Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5966 vulnerabilities reference this CWE, most recent first.

GHSA-CFJQ-28R2-4JV5

Vulnerability from github – Published: 2025-10-29 22:21 – Updated: 2025-11-05 22:14
VLAI
Summary
Zitadel May Bypass Second Authentication Factor
Details

Summary

A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified.

Impact

Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens are issued for active sessions, which can be used as Bearer tokens to call the Zitadel API.

Starting from 2.55.0 (see other affected versions below), Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors.

Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled.

Affected Versions

Systems using the session API (v2 beta and v2) directly or via the new login UI in the following versions are affected: - 4.x: 4.0.0 to 4.5.0 (including RC versions) - 3.x: 3.0.0 to 3.4.2 (including RC versions) - 2.x: v2.53.6 to v2.53.9, v2.54.3 to v2.54.10, 2.55.0 to 2.71.17

Patches

The vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring a configured second factor regardless of the login policies requireMFA or requireMFAForLocalUsers configuration.

4.x: Upgrade to >=4.6.0 3.x: Update to >=3.4.3 2.x: Update to >=2.71.18

Workarounds

The recommended solution is to update Zitadel to a patched version.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

This vulnerability was found by zentrust partners GmbH during a scheduled penetration test. Thank you to the analysts Martin Tschirsich, Joud Zakharia, Christopher Baumann. The full report will be made public after the complete review.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.53.6"
            },
            {
              "last_affected": "2.53.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.54.3"
            },
            {
              "last_affected": "2.54.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.71.17"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.55.0"
            },
            {
              "fixed": "2.71.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.80.0-v2.20.0.20251029091250-b284f8474eed"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-308"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T22:21:27Z",
    "nvd_published_at": "2025-10-29T19:15:39Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA vulnerability in Zitadel\u0027s token verification prematurely marked sessions as authenticated when only one factor was verified. \n\n### Impact\n\nZitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens are issued for active sessions, which can be used as Bearer tokens to call the Zitadel API.\n\nStarting from 2.55.0 (see other affected versions below), Zitadel only required multi factor authentication in case the login policy has either enabled `requireMFA` or `requireMFAForLocalUsers`. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors.\n\nBypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled.\n\n### Affected Versions\n\nSystems using the session API (v2 beta and v2) directly or via the new login UI in the following versions are affected:\n- **4.x**: `4.0.0` to `4.5.0` (including RC versions)\n- **3.x**: `3.0.0` to `3.4.2` (including RC versions)\n- **2.x**: `v2.53.6` to `v2.53.9`,  `v2.54.3` to `v2.54.10`, `2.55.0` to `2.71.17`\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by requiring a configured second factor regardless of the login policies `requireMFA` or `requireMFAForLocalUsers` configuration.\n\n4.x: Upgrade to \u003e=[4.6.0](https://github.com/zitadel/zitadel/releases/tag/v4.6.0)\n3.x: Update to \u003e=[3.4.3](https://github.com/zitadel/zitadel/releases/tag/v3.4.3)\n2.x: Update to \u003e=[2.71.18](https://github.com/zitadel/zitadel/releases/tag/v2.71.18)\n\n### Workarounds\n\nThe recommended solution is to update Zitadel to a patched version.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThis vulnerability was found by [zentrust partners GmbH](https://zentrust.partners) during a scheduled penetration test. Thank you to the analysts Martin Tschirsich, Joud Zakharia, Christopher Baumann.\nThe full report will be made public after the complete review.",
  "id": "GHSA-cfjq-28r2-4jv5",
  "modified": "2025-11-05T22:14:13Z",
  "published": "2025-10-29T22:21:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-cfjq-28r2-4jv5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/b284f8474eed0cba531905101619e7ae7963156b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zitadel May Bypass Second Authentication Factor"
}

GHSA-CFMJ-7RV7-V356

Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2023-12-21 21:30
VLAI
Details

An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterprise Server since 3.9 and was fixed in version 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-21T21:15:15Z",
    "severity": "HIGH"
  },
  "details": "An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterprise Server since 3.9 and was fixed in version 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.\n",
  "id": "GHSA-cfmj-7rv7-v356",
  "modified": "2023-12-21T21:30:32Z",
  "published": "2023-12-21T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6847"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CFPH-4QQH-W828

Vulnerability from github – Published: 2024-01-03 21:24 – Updated: 2024-01-03 21:24
VLAI
Summary
Arbitrary remote file read in Wrangler dev server
Details

Impact

Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file.

