CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3238 vulnerabilities reference this CWE, most recent first.
GHSA-2XGG-2X8H-8XW4
Vulnerability from github – Published: 2026-07-14 00:09 – Updated: 2026-07-14 00:09Summary
Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the Web rate editing flows for projects, customers, and activities. A user who can edit one authorized parent object can combine that authorized parent ID with the rate ID of a different, unauthorized parent object and thereby modify the unauthorized rate record.
This affects ProjectRate, CustomerRate, and ActivityRate editing. The issue is caused by missing parent-child consistency validation and allows cross-project, cross-customer, or cross-activity tampering of billing-related configuration.
Details
The issue affects the following Web routes:
GET/POST /en/admin/project/{id}/rate/{rate}GET/POST /en/admin/customer/{id}/rate/{rate}GET/POST /en/admin/activity/{id}/rate/{rate}
In both cases, the parent object and the rate object are resolved independently from user-controlled route parameters. The controller only checks whether the current user may edit the parent object referenced by {id}, but it does not verify that the child rate object referenced by {rate} actually belongs to that same parent.
In these controllers, there is no validation such as:
$rate->getProject() === $project$rate->getCustomer() === $customer$rate->getActivity() === $activity
This missing binding check is especially notable because the API delete endpoints already enforce the expected parent-child relationship.
This shows that parent-child consistency is already a recognized invariant in the application design, but the Web edit endpoints fail to enforce it for projects, customers, and activities.
A PoC was provided, but removed for security reasons.
Impact
This vulnerability allows authenticated users to tamper with billing-related rate configuration outside their authorized project, customer, or activity scope. An attacker can modify rate values belonging to other teams or business domains, which can affect time-based settlement, inherited pricing, cost calculations, budget reporting, revenue reporting, and downstream invoice generation.
Because the issue directly persists changes into kimai2_projects_rates, kimai2_customers_rates, and kimai2_activities_rates, it is a real cross-scope integrity vulnerability rather than a UI-only flaw. The attack breaks team-based isolation boundaries for high-value financial configuration.
Solution
The rate edit forms for customers, projects and activities now verify that the rate belongs to the parent referenced in the URL and reject the request otherwise.
See https://www.kimai.org/en/security/ghsa-2xgg-2x8h-8xw4 for more information.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.56.0"
},
"package": {
"ecosystem": "Packagist",
"name": "kimai/kimai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.57.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52826"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T00:09:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nKimai 2.56.0 contains an authenticated improper authorization vulnerability in the Web rate editing flows for projects, customers, and activities. A user who can edit one authorized parent object can combine that authorized parent ID with the rate ID of a different, unauthorized parent object and thereby modify the unauthorized rate record.\n\nThis affects `ProjectRate`, `CustomerRate`, and `ActivityRate` editing. The issue is caused by missing parent-child consistency validation and allows cross-project, cross-customer, or cross-activity tampering of billing-related configuration.\n\n### Details\n\nThe issue affects the following Web routes:\n\n- `GET/POST /en/admin/project/{id}/rate/{rate}`\n- `GET/POST /en/admin/customer/{id}/rate/{rate}`\n- `GET/POST /en/admin/activity/{id}/rate/{rate}`\n\nIn both cases, the parent object and the rate object are resolved independently from user-controlled route parameters. The controller only checks whether the current user may edit the parent object referenced by `{id}`, but it does not verify that the child rate object referenced by `{rate}` actually belongs to that same parent.\n\nIn these controllers, there is no validation such as:\n\n- `$rate-\u003egetProject() === $project`\n- `$rate-\u003egetCustomer() === $customer`\n- `$rate-\u003egetActivity() === $activity`\n\nThis missing binding check is especially notable because the API delete endpoints already enforce the expected parent-child relationship.\n\nThis shows that parent-child consistency is already a recognized invariant in the application design, but the Web edit endpoints fail to enforce it for projects, customers, and activities.\n\n*A PoC was provided, but removed for security reasons.*\n\n### Impact\n\nThis vulnerability allows authenticated users to tamper with billing-related rate configuration outside their authorized project, customer, or activity scope. An attacker can modify rate values belonging to other teams or business domains, which can affect time-based settlement, inherited pricing, cost calculations, budget reporting, revenue reporting, and downstream invoice generation.\n\nBecause the issue directly persists changes into `kimai2_projects_rates`, `kimai2_customers_rates`, and `kimai2_activities_rates`, it is a real cross-scope integrity vulnerability rather than a UI-only flaw. The attack breaks team-based isolation boundaries for high-value financial configuration.\n\n# Solution\n\nThe rate edit forms for `customers`, `projects` and `activities` now verify that the rate belongs to the parent referenced in the URL and reject the request otherwise.\n\nSee [https://www.kimai.org/en/security/ghsa-2xgg-2x8h-8xw4](https://www.kimai.org/en/security/ghsa-2xgg-2x8h-8xw4) for more information.",
