CWE-306
AllowedMissing Authentication for Critical Function
Abstraction: Base · Status: Draft
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
3450 vulnerabilities reference this CWE, most recent first.
GHSA-VHPF-RH57-X3V9
Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2025-10-22 00:32Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).
{
"affected": [],
"aliases": [
"CVE-2022-26501"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-17T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Veeam Backup \u0026 Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).",
"id": "GHSA-vhpf-rh57-x3v9",
"modified": "2025-10-22T00:32:30Z",
"published": "2022-03-18T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26501"
},
{
"type": "WEB",
"url": "https://veeam.com"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26501"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb4288"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VHQ6-X73F-HJJX
Vulnerability from github – Published: 2026-06-16 15:33 – Updated: 2026-06-16 15:33An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication being required. If exploited, this could lead to unauthorized access, account takeover, and loss of the device’s embedded web server’s availability.
{
"affected": [],
"aliases": [
"CVE-2026-0647"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T15:16:33Z",
"severity": "HIGH"
},
"details": "An improper authentication security issue exists within the 1794-AENTR adapter\u0027s embedded web server. The vulnerability allows an unauthenticated attacker to change the device\u0027s web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication being\u00a0required. If exploited, this could lead to unauthorized access, account takeover, and loss of\u00a0the\u00a0device\u2019s embedded web server\u2019s\u00a0availability.",
"id": "GHSA-vhq6-x73f-hjjx",
"modified": "2026-06-16T15:33:51Z",
"published": "2026-06-16T15:33:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0647"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1775.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VHRM-3GMW-7RPC
Vulnerability from github – Published: 2023-05-23 21:30 – Updated: 2024-04-04 04:18Missing Authentication for critical function vulnerability in HYPR Server allows Authentication Bypass when using Legacy APIs.This issue affects HYPR Server: before 8.0 (with enabled Legacy APIs)
{
"affected": [],
"aliases": [
"CVE-2023-1837"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-23T19:15:09Z",
"severity": "HIGH"
},
"details": "Missing Authentication for critical function vulnerability in HYPR Server allows Authentication Bypass when using Legacy APIs.This issue affects HYPR Server: before 8.0 (with enabled Legacy APIs)\n\n",
"id": "GHSA-vhrm-3gmw-7rpc",
"modified": "2024-04-04T04:18:57Z",
"published": "2023-05-23T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1837"
},
{
"type": "WEB",
"url": "https://www.hypr.com/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ24-J7X3-73CW
Vulnerability from github – Published: 2024-10-24 18:30 – Updated: 2024-10-25 21:31Incorrect access control in Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 allows attackers to access the SSH protocol without authentication.
{
"affected": [],
"aliases": [
"CVE-2024-48442"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-24T18:15:09Z",
"severity": "MODERATE"
},
"details": "Incorrect access control in Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 allows attackers to access the SSH protocol without authentication.",
"id": "GHSA-vj24-j7x3-73cw",
"modified": "2024-10-25T21:31:27Z",
"published": "2024-10-24T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48442"
},
{
"type": "WEB",
"url": "https://medium.com/%40sengkyaut/unauthenticated-factory-mode-reset-and-at-command-injection-in-jboneos-or-jbonecloud-firmware-1dec156b7ddd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ73-R662-H884
Vulnerability from github – Published: 2023-04-27 03:30 – Updated: 2024-04-04 03:42Moxa MiiNePort E1 has a vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to perform arbitrary system operation or disrupt service.
{
"affected": [],
"aliases": [
"CVE-2023-28697"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-27T02:15:09Z",
"severity": "CRITICAL"
},
"details": "Moxa MiiNePort E1 has a vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to perform arbitrary system operation or disrupt service.",
"id": "GHSA-vj73-r662-h884",
"modified": "2024-04-04T03:42:40Z",
"published": "2023-04-27T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28697"
},
{
"type": "WEB",
"url": "https://cdn-cms.azureedge.net/Moxa/media/PDIM/S100000223/MiiNePort%20E1%20Series_moxa-miineport-e1-series-firmware-v1.9.rom_Software%20Release%20History.pdf"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7021-eb43a-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ77-88VG-HQ2H
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:37Honeywell equIP and Performance series IP cameras, multiple versions, A vulnerability exists where the affected product allows unauthenticated access to audio streaming over HTTP.
