Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3216 vulnerabilities reference this CWE, most recent first.

CVE-2024-9819 (GCVE-0-2024-9819)

Vulnerability from cvelistv5 – Published: 2024-12-17 12:55 – Updated: 2026-06-02 06:56
VLAI
Title
IDOR in NextGEO's NG Analyser
Summary
Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse. This issue affects NG Analyser: before 2.2.711.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
NextGeography NG Analyser Affected: 0 , < 2.2.711 (custom)
Create a notification for this product.
Credits
Tunahan TEKEOGLU
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9819",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-17T15:24:59.210389Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-17T17:34:03.447Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NG Analyser",
          "vendor": "NextGeography",
          "versions": [
            {
              "lessThan": "2.2.711",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tunahan TEKEOGLU"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse.\u003cp\u003eThis issue affects NG Analyser: before 2.2.711.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse.\n\nThis issue affects NG Analyser: before 2.2.711."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-212",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-212 Functionality Misuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T06:56:08.601Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "broken-link"
          ],
          "url": "https://www.usom.gov.tr/bildirim/tr-24-1889"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1889"
        }
      ],
      "source": {
        "advisory": "TR-24-1889",
        "defect": [
          "TR-24-1889"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "IDOR in NextGEO\u0027s NG Analyser",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2024-9819",
    "datePublished": "2024-12-17T12:55:32.225Z",
    "dateReserved": "2024-10-10T14:14:31.244Z",
    "dateUpdated": "2026-06-02T06:56:08.601Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-9700 (GCVE-0-2024-9700)

Vulnerability from cvelistv5 – Published: 2024-10-31 05:31 – Updated: 2026-04-08 17:34
VLAI
Title
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation
Summary
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
wpmudev Forminator Forms – Contact Form, Payment Form & Custom Form Builder Affected: 0 , ≤ 1.36.0 (semver)
Create a notification for this product.
wpmudev forminator_forms Affected: 0 , ≤ 1.36.0 (semver)
    cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Vijaysimha Reddy
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "forminator_forms",
            "vendor": "wpmudev",
            "versions": [
              {
                "lessThanOrEqual": "1.36.0",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-31T14:18:55.247395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T14:20:15.963Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Forminator Forms \u2013 Contact Form, Payment Form \u0026 Custom Form Builder",
          "vendor": "wpmudev",
          "versions": [
            {
              "lessThanOrEqual": "1.36.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vijaysimha Reddy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Forminator Forms \u2013 Contact Form, Payment Form \u0026 Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the \u0027entry_id\u0027 user controlled key. This makes it possible for unauthenticated attackers to modify other user\u0027s quiz submissions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:34:37.518Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbed35ca-1630-46a4-8b1f-60cc7216f294?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.35.1/library/modules/quizzes/front/front-action.php#L548"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3172942"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-30T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Forminator Forms \u2013 Contact Form, Payment Form \u0026 Custom Form Builder \u003c= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-9700",
    "datePublished": "2024-10-31T05:31:23.699Z",
    "dateReserved": "2024-10-09T17:48:24.883Z",
    "dateUpdated": "2026-04-08T17:34:37.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-9687 (GCVE-0-2024-9687)

Vulnerability from cvelistv5 – Published: 2024-10-15 02:03 – Updated: 2026-04-08 16:36
VLAI
Title
WP 2FA with Telegram <= 3.0 - Authenticated (Subscriber+) Authentication Bypass
Summary
The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'validate_tg' action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
dueclic AuthPress Affected: 0 , ≤ 3.0 (semver)
Create a notification for this product.
dueclic wp_2fa_with_telegram Affected: 0 , ≤ 3.0 (semver)
    cpe:2.3:a:dueclic:wp_2fa_with_telegram:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
István Márton
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:dueclic:wp_2fa_with_telegram:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "wp_2fa_with_telegram",
            "vendor": "dueclic",
            "versions": [
              {
                "lessThanOrEqual": "3.0",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9687",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T15:39:38.467182Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T15:49:57.267Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AuthPress",
          "vendor": "dueclic",
          "versions": [
            {
              "lessThanOrEqual": "3.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Istv\u00e1n M\u00e1rton"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the \u0027validate_tg\u0027 action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:36:40.926Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13b5292f-4484-498b-b6b7-2895871ab794?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/two-factor-login-telegram/tags/3.0/includes/class-wp-factor-telegram-plugin.php#L244"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-09T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2024-10-09T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2024-10-14T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP 2FA with Telegram \u003c= 3.0 - Authenticated (Subscriber+) Authentication Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-9687",
    "datePublished": "2024-10-15T02:03:49.768Z",
    "dateReserved": "2024-10-09T13:14:36.188Z",
    "dateUpdated": "2026-04-08T16:36:40.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-9637 (GCVE-0-2024-9637)