Patches

This issue was fixed in wrangler@3.19.0. Wrangler will now only serve files that are part of your bundle, or referenced by your bundle's source maps.

Workarounds

Configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1. This is the default as of wrangler@3.16.0, and removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References

  • https://github.com/cloudflare/workers-sdk/pull/4532
  • https://github.com/cloudflare/workers-sdk/pull/4535
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "wrangler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-7079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-03T21:24:56Z",
    "nvd_published_at": "2023-12-29T12:15:47Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nSending specially crafted HTTP requests and inspector messages to Wrangler\u0027s dev server could result in any file on the user\u0027s computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file.\n\n### Patches\nThis issue was fixed in `wrangler@3.19.0`. Wrangler will now only serve files that are part of your bundle, or referenced by your bundle\u0027s source maps.\n\n### Workarounds\nConfigure Wrangler to listen on local interfaces instead with `wrangler dev --ip 127.0.0.1`. This is the [default as of `wrangler@3.16.0`](https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf), and removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.\n\n### References\n- https://github.com/cloudflare/workers-sdk/pull/4532\n- https://github.com/cloudflare/workers-sdk/pull/4535\n",
  "id": "GHSA-cfph-4qqh-w828",
  "modified": "2024-01-03T21:24:56Z",
  "published": "2024-01-03T21:24:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-cfph-4qqh-w828"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7079"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/pull/4532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/pull/4535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/commit/29df8e17545bf3926b6d61678b596be809d40c6d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-sdk/commit/311ffbd5064f8301ac6f0311bbe5630897923b93"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/workers-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary remote file read in Wrangler dev server"
}

GHSA-CFXC-8F2G-M9VP

Vulnerability from github – Published: 2022-05-14 03:15 – Updated: 2022-05-14 03:15
VLAI
Details

A flaw in the authentication mechanism in the Login Panel of router D-Link DSL-3782 (A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67") allows unauthenticated attackers to perform arbitrary modification (read, write) to passwords and configurations meanwhile an administrator is logged into the web panel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-23T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A flaw in the authentication mechanism in the Login Panel of router D-Link DSL-3782 (A1_WI_20170303 || SWVer=\"V100R001B012\" FWVer=\"3.10.0.24\" FirmVer=\"TT_77616E6771696F6E67\") allows unauthenticated attackers to perform arbitrary modification (read, write) to passwords and configurations meanwhile an administrator is logged into the web panel.",
  "id": "GHSA-cfxc-8f2g-m9vp",
  "modified": "2022-05-14T03:15:07Z",
  "published": "2022-05-14T03:15:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8898"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44657"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/147708/D-Link-DSL-3782-Authentication-Bypass.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CG23-QF8F-62RR

Vulnerability from github – Published: 2024-11-13 18:29 – Updated: 2024-11-14 23:55
VLAI
Summary
Symfony has an Authentication Bypass via RememberMe
Details

Description

When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.

Resolution

The PersistentRememberMeHandler class now ensures the submitted username is the cookie owner.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.4.47"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-BETA1"
            },
            {
              "fixed": "6.4.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-BETA1"
            },
            {
              "fixed": "7.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-13T18:29:04Z",
    "nvd_published_at": "2024-11-13T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nWhen consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.\n\n### Resolution\n\nThe `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4.\n\n### Credits\n\nWe would like to thank Moritz Rauch - Pentryx AG for reporting the issue and J\u00e9r\u00e9my Deruss\u00e9 for providing the fix.",
  "id": "GHSA-cg23-qf8f-62rr",
  "modified": "2024-11-14T23:55:43Z",
  "published": "2024-11-13T18:29:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2024-51996.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51996.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2024-51996"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony has an Authentication Bypass via RememberMe"
}

