Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5944 vulnerabilities reference this CWE, most recent first.

GHSA-97CV-6PJF-5F9Q

Vulnerability from github – Published: 2022-05-14 01:29 – Updated: 2024-09-04 20:55
VLAI
Summary
AsyncSSH SSH Server Authentication Bypass
Details

The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "AsyncSSH"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-7749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T22:53:06Z",
    "nvd_published_at": "2018-03-12T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step.",
  "id": "GHSA-97cv-6pjf-5f9q",
  "modified": "2024-09-04T20:55:08Z",
  "published": "2022-05-14T01:29:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ronf/asyncssh/commit/16e6ebfa893167c7d9d3f6dc7a2c0d197e47f43a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ronf/asyncssh/commit/c161e26cdc0d41b745b63d9f17b437f073bf7ba4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/asyncssh/PYSEC-2018-108.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ronf/asyncssh"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!msg/asyncssh-announce/57_5O7kiHSA/8BXZ_hxHAQAJ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AsyncSSH SSH Server Authentication Bypass"
}

GHSA-97CV-X3Q8-67H7

Vulnerability from github – Published: 2022-05-01 23:39 – Updated: 2022-05-01 23:39
VLAI
Details

Unspecified vulnerability in xscreensaver in Sun Solaris 10 Java Desktop System (JDS), when using the GNOME On-Screen Keyboard (GOK), allows local users to bypass authentication via unknown vectors that cause the screen saver to crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-1356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-17T17:44:00Z",
    "severity": "MODERATE"
  },
  "details": "Unspecified vulnerability in xscreensaver in Sun Solaris 10 Java Desktop System (JDS), when using the GNOME On-Screen Keyboard (GOK), allows local users to bypass authentication via unknown vectors that cause the screen saver to crash.",
  "id": "GHSA-97cv-x3q8-67h7",
  "modified": "2022-05-01T23:39:21Z",
  "published": "2022-05-01T23:39:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1356"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41191"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29368"
    },
    {
      "type": "WEB",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-234661-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28243"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1019614"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0875/references"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-97F5-M9J7-FPQ3

Vulnerability from github – Published: 2022-05-17 04:40 – Updated: 2022-05-17 04:40
VLAI
Details

(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-4168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-07-03T17:55:00Z",
    "severity": "MODERATE"
  },
  "details": "(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering.",
  "id": "GHSA-97f5-m9j7-fpq3",
  "modified": "2022-05-17T04:40:41Z",
  "published": "2022-05-17T04:40:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4168"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751834"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yarrick/iodine/blob/b715be5cf3978fbe589b03b09c9398d0d791f850/CHANGELOG"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59417"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2964"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/06/16/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/06/18/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-97G8-XFVW-Q4HG

Vulnerability from github – Published: 2022-12-13 19:44 – Updated: 2023-09-20 22:30
VLAI
Summary
Keycloak vulnerable to session takeover with OIDC offline refreshtokens
Details

An issue was discovered in Keycloak when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.

This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the offline_access scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 19.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-304",
      "CWE-488",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T19:44:33Z",
    "nvd_published_at": "2023-09-20T15:15:11Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.\n\nThis issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.",
  "id": "GHSA-97g8-xfvw-q4hg",
  "modified": "2023-09-20T22:30:19Z",
  "published": "2022-12-13T19:44:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8961"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8962"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8963"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8964"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8965"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1043"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1044"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1045"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1047"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-3916"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak vulnerable to session takeover with OIDC offline refreshtokens"
}

GHSA-97JF-46M3-8953

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-06-02 22:18
VLAI
Summary
Security feature bypass vulnerability in Azure Key Vault Keys library for Java
Details

The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.azure:azure-security-keyvault-keys"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-02T22:18:30Z",
    "nvd_published_at": "2026-05-12T18:17:04Z",
    "severity": "CRITICAL"
  },
  "details": "The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.",
  "id": "GHSA-97jf-46m3-8953",
  "modified": "2026-06-02T22:18:30Z",
  "published": "2026-05-12T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33117"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Azure/azure-sdk-for-java/pull/48476"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Azure/azure-sdk-for-java/commit/1b5c5c79d85a5c9a9cfd07f6cdff6fd0f50eccf9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Azure/azure-sdk-for-java"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Security feature bypass vulnerability in Azure Key Vault Keys library for Java"
}

GHSA-97P9-9XPH-WFXF

Vulnerability from github – Published: 2022-05-01 17:50 – Updated: 2022-05-01 17:50
VLAI
Details

webSPELL 4.0, and possibly later versions, allows remote attackers to bypass authentication via a ws_auth cookie, a different vulnerability than CVE-2006-4782.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-1160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-03-02T21:18:00Z",
    "severity": "HIGH"
  },
  "details": "webSPELL 4.0, and possibly later versions, allows remote attackers to bypass authentication via a ws_auth cookie, a different vulnerability than CVE-2006-4782.",
  "id": "GHSA-97p9-9xph-wfxf",
  "modified": "2022-05-01T17:50:51Z",
  "published": "2022-05-01T17:50:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1160"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/33143"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/2337"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/460937/100/0/threaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-97R5-PG8X-P63P

Vulnerability from github – Published: 2026-05-22 17:48 – Updated: 2026-05-22 17:48
VLAI
Summary
Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance
Details

Summary

Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user.

