CWE-648
AllowedIncorrect Use of Privileged APIs
Abstraction: Base · Status: Incomplete
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
113 vulnerabilities reference this CWE, most recent first.
GHSA-MQ5Q-GPGV-PWXW
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:41In usememos/memos 0.9.0 and prior, a user can archive any private memos, delete any shortcut, and edit any shortcut from other users via API.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4805"
],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T19:58:45Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "In usememos/memos 0.9.0 and prior, a user can archive any private memos, delete any shortcut, and edit any shortcut from other users via API.",
"id": "GHSA-mq5q-gpgv-pwxw",
"modified": "2023-01-10T15:41:58Z",
"published": "2022-12-28T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4805"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/b03f6a9b-e49b-42d6-a318-1d7afd985873"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos Incorrect Use of Privileged APIs vulnerability"
}
GHSA-P76J-345F-QXPW
Vulnerability from github – Published: 2025-02-11 09:30 – Updated: 2025-07-02 18:30In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.
{
"affected": [],
"aliases": [
"CVE-2025-0589"
],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T09:15:09Z",
"severity": "MODERATE"
},
"details": "In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.",
"id": "GHSA-p76j-345f-qxpw",
"modified": "2025-07-02T18:30:21Z",
"published": "2025-02-11T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0589"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2025/sa2025-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P7QM-4248-G65P
Vulnerability from github – Published: 2026-04-16 21:31 – Updated: 2026-06-30 03:36Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2025-54502"
],
"database_specific": {
"cwe_ids": [
"CWE-648",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T20:16:37Z",
"severity": "HIGH"
},
"details": "Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution.",
"id": "GHSA-p7qm-4248-g65p",
"modified": "2026-06-30T03:36:17Z",
"published": "2026-04-16T21:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54502"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-54502"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459023"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-54502.json"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-7054.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PM44-X5X7-24C4
Vulnerability from github – Published: 2026-02-09 12:30 – Updated: 2026-06-05 14:25Vulnerability Overview
An authorization bypass vulnerability exists in Apache Airflow that allows authenticated users to access task execution logs without the required permissions.
The Flaw
The vulnerability affects environments using custom roles or granular permission settings. Normally, Airflow allows administrators to separate "Task" access (viewing the task state) from "Task Log" access (viewing the console output/logs).
In affected versions, the permission check for retrieving logs is insufficient. An authenticated user who has been granted access to view Tasks can successfully request and view Task Logs, even if they do not have the specific can_read permission for Logs.
Impact
- Confidentiality Loss: Task logs often contain sensitive operational data, debugging information, or potentially leaked secrets (environment variables, connection strings) that should not be visible to all users with basic task access.
- Broken Access Control: This bypasses the intended security model for restricted user roles.
Affected Versions
- Apache Airflow 3.1.0 through 3.1.6
Patches
Users should upgrade to Apache Airflow 3.1.7 or later, which enforces the correct permission checks for log access.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22922"
],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-11T21:40:06Z",
"nvd_published_at": "2026-02-09T11:16:13Z",
"severity": "MODERATE"
},
"details": "## Vulnerability Overview\n\nAn authorization bypass vulnerability exists in Apache Airflow that allows authenticated users to access task execution logs without the required permissions.\n\n## The Flaw\n\nThe vulnerability affects environments using custom roles or granular permission settings. Normally, Airflow allows administrators to separate \"Task\" access (viewing the task state) from \"Task Log\" access (viewing the console output/logs).\n\nIn affected versions, the permission check for retrieving logs is insufficient. An authenticated user who has been granted access to view Tasks can successfully request and view Task Logs, even if they do not have the specific `can_read` permission for Logs.\n\n## Impact\n\n- **Confidentiality Loss:** Task logs often contain sensitive operational data, debugging information, or potentially leaked secrets (environment variables, connection strings) that should not be visible to all users with basic task access.\n- **Broken Access Control:** This bypasses the intended security model for restricted user roles.\n\n## Affected Versions\n\n- Apache Airflow 3.1.0 through 3.1.6\n\n## Patches\n\nUsers should upgrade to Apache Airflow **3.1.7** or later, which enforces the correct permission checks for log access.",
"id": "GHSA-pm44-x5x7-24c4",
"modified": "2026-06-05T14:25:20Z",
"published": "2026-02-09T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22922"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/60412"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-11.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/gdb7vffhpmrj5hp1j0oj1j13o4vmsq40"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/02/09/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow Has an Authorization Bypass That Allows Unauthorized Task Log Access"
}
GHSA-PWFV-3CVG-9M4C
Vulnerability from github – Published: 2023-04-12 20:36 – Updated: 2025-02-06 20:02Impact
The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. Example of such attack:
{{velocity}}
$doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}')
$doc.authors.setContentAuthor('xwiki:XWiki.superadmin')
$doc.getRenderedContent()
{{/velocity}}
Patches
The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
Workarounds
There no easy workaround apart of upgrading.
