CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14602 vulnerabilities reference this CWE, most recent first.
GHSA-X7GC-R4XG-V7C2
Vulnerability from github – Published: 2024-04-29 09:31 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in Piotnet Piotnet Addons For Elementor Pro.This issue affects Piotnet Addons For Elementor Pro: from n/a through 7.1.17.
{
"affected": [],
"aliases": [
"CVE-2024-33635"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-29T09:15:08Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in Piotnet Piotnet Addons For Elementor Pro.This issue affects Piotnet Addons For Elementor Pro: from n/a through 7.1.17.",
"id": "GHSA-x7gc-r4xg-v7c2",
"modified": "2026-04-28T21:35:00Z",
"published": "2024-04-29T09:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33635"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/piotnet-addons-for-elementor-pro/wordpress-piotnet-addons-for-elementor-pro-plugin-7-1-17-unauthenticated-arbitrary-post-page-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X7GJ-G5RM-R389
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18An authorization issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8, tvOS 15. An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup.
{
"affected": [],
"aliases": [
"CVE-2021-30810"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "An authorization issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8, tvOS 15. An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup.",
"id": "GHSA-x7gj-g5rm-r389",
"modified": "2022-05-24T19:18:00Z",
"published": "2022-05-24T19:18:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30810"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212814"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212815"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212819"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/61"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/62"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/63"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X7J3-RMWR-2RRX
Vulnerability from github – Published: 2025-01-18 09:30 – Updated: 2025-01-18 09:30The Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
{
"affected": [],
"aliases": [
"CVE-2025-0515"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-18T07:15:09Z",
"severity": "MODERATE"
},
"details": "The Buzz Club \u2013 Night Club, DJ and Music Festival Event WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the \u0027cmsmasters_hide_admin_notice\u0027 function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to \u0027hide\u0027 on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.",
"id": "GHSA-x7j3-rmwr-2rrx",
"modified": "2025-01-18T09:30:22Z",
"published": "2025-01-18T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0515"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/buzz-club-night-club-dj-music-festival-event-wordpress-theme/17973992"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44ad056b-8995-4068-8b05-4fefb8d2ff0a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7J8-VVPF-Q2CR
Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-13 21:30Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAIO – The new AI GEO / SEO tool: from n/a through <= 6.2.8.
{
"affected": [],
"aliases": [
"CVE-2026-39697"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T09:16:42Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in HBSS Technologies MAIO \u0026#8211; The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAIO \u0026#8211; The new AI GEO / SEO tool: from n/a through \u003c= 6.2.8.",
"id": "GHSA-x7j8-vvpf-q2cr",
"modified": "2026-04-13T21:30:36Z",
"published": "2026-04-08T09:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39697"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/maio-the-new-ai-geo-seo-tool/vulnerability/wordpress-maio-the-new-ai-geo-seo-tool-plugin-6-2-8-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7JF-V64X-878J
Vulnerability from github – Published: 2026-05-22 09:31 – Updated: 2026-05-22 09:31The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.
{
"affected": [],
"aliases": [
"CVE-2026-8684"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-22T09:16:33Z",
"severity": "MODERATE"
},
"details": "The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.",
"id": "GHSA-x7jf-v64x-878j",
"modified": "2026-05-22T09:31:28Z",
"published": "2026-05-22T09:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8684"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-api-handler.php#L43"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-api-handler.php#L43"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3537354/motopress-hotel-booking-lite/trunk/includes/ajax-api/ajax-actions/update-booking-notes.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6567e63c-3129-47b2-a734-733eb599821a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7Q3-HV76-4Q29
Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-28 00:31Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.4.
{
"affected": [],
"aliases": [
"CVE-2025-68073"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T17:16:10Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GDPR CCPA Compliance Support: from n/a through \u003c= 2.7.4.",
"id": "GHSA-x7q3-hv76-4q29",
"modified": "2026-01-28T00:31:37Z",
"published": "2026-01-22T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68073"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/ninja-gdpr-compliance/vulnerability/wordpress-gdpr-ccpa-compliance-support-plugin-2-7-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X7RM-228H-8XH9
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:06A flaw was found in the containerized-data-importer in virt-cdi-cloner, version 1.4, where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other user's data.