{
"affected": [],
"aliases": [
"CVE-2019-18230"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-31T22:15:00Z",
"severity": "HIGH"
},
"details": "Honeywell equIP and Performance series IP cameras, multiple versions, A vulnerability exists where the affected product allows unauthenticated access to audio streaming over HTTP.",
"id": "GHSA-vj77-88vg-hq2h",
"modified": "2024-04-04T02:37:34Z",
"published": "2022-05-24T17:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18230"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-304-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJC7-JRH9-9J86
Vulnerability from github – Published: 2026-07-06 21:22 – Updated: 2026-07-06 21:22title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: <= 0.4.41 severity: critical cve_request: true
Summary
Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, /api/usage/stats exposes full plaintext API keys, and /api/usage/request-logs + /api/usage/request-details expose all users' request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication.
Affected Endpoints
| Endpoint | Method | Issue |
|---|---|---|
/api/providers |
GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs |
/api/providers/:id |
GET | Read any single provider detail (IDOR) |
/api/providers |
POST | Create arbitrary provider connections with attacker-controlled API keys |
/api/providers/:id |
PUT | Modify any existing provider connection |
/api/providers/:id |
DELETE | Delete any provider connection |
/api/usage/stats |
GET | Exposes full plaintext API keys, per-account usage breakdown, cost data |
/api/usage/request-logs |
GET | Exposes all users' request logs (model, tokens, cost, timestamp, provider) |
/api/usage/request-details/:id |
GET | Exposes full conversation turns including system prompts, user messages, assistant responses |
/api/version |
GET | Exposes current version info |
/api/models |
GET | Exposes full model routing catalog |
/api/v1/models |
GET | Exposes model list |
Impact
Critical: Provider CRUD without authentication
An attacker can: 1. Add a malicious provider — inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router 2. Modify existing providers — replace API keys with attacker-controlled ones, redirect traffic 3. Delete all providers — cause complete denial of service 4. Read all provider configurations — harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses
Critical: Full API key leak via /api/usage/stats
The endpoint returns complete API key strings (e.g., sk-...) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts.
Critical: Conversation history leak
/api/usage/request-details returns the full conversation history of other users' AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces.
Steps to Reproduce
1. Unauthenticated read of all providers
curl -s https://<host>/api/providers
Returns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes.
2. Create a provider without authentication
curl -X POST https://<host>/api/providers \
-H "Content-Type: application/json" \
-d '{"provider":"openai","authType":"apikey","name":"rogue","apiKey":"sk-attacker-controlled"}'
Returns the created connection object with a new UUID and isActive: true.
3. Modify an existing provider without authentication
curl -X PUT https://<host>/api/providers/<existing-uuid> \
-H "Content-Type: application/json" \
-d '{"name":"modified","apiKey":"sk-attacker-key"}'
Returns the updated connection object.
4. Delete a provider without authentication
curl -X DELETE https://<host>/api/providers/<existing-uuid>
Returns {"message":"Connection deleted successfully"}.
5. Read full usage stats with API keys
curl -s https://<host>/api/usage/stats
Returns full API key strings, per-account token/cost breakdown, recent requests.
6. Read request logs
curl -s "https://<host>/api/usage/request-logs?page=1&pageSize=50"
Returns paginated request logs with timestamps, models, providers, user emails, token counts.
7. Read full conversation
curl -s https://<host>/api/usage/request-details/<request-uuid>
Returns complete conversation turns for that request.
8. Read version info
curl -s https://<host>/api/version
Returns {"currentVersion":"0.4.19","latestVersion":"0.4.45","hasUpdate":true}.