Vulnerability from cvelistv5 – Published: 2024-10-26 08:36 – Updated: 2026-04-08 16:48
VLAI
Title
School Management System – WPSchoolPress <= 2.2.10 - Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation
Summary
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with teacher-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
jdsofttech School Management System – WPSchoolPress Affected: 0 , ≤ 2.2.10 (semver)
Create a notification for this product.
jdsofttech school_management_system Affected: 0 , ≤ 2.2.10 (semver)
    cpe:2.3:a:jdsofttech:school_management_system:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
wesley
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:jdsofttech:school_management_system:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "school_management_system",
            "vendor": "jdsofttech",
            "versions": [
              {
                "lessThanOrEqual": "2.2.10",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9637",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-28T19:21:04.039225Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-28T19:23:08.421Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "School Management System \u2013 WPSchoolPress",
          "vendor": "jdsofttech",
          "versions": [
            {
              "lessThanOrEqual": "2.2.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "wesley"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The School Management System \u2013 WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email. This makes it possible for authenticated attackers, with teacher-level access and above, to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:48:34.081Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/411693fc-9df3-44b1-9a6f-58a6e8ef23b8?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wpschoolpress/tags/2.2.9/lib/wpsp-ajaxworks-teacher.php#L598"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3178510/wpschoolpress/trunk/lib/wpsp-ajaxworks-teacher.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-25T20:05:13.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "School Management System \u2013 WPSchoolPress \u003c= 2.2.10 - Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-9637",
    "datePublished": "2024-10-26T08:36:00.481Z",
    "dateReserved": "2024-10-08T16:50:22.333Z",
    "dateUpdated": "2026-04-08T16:48:34.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-9617 (GCVE-0-2024-9617)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-10-15 12:50
VLAI
Title
IDOR in danswer-ai/danswer
Summary
An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
danswer-ai danswer-ai/danswer Affected: unspecified , ≤ latest (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9617",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:48:39.535713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:21:41.289Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "danswer-ai/danswer",
          "vendor": "danswer-ai",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user\u0027s file."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T12:50:47.220Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/8f683ff6-3a99-41c6-b763-a8f7b73bd146"
        }
      ],
      "source": {
        "advisory": "8f683ff6-3a99-41c6-b763-a8f7b73bd146",
        "discovery": "EXTERNAL"
      },
      "title": "IDOR in danswer-ai/danswer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-9617",
    "datePublished": "2025-03-20T10:10:25.706Z",
    "dateReserved": "2024-10-07T23:02:51.278Z",
    "dateUpdated": "2025-10-15T12:50:47.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-9554 (GCVE-0-2024-9554)