If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth identity. The victim session is then treated as recently reauthenticated, allowing freshness-protected account actions to proceed. This was reproduced against the built-in /change-username route.

### Details

The issue is in the OAuth verification callback.

_oauth_response_common() resolves the OAuth provider identity to a Flask-Security user:

  • flask_security/oauth_glue.py:101-108

oauth_verify_response() then accepts any resolved user and updates the current session freshness timestamp:

  • flask_security/oauth_glue.py:182-214
  • flask_security/oauth_glue.py:201-204

The missing check is that the OAuth-resolved user must match the current authenticated session user. In the failing case:

  • current session user: victim@example.com
  • OAuth verified user: attacker@example.com
  • session marked fresh: yes

So the attacker is not logging in as the victim, but they are satisfying the victim session's reauthentication requirement with a different account.

### PoC

Tested version:

  • Flask-Security-Too 5.8.0
  • tag 5.8.0
  • commit 08288dff6907e413d848a16aaf43fc2c2b2a3b72

Used a minimal Flask app with:

```python SECURITY_OAUTH_ENABLE = True SECURITY_OAUTH_BUILTIN_PROVIDERS = ["github"] SECURITY_FRESHNESS = timedelta(seconds=1) SECURITY_FRESHNESS_GRACE_PERIOD = timedelta(seconds=0) SECURITY_USERNAME_ENABLE = True SECURITY_CHANGE_USERNAME = True

The OAuth provider was replaced with a localhost mock provider returning attacker@example.com. This avoids hitting a live third-party provider while still exercising Flask-Security-Too's real OAuth verification handler.

Reproduction steps:

  1. Log in as victim@example.com.
  2. Wait until the session is no longer fresh.
  3. Confirm POST /change-username is blocked with 401 and reauth_required=true.
  4. Start OAuth verification with POST /login/oauth-verify-start/ github.
  5. Complete the callback with an OAuth identity for attacker@example.com.
  6. Confirm the session is still for victim@example.com, but fs_paa has been updated.
  7. Retry POST /change-username.
  8. The victim user's username is changed successfully.

Observed result:

{ "pre_bypass_status": 401, "pre_bypass_reauth_required": true, "attacker_identity": "attacker@example.com", "oauth_verify_response_status": 302, "post_bypass_change_username_status": 200, "final_email": "victim@example.com", "final_username": "victimowned1777878574", "direct_impact_verified": true }

Note: CSRF was disabled in the local harness only to keep the test focused on the reauthentication check. This is not a CSRF bypass report.

This bypasses Flask-Security-Too's freshness/reauthentication boundary.

Applications using OAuth verification together with freshness- protected account operations may allow a stale victim session to be refreshed using a different user's OAuth account. In my test, this allowed the victim account's username to be changed through Flask- Security-Too's built-in /change-username route.

A likely fix is to reject OAuth verification unless the resolved OAuth user matches current_user before updating session["fs_paa"].

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Flask-Security-Too"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.8.0"
            },
            {
              "fixed": "5.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-22T17:48:54Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n  Flask-Security-Too 5.8.0\u0027s OAuth reauthentication flow can mark a\n  session as fresh after verifying an OAuth account that belongs to a\n  different user.\n\n  If an attacker can operate an already-authenticated but stale victim\n  session, they can complete OAuth verification using their own OAuth\n  identity. The victim session is then treated as recently\n  reauthenticated, allowing freshness-protected account actions to\n  proceed. This was reproduced against the built-in `/change-username`\n  route.\n\n  ### Details\n\n  The issue is in the OAuth verification callback.\n\n  `_oauth_response_common()` resolves the OAuth provider identity to a\n  Flask-Security user:\n\n  - `flask_security/oauth_glue.py:101-108`\n\n  `oauth_verify_response()` then accepts any resolved user and updates\n  the current session freshness timestamp:\n\n  - `flask_security/oauth_glue.py:182-214`\n  - `flask_security/oauth_glue.py:201-204`\n\n  The missing check is that the OAuth-resolved user must match the\n  current authenticated session user. In the failing case:\n\n  - current session user: `victim@example.com`\n  - OAuth verified user: `attacker@example.com`\n  - session marked fresh: yes\n\n  So the attacker is not logging in as the victim, but they are\n  satisfying the victim session\u0027s reauthentication requirement with a\n  different account.\n\n  ### PoC\n\n  Tested version:\n\n  - `Flask-Security-Too 5.8.0`\n  - tag `5.8.0`\n  - commit `08288dff6907e413d848a16aaf43fc2c2b2a3b72`\n\n Used a minimal Flask app with:\n\n  ```python\n  SECURITY_OAUTH_ENABLE = True\n  SECURITY_OAUTH_BUILTIN_PROVIDERS = [\"github\"]\n  SECURITY_FRESHNESS = timedelta(seconds=1)\n  SECURITY_FRESHNESS_GRACE_PERIOD = timedelta(seconds=0)\n  SECURITY_USERNAME_ENABLE = True\n  SECURITY_CHANGE_USERNAME = True\n\n  The OAuth provider was replaced with a localhost mock provider\n  returning attacker@example.com. This avoids hitting a live third-party\n  provider while still exercising Flask-Security-Too\u0027s real OAuth\n  verification handler.