GHSA-CG2M-239P-9XHP

Vulnerability from github – Published: 2025-02-18 15:31 – Updated: 2025-02-19 21:31
VLAI
Details

A vulnerability in the Netgear DGN2200 router with firmware version v1.0.0.46 and earlier permits unauthorized individuals to bypass the authentication. When adding "?x=1.gif" to the the requested url, it will be recognized as passing the authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-18T15:15:16Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Netgear DGN2200 router with firmware version v1.0.0.46 and earlier permits unauthorized individuals to bypass the authentication. When adding \"?x=1.gif\" to the the requested url, it will be recognized as passing the authentication.",
  "id": "GHSA-cg2m-239p-9xhp",
  "modified": "2025-02-19T21:31:37Z",
  "published": "2025-02-18T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shuanunio/CVE_Requests/blob/main/Netgear/DGN2200/ACL%20bypass%20Vulnerability%20in%20Netgear%20DGN2200.md"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/about/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CG2R-QPRP-QCH8

Vulnerability from github – Published: 2022-05-02 03:19 – Updated: 2022-05-02 03:19
VLAI
Details

S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-03-10T14:30:00Z",
    "severity": "HIGH"
  },
  "details": "S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.",
  "id": "GHSA-cg2r-qprp-qch8",
  "modified": "2022-05-02T03:19:01Z",
  "published": "2022-05-02T03:19:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0864"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48805"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/8071"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/33799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CG3P-9J97-F4W2

Vulnerability from github – Published: 2022-05-17 03:34 – Updated: 2025-04-12 12:47
VLAI
Details

HP TippingPoint Security Management System (SMS) and TippingPoint Virtual Security Management System (vSMS) before 4.1 patch 3 and 4.2 before patch 1 do not require authentication for JBoss RMI requests, which allows remote attackers to execute arbitrary code by (1) uploading this code within an archive or (2) instantiating a class.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-2117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-04-27T12:59:00Z",
    "severity": "HIGH"
  },
  "details": "HP TippingPoint Security Management System (SMS) and TippingPoint Virtual Security Management System (vSMS) before 4.1 patch 3 and 4.2 before patch 1 do not require authentication for JBoss RMI requests, which allows remote attackers to execute arbitrary code by (1) uploading this code within an archive or (2) instantiating a class.",
  "id": "GHSA-cg3p-9j97-f4w2",
  "modified": "2025-04-12T12:47:33Z",
  "published": "2022-05-17T03:34:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2117"
    },
    {
      "type": "WEB",
      "url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04626974"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/74285"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1032187"
    },
    {
      "type": "WEB",
      "url": "http://zerodayinitiative.com/advisories/ZDI-15-154"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CG43-3Q5J-MWP7

Vulnerability from github – Published: 2025-02-07 18:31 – Updated: 2025-02-07 18:31
VLAI
Details

A vulnerability has been found in D-Link DHP-W310AV 1.04 and classified as critical. This vulnerability affects unknown code. The manipulation leads to authentication bypass by spoofing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-07T17:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in D-Link DHP-W310AV 1.04 and classified as critical. This vulnerability affects unknown code. The manipulation leads to authentication bypass by spoofing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-cg43-3q5j-mwp7",
  "modified": "2025-02-07T18:31:23Z",
  "published": "2025-02-07T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kn1g78/cve/blob/main/dlink.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.294934"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.294934"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.489958"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CG57-5MXP-25JG

Vulnerability from github – Published: 2022-05-02 03:31 – Updated: 2022-05-02 03:31
VLAI
Details

Mozilla Firefox 3.0.10, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-06-15T19:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Mozilla Firefox 3.0.10, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site\u0027s context, by modifying an http page to include an https iframe that references a script file on an http site, related to \"HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages.\"",
  "id": "GHSA-cg57-5mxp-25jg",
  "modified": "2022-05-02T03:31:16Z",
  "published": "2022-05-02T03:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2065"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51189"
    },
    {
      "type": "WEB",
      "url": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323"
    },
    {
      "type": "WEB",
      "url": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35403"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.