Vulnerability from cvelistv5 – Published: 2024-10-06 11:31 – Updated: 2024-10-07 13:49
VLAI
Title
Sovell Smart Canteen System Password Reset suanfa.py Check_ET_CheckPwdz201 authorization
Summary
A vulnerability classified as problematic was found in Sovell Smart Canteen System up to 3.0.7303.30513. Affected by this vulnerability is the function Check_ET_CheckPwdz201 of the file suanfa.py of the component Password Reset Handler. The manipulation leads to authorization bypass. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.279361 vdb-entrytechnical-description
https://vuldb.com/?ctiid.279361 signaturepermissions-required
https://vuldb.com/?submit.412954 third-party-advisory
https://github.com/qieziwa/Code_vulnerability/blo… related
Impacted products
Vendor Product Version
Sovell Smart Canteen System Affected: 3.0.7303.30513
Create a notification for this product.
sovell smart_canteen_system Affected: 3.0.7303.30513
    cpe:2.3:a:sovell:smart_canteen_system:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
qieziwa (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sovell:smart_canteen_system:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "smart_canteen_system",
            "vendor": "sovell",
            "versions": [
              {
                "status": "affected",
                "version": "3.0.7303.30513"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9554",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-07T13:46:59.565605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-07T13:49:11.679Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Password Reset Handler"
          ],
          "product": "Smart Canteen System",
          "vendor": "Sovell",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.7303.30513"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "qieziwa (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as problematic was found in Sovell Smart Canteen System up to 3.0.7303.30513. Affected by this vulnerability is the function Check_ET_CheckPwdz201 of the file suanfa.py of the component Password Reset Handler. The manipulation leads to authorization bypass. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "In Sovell Smart Canteen System bis 3.0.7303.30513 wurde eine problematische Schwachstelle entdeckt. Das betrifft die Funktion Check_ET_CheckPwdz201 der Datei suanfa.py der Komponente Password Reset Handler. Mittels dem Manipulieren mit unbekannten Daten kann eine authorization bypass-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-06T11:31:04.369Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-279361 | Sovell Smart Canteen System Password Reset suanfa.py Check_ET_CheckPwdz201 authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.279361"
        },
        {
          "name": "VDB-279361 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.279361"
        },
        {
          "name": "Submit #412954 | \u676d\u5dde\u96c4\u4f1f\u79d1\u6280\u5f00\u53d1\u80a1\u4efd\u6709\u9650\u516c\u53f8 \u9910\u5385\u6570\u5b57\u5316 \u6700\u65b0 Authorization Bypass",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.412954"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/qieziwa/Code_vulnerability/blob/main/%E9%9B%84%E4%BC%9F-%E9%A4%90%E5%8E%85%E6%95%B0%E5%AD%97%E5%8C%96%E4%BB%BB%E6%84%8F%E5%AF%86%E7%A0%81%E9%87%8D%E7%BD%AE.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-05T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-10-05T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-10-05T19:02:16.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Sovell Smart Canteen System Password Reset suanfa.py Check_ET_CheckPwdz201 authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-9554",
    "datePublished": "2024-10-06T11:31:04.369Z",
    "dateReserved": "2024-10-05T16:57:06.367Z",
    "dateUpdated": "2024-10-07T13:49:11.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-9263 (GCVE-0-2024-9263)

Vulnerability from cvelistv5 – Published: 2024-10-17 03:32 – Updated: 2026-04-08 17:01
VLAI
Title
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
Summary
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
arraytics Timetics – Appointment Booking & Scheduling Affected: 0 , ≤ 1.0.25 (semver)
Create a notification for this product.
arraytics timetics Affected: 0 , ≤ 1.0.25 (semver)
    cpe:2.3:a:arraytics:timetics:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
wesley
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:arraytics:timetics:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "timetics",
            "vendor": "arraytics",
            "versions": [
              {
                "lessThanOrEqual": "1.0.25",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9263",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T14:44:44.745672Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T15:02:18.902Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Timetics \u2013 Appointment Booking \u0026 Scheduling",
          "vendor": "arraytics",
          "versions": [
            {
              "lessThanOrEqual": "1.0.25",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "wesley"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:01:13.486Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74bd595b-d2fa-4c62-82d2-dba2c2b128f0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.25/core/customers/customer.php#L299"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/customers/customer.php"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/customers/api-customer.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-16T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin \u003c= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-9263",
    "datePublished": "2024-10-17T03:32:49.162Z",
    "dateReserved": "2024-09-26T20:13:08.336Z",
    "dateUpdated": "2026-04-08T17:01:13.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-9262 (GCVE-0-2024-9262)

