
CWE-420

Unprotected Alternate Channel

Abstraction: Base
Status: Draft

Description

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

Hierarchy (View 1000)

CVEs mapped to this weakness (17)

Columns: CVE, Severity, Risk, CVSS, EPSS, KEV, Published, Description. Entries are listed in descending order of Risk. The KEV column is empty for every entry below, and a blank CVSS means the page shows no score for that entry.

CVE-2025-52921
Severity: Critical | Risk: 0.64 | CVSS: 9.9 | EPSS: 0.01 | Published: Jun 23, 2025
In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the initial check that uploaded files are image files. The application relies on frontend checks to restrict the administrator from changing the extension of uploaded files to .php. This restriction is easily bypassed with any proxy tool (e.g., BurpSuite). Once the attacker renames the file, and gives it the .php extension, a GET request can be used to trigger the execution of code on the server.

CVE-2026-40217
Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.00 | Published: Apr 10, 2026
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

CVE-2025-8557
Severity: High | Risk: 0.57 | CVSS: 8.8 | EPSS: 0.00 | Published: Sep 11, 2025
An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability: An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) network segment may be able to manipulate the local device to create an alternate communication channel which could allow the attacker, under certain conditions, to directly interact with backend LXCO API services typically inaccessible to users. While access controls may limit the scope of interaction, this could result in unauthorized access to internal functionality or data. This issue is not exploitable from remote networks.

CVE-2025-41727
Severity: High | Risk: 0.51 | CVSS: 7.8 | EPSS: 0.00 | Published: Jan 27, 2026
A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access.

CVE-2025-59033
Severity: High | Risk: 0.48 | CVSS: 7.4 | EPSS: 0.00 | Published: Sep 8, 2025
The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. Entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate's TBS hash along with a 'FileAttribRef' qualifier (such as file name or version) may not be blocked, whether hypervisor-protected code integrity (HVCI) is enabled or not. NOTE: The vendor disputes this CVE ID assignment and states that the driver blocklist is intended for use with HVCI.

CVE-2024-6242
Severity: High | Risk: 0.47 | CVSS: (not shown) | EPSS: 0.00 | Published: Aug 1, 2024
A vulnerability exists in Rockwell Automation affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.

CVE-2025-53967
Severity: High | Risk: 0.45 | CVSS: 8.0 | EPSS: 0.00 | Published: Oct 8, 2025
Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize user-supplied input, enabling the attacker to inject malicious commands that are executed with the privileges of the MCP process. Exploitation requires network access to the MCP interface.

CVE-2026-43505
Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | Published: May 1, 2026
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur.

CVE-2024-4444
Severity: Medium | Risk: 0.35 | CVSS: 5.3 | EPSS: 0.01 | Published: May 14, 2024
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

CVE-2024-6099
Severity: Medium | Risk: 0.34 | CVSS: 5.3 | EPSS: 0.00 | Published: Jul 2, 2024
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

CVE-2025-66432
Severity: Medium | Risk: 0.33 | CVSS: 5.0 | EPSS: 0.00 | Published: Nov 30, 2025
In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.

CVE-2022-28693
Severity: Medium | Risk: 0.31 | CVSS: 4.7 | EPSS: 0.00 | Published: Feb 14, 2025
Unprotected alternative channel of return branch target prediction in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CVE-2026-25916
Severity: Medium | Risk: 0.28 | CVSS: 4.3 | EPSS: 0.00 | Published: Feb 9, 2026
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.

CVE-2025-62820
Severity: Medium | Risk: 0.25 | CVSS: 4.9 | EPSS: 0.00 | Published: Oct 23, 2025
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.

CVE-2025-56558
Severity: Low | Risk: 0.20 | CVSS: 3.0 | EPSS: 0.00 | Published: Oct 29, 2025
The Dyson MQTT server (2022 and possibly later) allows publications and subscriptions by a client that has the correct values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and device serial number, even if a device (such as a Pure Hot+Cool device) has been removed and is not visible in the supported MyDyson app. This could allow an unexpected actor to obtain control and set the room temperature (up to 37 Celsius) if ownership of the device is transferred without wiping the device. NOTE: the Supplier's position is that this is a potential vulnerability that dates back 4 years ago in 2022 and "we are unable to replicate that anymore." Based on the submitted report, in order to leverage this issue, an attacker needs to own a Dyson device with full privileges, sniff for the AWS credentials, and then transfer ownership of that Dyson device to the victim. Even if these steps were successfully accomplished, the attacker only acquires the ability to configure the Dyson device within its safe operating range, and does not acquire the ability to execute code on the device or obtain sensitive information.

CVE-2025-52968
Severity: Low | Risk: 0.18 | CVSS: 2.7 | EPSS: 0.00 | Published: Jun 23, 2025
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

CVE-2026-35388
Severity: Low | Risk: 0.16 | CVSS: 2.5 | EPSS: 0.00 | Published: Apr 2, 2026
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.