Common Weakness Enumeration

CWE-290

Allowed

Authentication Bypass by Spoofing

Abstraction: Base · Status: Incomplete

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

925 vulnerabilities reference this CWE, most recent first.

GHSA-R65X-2HQR-J5HF

Vulnerability from github – Published: 2026-03-03 00:40 – Updated: 2026-03-20 21:12
VLAI
Summary
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
Details

Summary

A paired node device could reconnect with spoofed platform/deviceFamily metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.25
  • Latest published version at update time: 2026.2.25
  • Patched version (pre-set for next release): 2026.2.26

Impact

In configurations where node command policy differs by platform, an attacker with an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the originally paired platform.

Fix

  • Add device-auth payload v3 that signs normalized platform and deviceFamily.
  • Verify v3 first (fallback to v2 for compatibility), while pinning paired metadata server-side.
  • Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata.
  • Add regression coverage for reconnect spoof attempts.

Fix Commit(s)

  • 7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a

Release Process Note

patched_versions is pre-set to the planned next release 2026.2.26; once that npm release is published, the advisory can be published without further field edits.

OpenClaw thanks @76embiid21 for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.25"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T00:40:12Z",
    "nvd_published_at": "2026-03-19T22:16:34Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA paired node device could reconnect with spoofed `platform`/`deviceFamily` metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.25`\n- Latest published version at update time: `2026.2.25`\n- Patched version (pre-set for next release): `2026.2.26`\n\n## Impact\n\nIn configurations where node command policy differs by platform, an attacker with an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the originally paired platform.\n\n## Fix\n\n- Add device-auth payload `v3` that signs normalized `platform` and `deviceFamily`.\n- Verify `v3` first (fallback to `v2` for compatibility), while pinning paired metadata server-side.\n- Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata.\n- Add regression coverage for reconnect spoof attempts.\n\n## Fix Commit(s)\n\n- `7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release `2026.2.26`; once that npm release is published, the advisory can be published without further field edits.\n\nOpenClaw thanks @76embiid21 for reporting.",
  "id": "GHSA-r65x-2hqr-j5hf",
  "modified": "2026-03-20T21:12:24Z",
  "published": "2026-03-03T00:40:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32014"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy"
}

GHSA-R6RX-QWWM-WC39

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2025-01-03 00:31
VLAI
Details

Windows CryptoAPI Spoofing Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-11T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows CryptoAPI Spoofing Vulnerability.",
  "id": "GHSA-r6rx-qwwm-wc39",
  "modified": "2025-01-03T00:31:05Z",
  "published": "2022-10-12T12:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34689"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34689"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34689"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6XH-PQHR-V4XH

Vulnerability from github – Published: 2026-05-04 20:22 – Updated: 2026-05-12 13:37
VLAI
Summary
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
Details

Summary

MCP loopback owner context is derived from server-issued bearer tokens.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.21
  • Fixed version: 2026.4.22

Impact

The loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations.

Fix

The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted.

Fix Commit(s)

  • 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19

Verification

  • The fix commit is contained in the public v2026.4.22 tag.
  • openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
  • Focused regression coverage for this path passed before publication.

OpenClaw thanks @VladimirEliTokarev for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.4.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T20:22:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\nMCP loopback owner context is derived from server-issued bearer tokens.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: \u003c= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nThe loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations.\n\n## Fix\nThe MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted.\n\n## Fix Commit(s)\n- 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @VladimirEliTokarev for reporting.",
  "id": "GHSA-r6xh-pqhr-v4xh",
  "modified": "2026-05-12T13:37:11Z",
  "published": "2026-05-04T20:22:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44118"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens"
}

GHSA-R8M8-J8RP-H564

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20
VLAI
Details

A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-13T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka \"Microsoft Edge Spoofing Vulnerability.\" This affects Microsoft Edge.",
  "id": "GHSA-r8m8-j8rp-h564",
  "modified": "2022-05-13T01:20:53Z",
  "published": "2022-05-13T01:20:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8425"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8425"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105255"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041623"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCH7-F4H5-X9RJ

Vulnerability from github – Published: 2019-08-23 00:04 – Updated: 2021-08-17 21:32
VLAI
Summary
Identity Spoofing in libp2p-secio
Details

Affected versions of libp2p-secio does not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability.