Vulnerability from cvelistv5 – Published: 2024-11-09 02:03 – Updated: 2026-04-08 16:51
VLAI
Title
User Meta – User Profile Builder and User management plugin <= 3.1.1 - Insecure Direct Object Reference to Sensitive Information Exposure
Summary
The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
wesley
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9262",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T15:44:50.351301Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T20:16:12.976Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "User Meta \u2013 User Profile Builder and User management plugin",
          "vendor": "khaledsaikat",
          "versions": [
            {
              "lessThanOrEqual": "3.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "wesley"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The User Meta \u2013 User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the  \u0027user-meta-public-profile\u0027 shortcode is used insecurely."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:51:54.880Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed81348-7604-4858-bc8e-b4504d77ee45?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/user-meta/trunk/models/classes/generate/PublicProfile.php#L28"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3221099%40user-meta\u0026new=3221099%40user-meta\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-11-08T14:02:02.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "User Meta \u2013 User Profile Builder and User management plugin \u003c= 3.1.1 - Insecure Direct Object Reference to Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-9262",
    "datePublished": "2024-11-09T02:03:03.438Z",
    "dateReserved": "2024-09-26T19:47:01.131Z",
    "dateUpdated": "2026-04-08T16:51:54.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-9215 (GCVE-0-2024-9215)

Vulnerability from cvelistv5 – Published: 2024-10-17 02:06 – Updated: 2026-04-08 17:24
VLAI
Title
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Summary
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
publishpress Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors Affected: 0 , ≤ 4.7.1 (semver)
Create a notification for this product.
publishpress authors Affected: 0 , ≤ 4.7.1 (semver)
    cpe:2.3:a:publishpress:authors:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
wesley
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:publishpress:authors:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "authors",
            "vendor": "publishpress",
            "versions": [
              {
                "lessThanOrEqual": "4.7.1",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9215",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T16:11:01.287328Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T16:15:04.518Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors",
          "vendor": "publishpress",
          "versions": [
            {
              "lessThanOrEqual": "4.7.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "wesley"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the \u0027authors-user_id\u0027 user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user\u0027s account password and gain access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:24:51.431Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0506137-82e3-4988-9b23-370465a866c0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/publishpress-authors/tags/4.7.1/src/core/Classes/Author_Editor.php#L594"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3169244%40publishpress-authors\u0026new=3169244%40publishpress-authors\u0026sfp_email=\u0026sfph_mail=#file7"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-16T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors \u003c= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-9215",
    "datePublished": "2024-10-17T02:06:04.689Z",
    "dateReserved": "2024-09-26T16:03:28.660Z",
    "dateUpdated": "2026-04-08T17:24:51.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-9097 (GCVE-0-2024-9097)

Vulnerability from cvelistv5 – Published: 2025-02-05 12:40 – Updated: 2025-02-12 20:51
VLAI
Title
IDOR
Summary
ManageEngine Endpoint Central versions before 11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
ManageEngine Endpoint Central Affected: 0 , < 11.3.2440.09 (11.3.2440.09)
Create a notification for this product.
Credits
Vishnu Das from Temenos
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9097",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T13:56:34.454181Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:51:30.048Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.manageengine.com/products/desktop-central/",
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Endpoint Central",
          "vendor": "ManageEngine",
          "versions": [
            {
              "lessThan": "11.3.2440.09",
              "status": "affected",
              "version": "0",
              "versionType": "11.3.2440.09"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vishnu Das from Temenos"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ManageEngine Endpoint Central versions before\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "ManageEngine Endpoint Central versions before\u00a011.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-05T12:40:15.257Z",
        "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "shortName": "ManageEngine"
      },
      "references": [
        {
          "url": "https://www.manageengine.com/products/desktop-central/cve-2024-9097.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "IDOR",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
    "assignerShortName": "ManageEngine",
    "cveId": "CVE-2024-9097",
    "datePublished": "2025-02-05T12:40:15.257Z",
    "dateReserved": "2024-09-23T04:18:05.868Z",
    "dateUpdated": "2025-02-12T20:51:30.048Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.