product) apps, prior to and including version 2024.1.0, can be compromised when email login is enabled on the tenant. Those tenants utilising email login in combination with Microsoft Safe Links or similar are impacted. This vulnerability may allow the attacker to register themselves against a genuine user in the system and allow malicious users with similar access and capabilities via the app to the existing genuine user.",
  "id": "GHSA-fvjr-4pf9-7pjq",
  "modified": "2024-09-17T15:31:23Z",
  "published": "2024-09-02T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1621"
    },
    {
      "type": "WEB",
      "url": "https://ntware.atlassian.net/wiki/spaces/SA/pages/12113215492/2024+Security+Advisory+Device+registration+susceptible+to+compromise"
    },
    {
      "type": "WEB",
      "url": "https://www.canon-europe.com/psirt/advisory-information"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FXVF-JCP9-CH47

Vulnerability from github – Published: 2024-06-17 18:31 – Updated: 2024-07-03 18:45
VLAI
Details

TP-LINK TL-7DR5130 v1.0.23 is vulnerable to forged ICMP redirect message attacks. An attacker in the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending out forged ICMP redirect messages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-17T18:15:17Z",
    "severity": "MODERATE"
  },
  "details": "TP-LINK TL-7DR5130 v1.0.23 is vulnerable to forged ICMP redirect message attacks. An attacker in the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending out forged ICMP redirect messages.",
  "id": "GHSA-fxvf-jcp9-ch47",
  "modified": "2024-07-03T18:45:42Z",
  "published": "2024-06-17T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ouuan/router-vuln-report/blob/master/icmp-redirect/tl-7dr5130-redirect.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3V5-CGPF-RR2H

Vulnerability from github – Published: 2025-10-20 09:30 – Updated: 2025-10-23 00:30
VLAI
Details

Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-20T08:15:33Z",
    "severity": "CRITICAL"
  },
  "details": "Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets.",
  "id": "GHSA-g3v5-cgpf-rr2h",
  "modified": "2025-10-23T00:30:33Z",
  "published": "2025-10-20T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61932"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN86318557"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61932"
    },
    {
      "type": "WEB",
      "url": "https://www.motex.co.jp/news/notice/2025/release251020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G5QX-H5F3-MP2F

Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15
VLAI
Summary
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
Details

TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session.

Fixed in #7056 by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never "*").

Note: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tinacms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@tinacms/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-601",
      "CWE-79",
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:15:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "TinaCMS registers window message listeners \u2014 the useTina overlay handler, the OAuth authentication popup handler, and the admin\u2194preview iframe GraphQL reducer \u2014 that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session.\n\nFixed in [#7056](https://github.com/tinacms/tinacms/pull/7056) by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never \"*\").\n\nNote: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.",
  "id": "GHSA-g5qx-h5f3-mp2f",
  "modified": "2026-06-19T21:15:29Z",
  "published": "2026-06-19T21:15:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g5qx-h5f3-mp2f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/pull/7056"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinacms/tinacms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover"
}

GHSA-G7QW-4P9H-V9VX

Vulnerability from github – Published: 2023-12-15 09:30 – Updated: 2023-12-15 09:30
VLAI
Details

TAIWAN-CA(TWCA) JCICSecurityTool's Registry-related functions have insufficient filtering for special characters. An unauthenticated remote attacker can inject malicious script into a webpage to perform XSS (Stored Cross-Site Scripting) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-79",
      "CWE-940"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-15T09:15:08Z",
    "severity": "MODERATE"
  },
  "details": "TAIWAN-CA(TWCA) JCICSecurityTool\u0027s Registry-related functions have insufficient filtering for special characters. An unauthenticated remote attacker can inject malicious script into a webpage to perform XSS (Stored Cross-Site Scripting) attack.",
  "id": "GHSA-g7qw-4p9h-v9vx",
  "modified": "2023-12-15T09:30:18Z",
  "published": "2023-12-15T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48387"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7602-a47a2-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack.
  • When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.
CAPEC-500: WebView Injection

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.

CAPEC-594: Traffic Injection

An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. Instead, the adversary is crafting a specific input to affect the system in a particular way.

CAPEC-595: Connection Reset

In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them.

CAPEC-596: TCP RST Injection

An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. The goal of this attack is to have the target and/or destination web server terminate the TCP connection.