References
- https://jira.xwiki.org/browse/XWIKI-20380
- https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira * Email us at security ML
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "14.4.1"
},
{
"fixed": "14.4.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29507"
],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-12T20:36:28Z",
"nvd_published_at": "2023-04-16T07:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. \nExample of such attack:\n\n```\n{{velocity}}\n$doc.setContent(\u0027{{velocity}}$xcontext.context.authorReference{{/velocity}}\u0027)\n$doc.authors.setContentAuthor(\u0027xwiki:XWiki.superadmin\u0027)\n$doc.getRenderedContent()\n{{/velocity}}\n```\n\n### Patches\nThe problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.\n\n### Workarounds\nThere no easy workaround apart of upgrading. \n\n### References\n\n * https://jira.xwiki.org/browse/XWIKI-20380\n * https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira](https://jira.xwiki.org)\n* Email us at [security ML](mailto:security@xwiki.org)",
"id": "GHSA-pwfv-3cvg-9m4c",
"modified": "2025-02-06T20:02:23Z",
"published": "2023-04-12T20:36:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29507"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20380"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors"
}
GHSA-Q58C-X76H-3JHC
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:52A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
{
"affected": [],
"aliases": [
"CVE-2019-14811"
],
"database_specific": {
"cwe_ids": [
"CWE-648",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-03T16:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"id": "GHSA-q58c-x76h-3jhc",
"modified": "2024-04-04T01:52:35Z",
"published": "2022-05-24T16:55:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:2824"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2594"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Sep/15"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202004-03"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4518"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3V5-2GRC-429H
Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 20:20Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hf68-49fm-59cq. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T20:20:07Z",
"nvd_published_at": "2026-04-09T22:16:33Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hf68-49fm-59cq. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.",
"id": "GHSA-r3v5-2grc-429h",
"modified": "2026-04-10T20:20:07Z",
"published": "2026-04-10T00:30:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35639"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve",
"withdrawn": "2026-04-10T20:20:07Z"
}
GHSA-R734-GFR8-7QJ8
Vulnerability from github – Published: 2025-04-17 15:32 – Updated: 2025-04-17 15:32Incorrect Use of Privileged APIs vulnerability in OpenText™ Operations Bridge Manager, OpenText™ Operations Bridge Suite (Containerized), OpenText™ UCMDB ( Classic and Containerized) allows Privilege Escalation.
The vulnerability could allow authenticated attackers to elevate user privileges. This issue affects Operations Bridge Manager: through 2021.05; Operations Bridge Suite (Containerized): through 2021.05; UCMDB ( Classic and Containerized): through 2021.05.