Root Cause
The Next.js API routes under src/app/api/* lack authentication middleware on several endpoints. Specifically:
/api/providers/*— No auth check before CRUD operations on provider connections stored in the database/api/usage/stats— No auth check before returning aggregated usage data including full API keys/api/usage/request-logs— No auth check before returning request history/api/usage/request-details/:id— No auth check before returning full conversation contents
Suggested Fix
- Add authentication middleware to all
/api/providers/*routes (GET, POST, PUT, DELETE) - Add authentication middleware to all
/api/usage/*routes - Never return full API key strings in any API response — return masked keys only
- Never return GitHub Copilot tokens or similar OAuth secrets in API responses
- Implement proper authorization checks so users can only access their own data
- Add rate limiting to public endpoints
Resources
- https://github.com/decolua/9router
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "9router"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.41"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-306",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:22:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "---\ntitle: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats\nproduct: 9Router\nversion: \u003c= 0.4.41\nseverity: critical\ncve_request: true\n---\n\n## Summary\n\nMultiple critical API security vulnerabilities were discovered in 9Router\u0027s Next.js dashboard. The `/api/providers` endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, `/api/usage/stats` exposes full plaintext API keys, and `/api/usage/request-logs` + `/api/usage/request-details` expose all users\u0027 request history and full conversation contents (including system prompts, user messages, assistant responses) without authentication.\n\n## Affected Endpoints\n\n| Endpoint | Method | Issue |\n|---|---|---|\n| `/api/providers` | GET | Lists all provider connections with partial credentials, OAuth tokens, account IDs |\n| `/api/providers/:id` | GET | Read any single provider detail (IDOR) |\n| `/api/providers` | POST | Create arbitrary provider connections with attacker-controlled API keys |\n| `/api/providers/:id` | PUT | Modify any existing provider connection |\n| `/api/providers/:id` | DELETE | Delete any provider connection |\n| `/api/usage/stats` | GET | Exposes full plaintext API keys, per-account usage breakdown, cost data |\n| `/api/usage/request-logs` | GET | Exposes all users\u0027 request logs (model, tokens, cost, timestamp, provider) |\n| `/api/usage/request-details/:id` | GET | Exposes full conversation turns including system prompts, user messages, assistant responses |\n| `/api/version` | GET | Exposes current version info |\n| `/api/models` | GET | Exposes full model routing catalog |\n| `/api/v1/models` | GET | Exposes model list |\n\n## Impact\n\n### Critical: Provider CRUD without authentication\n\nAn attacker can:\n1. **Add a malicious provider** \u2014 inject a provider that proxies through their server, capturing all prompts, responses, and API keys routed through 9Router\n2. **Modify existing providers** \u2014 replace API keys with attacker-controlled ones, redirect traffic\n3. **Delete all providers** \u2014 cause complete denial of service\n4. **Read all provider configurations** \u2014 harvest partial credentials, GitHub Copilot OAuth tokens, Cloudflare account IDs, email addresses\n\n### Critical: Full API key leak via /api/usage/stats\n\nThe endpoint returns complete API key strings (e.g., `sk-...`) in plaintext alongside usage data per key, enabling unauthorized use of connected AI provider accounts.\n\n### Critical: Conversation history leak\n\n`/api/usage/request-details` returns the full conversation history of other users\u0027 AI sessions, including system prompts, user messages, assistant responses, tool calls, and reasoning traces.\n\n## Steps to Reproduce\n\n### 1. Unauthenticated read of all providers\n\n```bash\ncurl -s https://\u003chost\u003e/api/providers\n```\n\nReturns all provider connections with email addresses, auth type, account IDs, and partial API key prefixes.\n\n### 2. Create a provider without authentication\n\n```bash\ncurl -X POST https://\u003chost\u003e/api/providers \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"provider\":\"openai\",\"authType\":\"apikey\",\"name\":\"rogue\",\"apiKey\":\"sk-attacker-controlled\"}\u0027\n```\n\nReturns the created connection object with a new UUID and `isActive: true`.\n\n### 3. Modify an existing provider without authentication\n\n```bash\ncurl -X PUT https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"name\":\"modified\",\"apiKey\":\"sk-attacker-key\"}\u0027\n```\n\nReturns the updated connection object.\n\n### 4. Delete a provider without authentication\n\n```bash\ncurl -X DELETE https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e\n```\n\nReturns `{\"message\":\"Connection deleted successfully\"}`.\n\n### 5. Read full usage stats with API keys\n\n```bash\ncurl -s https://\u003chost\u003e/api/usage/stats\n```\n\nReturns full API key strings, per-account token/cost breakdown, recent requests.\n\n### 6. Read request logs\n\n```bash\ncurl -s \"https://\u003chost\u003e/api/usage/request-logs?page=1\u0026pageSize=50\"\n```\n\nReturns paginated request logs with timestamps, models, providers, user emails, token counts.\n\n### 7. Read full conversation\n\n```bash\ncurl -s https://\u003chost\u003e/api/usage/request-details/\u003crequest-uuid\u003e\n```\n\nReturns complete conversation turns for that request.\n\n### 8. Read version info\n\n```bash\ncurl -s https://\u003chost\u003e/api/version\n```\n\nReturns `{\"currentVersion\":\"0.4.19\",\"latestVersion\":\"0.4.45\",\"hasUpdate\":true}`.\n\n## Root Cause\n\nThe Next.js API routes under `src/app/api/*` lack authentication middleware on several endpoints. Specifically:\n\n- `/api/providers/*` \u2014 No auth check before CRUD operations on provider connections stored in the database\n- `/api/usage/stats` \u2014 No auth check before returning aggregated usage data including full API keys\n- `/api/usage/request-logs` \u2014 No auth check before returning request history\n- `/api/usage/request-details/:id` \u2014 No auth check before returning full conversation contents\n\n## Suggested Fix\n\n1. Add authentication middleware to all `/api/providers/*` routes (GET, POST, PUT, DELETE)\n2. Add authentication middleware to all `/api/usage/*` routes\n3. Never return full API key strings in any API response \u2014 return masked keys only\n4. Never return GitHub Copilot tokens or similar OAuth secrets in API responses\n5. Implement proper authorization checks so users can only access their own data\n6. Add rate limiting to public endpoints\n\n## Resources\n\n- https://github.com/decolua/9router",