{
"affected": [],
"aliases": [
"CVE-2019-10175"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the containerized-data-importer in virt-cdi-cloner, version 1.4, where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other user\u0027s data.",
"id": "GHSA-x7rm-228h-8xh9",
"modified": "2024-04-04T01:06:09Z",
"published": "2022-05-24T16:49:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10175"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7W4-VFRH-FC3H
Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2023-10-27 20:43Jenkins Coverity Plugin 1.11.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:coverity"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36919"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-10T18:23:02Z",
"nvd_published_at": "2022-07-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Coverity Plugin 1.11.4 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-x7w4-vfrh-fc3h",
"modified": "2023-10-27T20:43:58Z",
"published": "2022-07-28T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36919"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2790%20%281%29"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2790%20(1)"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Coverity Plugin allows attackers with Overall/Read permission to enumerate credentials IDs"
}
GHSA-X7WV-5QG4-VMR6
Vulnerability from github – Published: 2025-04-29 14:03 – Updated: 2025-04-30 17:29Impact
When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an XWiki.ComponentClass, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use this to gain programming right on the wiki. For this, the attacker needs to have edit right on at least one page to place this object and then get an admin user to edit that document.
To reproduce the problem, as a user without programming right, add an object of type XWiki.ComponentClass to any page and then edit the page as a user with programming right. There should be warning displayed, if not, the XWiki installation is vulnerable.
While such a warning didn't exist in any version of XWiki, only in XWiki 15.9 RC1 these kinds of warnings have been introduced which is why this is considered the first version that has this vulnerability. Before that, the advice was to be careful when editing pages edited by untrusted users.
Patches
This problem has been patched in XWiki 15.10.2, 16.4.3, and 16.8.0 RC1.
Workarounds
We're not aware of any workarounds apart from not editing pages that might have been edited by untrusted users as a user with programming rights, e.g., by using separate user accounts for admin and non-admin tasks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-component-wiki"
},
"ranges": [
{
"events": [
{
"introduced": "15.9-rc-1"
},
{
"fixed": "15.10.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-component-wiki"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-rc-1"
},
{
"fixed": "16.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-component-wiki"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.8.0-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32973"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-29T14:03:13Z",
"nvd_published_at": "2025-04-30T15:16:01Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nWhen a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an `XWiki.ComponentClass`, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use this to gain programming right on the wiki. For this, the attacker needs to have edit right on at least one page to place this object and then get an admin user to edit that document.\n\nTo reproduce the problem, as a user without programming right, add an object of type `XWiki.ComponentClass` to any page and then edit the page as a user with programming right. There should be warning displayed, if not, the XWiki installation is vulnerable.\n\nWhile such a warning didn\u0027t exist in any version of XWiki, only in XWiki 15.9 RC1 these kinds of warnings have been introduced which is why this is considered the first version that has this vulnerability. Before that, the advice was to be careful when editing pages edited by untrusted users.\n\n### Patches\nThis problem has been patched in XWiki 15.10.2, 16.4.3, and 16.8.0 RC1.\n\n### Workarounds\nWe\u0027re not aware of any workarounds apart from not editing pages that might have been edited by untrusted users as a user with programming rights, e.g., by using separate user accounts for admin and non-admin tasks.",
"id": "GHSA-x7wv-5qg4-vmr6",
"modified": "2025-04-30T17:29:29Z",
"published": "2025-04-29T14:03:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x7wv-5qg4-vmr6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32973"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/1a6f1b2e050770331c9a63d12a3fd8a36d199f62"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22460"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right"
}
GHSA-X7XV-7M65-QGQ2
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
{
"affected": [],
"aliases": [
"CVE-2025-11754"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T07:17:26Z",
"severity": "HIGH"
},
"details": "The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027gdpr/v1/settings\u0027 REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.",
"id": "GHSA-x7xv-7m65-qgq2",
"modified": "2026-02-19T18:31:49Z",
"published": "2026-02-19T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11754"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3443083"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.