{
"affected": [],
"aliases": [
"CVE-2022-26323"
],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T15:15:45Z",
"severity": "HIGH"
},
"details": "Incorrect Use of Privileged APIs vulnerability in OpenText\u2122 Operations Bridge Manager, OpenText\u2122 Operations Bridge Suite (Containerized), OpenText\u2122 UCMDB ( Classic and Containerized) allows Privilege Escalation.\u00a0\n\nThe vulnerability could allow\u00a0authenticated attackers\u00a0to elevate user privileges.\u00a0This issue affects Operations Bridge Manager: through 2021.05; Operations Bridge Suite (Containerized): through 2021.05; UCMDB ( Classic and Containerized): through 2021.05.",
"id": "GHSA-r734-gfr8-7qj8",
"modified": "2025-04-17T15:32:36Z",
"published": "2025-04-17T15:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26323"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000039040?language=en_US"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000039044?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-R95W-889Q-X2GX
Vulnerability from github – Published: 2024-09-18 14:26 – Updated: 2024-11-18 16:27Impact
It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1.
Patches
The vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists in checking properly the rights of the user before performing any action on the filters.
Workarounds
It's possible to fix manually the vulnerability by editing the document XWiki.Notifications.Code.NotificationPreferenceService to apply the changes performed in this commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.
References
- JIRA ticket: https://jira.xwiki.org/browse/XWIKI-20337
- Commit: e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
Attribution
This vulnerability has been reported on Intigriti by @floerer
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-ui"
},
"ranges": [
{
"events": [
{
"introduced": "13.2-rc-1"
},
{
"fixed": "14.10.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.6-rc-1"
},
{
"fixed": "15.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-46978"
],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-18T14:26:16Z",
"nvd_published_at": "2024-09-18T18:15:06Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIt\u0027s possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this.\nThis vulnerability is present in XWiki since 13.2-rc-1. \n\n### Patches\n\nThe vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists in checking properly the rights of the user before performing any action on the filters. \n\n### Workarounds\n\nIt\u0027s possible to fix manually the vulnerability by editing the document `XWiki.Notifications.Code.NotificationPreferenceService` to apply the changes performed in this commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.\n\n### References\n\n * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-20337\n * Commit: e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThis vulnerability has been reported on Intigriti by @floerer",
"id": "GHSA-r95w-889q-x2gx",
"modified": "2024-11-18T16:27:14Z",
"published": "2024-09-18T14:26:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46978"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/4771573dac88e0cf04e30f1a8dfa183c048d503a"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/99193a7e9a203b5bb8b2583ac96f5f4d56b9aa1a"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/b9180b874a22e383ad5f2cd9e25bfed4594d4955"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20337"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "org.xwiki.platform:xwiki-platform-notifications-ui is missing checks for notification filter preferences editions"
}
GHSA-RV26-4V2M-CH64
Vulnerability from github – Published: 2025-01-31 09:31 – Updated: 2025-01-31 09:31Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call.
{
"affected": [],
"aliases": [
"CVE-2024-53007"
],
"database_specific": {
"cwe_ids": [
"CWE-648"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-31T08:15:08Z",
"severity": "MODERATE"
},
"details": "Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call.",
"id": "GHSA-rv26-4v2m-ch64",
"modified": "2025-01-31T09:31:49Z",
"published": "2025-01-31T09:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53007"
},
{
"type": "WEB",
"url": "https://www.bentley.com/advisories/be-2024-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call.
Mitigation
Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely.
Mitigation
If privileged APIs make certain assumptions about data, context or state validity that are passed by the caller, the calling code must ensure that these assumptions have been validated prior to making the call.
Mitigation
If privileged APIs do not shed their privilege prior to returning to the calling code, then calling code needs to shed these privileges immediately and safely right after the call to the privileged APIs. In particular, the calling code needs to ensure that a privileged thread of execution will never be returned to the user or made available to user-controlled processes.
Mitigation
Only call privileged APIs from safe, consistent and expected state.
Mitigation
Ensure that a failure or an error will not leave a system in a state where privileges are not properly shed and privilege escalation is possible (i.e. fail securely with regards to handling of privileges).
CAPEC-107: Cross Site Tracing
Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.
CAPEC-234: Hijacking a privileged process
An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code.