\n\n  Reproduction steps:\n\n  1. Log in as victim@example.com.\n  2. Wait until the session is no longer fresh.\n  3. Confirm POST /change-username is blocked with 401 and\n     reauth_required=true.\n  4. Start OAuth verification with POST /login/oauth-verify-start/\n     github.\n  5. Complete the callback with an OAuth identity for\n     attacker@example.com.\n  6. Confirm the session is still for victim@example.com, but fs_paa has\n     been updated.\n  7. Retry POST /change-username.\n  8. The victim user\u0027s username is changed successfully.\n\n  Observed result:\n\n  {\n    \"pre_bypass_status\": 401,\n    \"pre_bypass_reauth_required\": true,\n    \"attacker_identity\": \"attacker@example.com\",\n    \"oauth_verify_response_status\": 302,\n    \"post_bypass_change_username_status\": 200,\n    \"final_email\": \"victim@example.com\",\n    \"final_username\": \"victimowned1777878574\",\n    \"direct_impact_verified\": true\n  }\n\n  Note: CSRF was disabled in the local harness only to keep the test\n  focused on the reauthentication check. This is not a CSRF bypass\n  report.\n\n  This bypasses Flask-Security-Too\u0027s freshness/reauthentication\n  boundary.\n\n  Applications using OAuth verification together with freshness-\n  protected account operations may allow a stale victim session to be\n  refreshed using a different user\u0027s OAuth account. In my test, this\n  allowed the victim account\u0027s username to be changed through Flask-\n  Security-Too\u0027s built-in /change-username route.\n\n  A likely fix is to reject OAuth verification unless the resolved OAuth\n  user matches current_user before updating session[\"fs_paa\"].",
  "id": "GHSA-97r5-pg8x-p63p",
  "modified": "2026-05-22T17:48:54Z",
  "published": "2026-05-22T17:48:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pallets-eco/flask-security/security/advisories/GHSA-97r5-pg8x-p63p"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pallets-eco/flask-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Flask-Security-Too OAuth reauthentication freshness bypass via cross-   user OAuth identity acceptance"
}

GHSA-97X2-VJFG-FJHM

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14
VLAI
Details

An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-13T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the Responsive Poll through 1.3.4 for Wordpress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations.",
  "id": "GHSA-97x2-vjfg-fjhm",
  "modified": "2022-05-24T17:14:03Z",
  "published": "2022-05-24T17:14:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11673"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/pak0s/05a0e517aeff4b1422d1a93f59718459"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/poll-wp/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9853-G727-5V8X

Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-06 21:31
VLAI
Details

A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T19:16:53Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
  "id": "GHSA-9853-g727-5v8x",
  "modified": "2026-05-06T21:31:42Z",
  "published": "2026-05-06T21:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8031"
    },
    {
      "type": "WEB",
      "url": "https://docs.google.com/document/d/1FByC9x21c5503cQg6lkxjffIwWlEAHtHi_83vk2eUdk/edit?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/800781"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361357"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361357/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9862-4M47-452H

Vulnerability from github – Published: 2022-05-02 03:49 – Updated: 2022-05-02 03:49
VLAI
Details

The VirtualBox 2.0.8 and 2.0.10 web service in Sun Virtual Desktop Infrastructure (VDI) 3.0 does not require authentication, which allows remote attackers to obtain unspecified access via vectors involving requests to an Apache HTTP Server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-3923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-11-10T00:30:00Z",
    "severity": "HIGH"
  },
  "details": "The VirtualBox 2.0.8 and 2.0.10 web service in Sun Virtual Desktop Infrastructure (VDI) 3.0 does not require authentication, which allows remote attackers to obtain unspecified access via vectors involving requests to an Apache HTTP Server.",
  "id": "GHSA-9862-4m47-452h",
  "modified": "2022-05-02T03:49:51Z",
  "published": "2022-05-02T03:49:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3923"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54136"
    },
    {
      "type": "WEB",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-141481-03-1"
    },
    {
      "type": "WEB",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-268328-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/36917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.