Recommendation

Update to version 0.9.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "libp2p-secio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-08-22T14:56:33Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Affected versions of `libp2p-secio` does not correctly verify that the `PeerId` of `DstPeer` matches the `PeerId` discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability. \n\n\n## Recommendation\n\nUpdate to version 0.9.0 or later.",
  "id": "GHSA-rch7-f4h5-x9rj",
  "modified": "2021-08-17T21:32:42Z",
  "published": "2019-08-23T00:04:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/js-libp2p-secio/pull/95"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:libp2p-secio:20180115"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/558"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Identity Spoofing in libp2p-secio"
}

GHSA-RCH9-592X-RRW8

Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2025-11-28 18:30
VLAI
Details

The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T15:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header.",
  "id": "GHSA-rch9-592x-rrw8",
  "modified": "2025-11-28T18:30:16Z",
  "published": "2023-10-10T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30803"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/marketplace/pp/prodview-uujwjffddxzp4"
    },
    {
      "type": "WEB",
      "url": "https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/sangfor-ngaf-auth-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCJQ-RRM8-5G33

Vulnerability from github – Published: 2024-06-04 09:30 – Updated: 2025-04-03 00:31
VLAI
Details

Improper Control of Interaction Frequency vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-04T08:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Improper Control of Interaction Frequency vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.",
  "id": "GHSA-rcjq-rrm8-5g33",
  "modified": "2025-04-03T00:31:30Z",
  "published": "2024-06-04T09:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40332"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCMW-7MC7-3RJ7

Vulnerability from github – Published: 2026-04-30 20:44 – Updated: 2026-05-13 13:38
VLAI
Summary
Sentry's improper authentication on SAML SSO process allows user identity linking
Details

Impact

A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program.

The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.

Self-hosted users are only vulnerable if the following conditions are met: - They have more than one organization configured (SENTRY_SINGLE_ORGANIZATION = False). - A malicious user has existing access and permissions to modify SSO settings for another organization in their multi-organization instance.

Patches

  • Sentry SaaS: The fix was deployed in April. No action is required.
  • Self-Hosted Sentry: If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Sentry recommends upgrading to version 26.4.1 or higher.

Workarounds

User account-based two-factor authentication prevents an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf, this requires individual users to ensure 2FA has been enabled for their account.

Users can manage their two-factor authentication settings through Account Settings > Security page. For step-by-step details, please see the Sentry helpdesk article.

Resources

  • https://github.com/getsentry/sentry/pull/113720

Please note that this is distinct vulnerability from the similar https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w from 2025.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 26.4.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "sentry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.12.0"
            },
            {
              "fixed": "26.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T20:44:24Z",
    "nvd_published_at": "2026-05-08T23:16:38Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry\u0027s private bug bounty program.\n\nThe vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.\n\nSelf-hosted users are only vulnerable if the following conditions are met:\n- They have more than one organization configured (SENTRY_SINGLE_ORGANIZATION = False).\n- A malicious user has existing access and permissions to modify SSO settings for another organization in their multi-organization instance. \n\n### Patches\n- [Sentry SaaS](https://sentry.io/): The fix was deployed in April. No action is required.\n- [Self-Hosted Sentry](https://github.com/getsentry/self-hosted): If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Sentry recommends upgrading to version 26.4.1 or higher.\n\n### Workarounds\nUser account-based two-factor authentication prevents an attacker from being able to complete authentication with a victim\u0027s user account. Organization administrators cannot do this on a user\u0027s behalf, this requires individual users to ensure 2FA has been enabled for their account.\n\nUsers can manage their two-factor authentication settings through Account Settings \u003e [Security](https://sentry.io/settings/account/security/) page. For step-by-step details, please see the Sentry [helpdesk article](https://sentry.zendesk.com/hc/en-us/articles/46773315774235-How-do-I-enable-two-factor-authentication-2FA-on-my-Sentry-account).\n\n### Resources\n\n- https://github.com/getsentry/sentry/pull/113720 \n\nPlease note that this is distinct vulnerability from the similar https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w from 2025.",
  "id": "GHSA-rcmw-7mc7-3rj7",
  "modified": "2026-05-13T13:38:32Z",
  "published": "2026-04-30T20:44:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-rcmw-7mc7-3rj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42354"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/pull/113720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/commit/0c67558ae7fe08738912d4c5233b53ead048da3b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/releases/tag/26.4.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sentry\u0027s improper authentication on SAML SSO process allows user identity linking"
}

GHSA-RG2M-7V6J-W3WQ

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00
VLAI
Details

The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.",
  "id": "GHSA-rg2m-7v6j-w3wq",
  "modified": "2022-07-07T00:00:29Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1745"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG69-33G2-MP48

Vulnerability from github – Published: 2025-05-14 18:30 – Updated: 2025-11-03 21:33
VLAI
Details

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-14T17:15:48Z",
    "severity": "HIGH"
  },
  "details": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name  \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird \u003c 128.10.1 and Thunderbird \u003c 138.0.1.",
  "id": "GHSA-rg69-33g2-mp48",
  "modified": "2025-11-03T21:33:54Z",
  "published": "2025-05-14T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3875"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-34"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-21: Exploitation of Trusted Identifiers

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness

An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.

CAPEC-473: Signature Spoof

An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

CAPEC-476: Signature Spoofing by Misrepresentation

An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-667: Bluetooth Impersonation AttackS (BIAS)

An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.