"id": "GHSA-vjc7-jrh9-9j86",
"modified": "2026-07-06T21:22:10Z",
"published": "2026-07-06T21:22:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
},
{
"type": "PACKAGE",
"url": "https://github.com/decolua/9router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats"
}
GHSA-VJH7-5R6X-XH6G
Vulnerability from github – Published: 2023-07-17 14:36 – Updated: 2024-12-12 22:29Impact
Unauthenticated attackers can execute arbitrary commands as root on CasaOS instances.
Patches
The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.
Workarounds
Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
References
- 391dd7f
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/IceWhaleTech/CasaOS-Gateway"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37265"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-348"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-17T14:36:09Z",
"nvd_published_at": "2023-07-17T21:15:09Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nUnauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances.\n\n### Patches\n\nThe problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.\n\n### Workarounds\n\nUsers should upgrade to CasaOS 0.4.4. If they can\u0027t, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. \n\n### References\n\n- 391dd7f\n- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/",
"id": "GHSA-vjh7-5r6x-xh6g",
"modified": "2024-12-12T22:29:30Z",
"published": "2023-07-17T14:36:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37265"
},
{
"type": "WEB",
"url": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/IceWhaleTech/CasaOS-Gateway"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1932"
},
{
"type": "WEB",
"url": "https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CasaOS Gateway vulnerable to incorrect identification of source IP addresses"
}
GHSA-VJHJ-68J8-9Q56
Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root privileges access on the router. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection toward port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to login to the system via SSH or SFTP. The following products have been confirmed to be vulnerable: Cisco ASR 5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to 18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco Virtualized Packet Core - Single Instance (VPC-SI) and Distributed Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs: CSCva65853.
{
"affected": [],
"aliases": [
"CVE-2017-3819"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-15T20:59:00Z",
"severity": "HIGH"
},
"details": "A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root privileges access on the router. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection toward port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to login to the system via SSH or SFTP. The following products have been confirmed to be vulnerable: Cisco ASR 5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to 18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco Virtualized Packet Core - Single Instance (VPC-SI) and Distributed Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs: CSCva65853.",
"id": "GHSA-vjhj-68j8-9q56",
"modified": "2022-05-13T01:45:55Z",
"published": "2022-05-13T01:45:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3819"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-asr"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96913"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJP9-58V6-M6FW
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-10-31 00:30Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the enc parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.
{
"affected": [],
"aliases": [
"CVE-2021-4461"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:41Z",
"severity": "CRITICAL"
},
"details": "Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1\u00a0improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.",
"id": "GHSA-vjp9-58v6-m6fw",
"modified": "2025-10-31T00:30:32Z",
"published": "2025-10-31T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4461"
},
{
"type": "WEB",
"url": "https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml"
},
{
"type": "WEB",
"url": "https://github.com/projectdiscovery/nuclei-templates/blob/1ca6b8e6fe225cbd46dcb893dcaee01447afa8c0/http/misconfiguration/seeyon-unauth.yaml#L20"
},
{
"type": "WEB",
"url": "https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/seeyon-zhiyuan-oa-web-application-system-authentication-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
- Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
- In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
- Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
- In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].
CAPEC-12: Choosing Message Identifier
This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.
CAPEC-166: Force the System to Reset Values
An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.
CAPEC-216: Communication Channel Manipulation
An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.
CAPEC-36: Using Unpublished Interfaces or Functionality
An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
CAPEC-62: Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.