"id": "GHSA-2xgg-2x8h-8xw4",
"modified": "2026-07-14T00:09:35Z",
"published": "2026-07-14T00:09:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-2xgg-2x8h-8xw4"
},
{
"type": "PACKAGE",
"url": "https://github.com/kimai/kimai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation"
}
GHSA-2XJF-R5X5-5XPC
Vulnerability from github – Published: 2025-08-25 15:32 – Updated: 2025-08-25 15:32An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by this parameter. This allows direct access to other users' data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-45968"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T14:15:31Z",
"severity": "CRITICAL"
},
"details": "An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by this parameter. This allows direct access to other users\u0027 data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information.",
"id": "GHSA-2xjf-r5x5-5xpc",
"modified": "2025-08-25T15:32:00Z",
"published": "2025-08-25T15:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45968"
},
{
"type": "WEB",
"url": "https://medium.com/@r3dd1t/pedindo-um-lanche-e-possivelemnte-descobrindo-uma-cve-9930b0114e3f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2XJR-FP46-9FHH
Vulnerability from github – Published: 2024-05-07 12:30 – Updated: 2024-05-07 12:30IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain the download URL of another user to obtain the purchased ticket.
{
"affected": [],
"aliases": [
"CVE-2024-4537"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T12:15:09Z",
"severity": "HIGH"
},
"details": "IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain the download URL of another user to obtain the purchased ticket.",
"id": "GHSA-2xjr-fp46-9fhh",
"modified": "2024-05-07T12:30:50Z",
"published": "2024-05-07T12:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4537"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto-ticketing-software"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2XQP-GCM9-67F8
Vulnerability from github – Published: 2026-02-12 15:32 – Updated: 2026-06-04 09:30Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables.This issue affects E-Commerce Package: through 27112025.
{
"affected": [],
"aliases": [
"CVE-2025-13004"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T14:16:00Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables.This issue affects E-Commerce Package: through 27112025.",
"id": "GHSA-2xqp-gcm9-67f8",
"modified": "2026-06-04T09:30:34Z",
"published": "2026-02-12T15:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13004"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0063"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2XX8-J85V-J7WH
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-16 01:32A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "krayin/laravel-crm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-38532"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T01:32:19Z",
"nvd_published_at": "2026-04-14T16:16:43Z",
"severity": "HIGH"
},
"details": "A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.",
"id": "GHSA-2xx8-j85v-j7wh",
"modified": "2026-04-16T01:32:19Z",
"published": "2026-04-14T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38532"
},
{
"type": "WEB",
"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532"
},
{
"type": "PACKAGE",
"url": "https://github.com/krayin/laravel-crm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php"
}
GHSA-3242-HVMP-WGVM
Vulnerability from github – Published: 2023-01-30 21:30 – Updated: 2023-02-07 00:30The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies.
{
"affected": [],
"aliases": [
"CVE-2022-4794"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T21:15:00Z",
"severity": "HIGH"
},
"details": "The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies.",
"id": "GHSA-3242-hvmp-wgvm",
"modified": "2023-02-07T00:30:26Z",
"published": "2023-01-30T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4794"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/feb4580d-df15-45c8-b59e-ad406e4b064c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-32P9-VR87-6GX3
Vulnerability from github – Published: 2023-08-31 06:30 – Updated: 2024-04-04 07:18The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter's first name.
{
"affected": [],
"aliases": [
"CVE-2023-0689"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T06:15:08Z",
"severity": "MODERATE"
},
"details": "The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the \u0027mf_first_name\u0027 shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter\u0027s first name.",
"id": "GHSA-32p9-vr87-6gx3",
"modified": "2024-04-04T07:18:20Z",
"published": "2023-08-31T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0689"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2910040"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-32R7-P8R7-9VWJ
Vulnerability from github – Published: 2023-05-23 06:30 – Updated: 2023-05-23 06:30Missing Authorization in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.
{
"affected": [],
"aliases": [
"CVE-2023-2844"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-23T04:15:09Z",
"severity": "HIGH"
},
"details": "Missing Authorization in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.",
"id": "GHSA-32r7-p8r7-9vwj",
"modified": "2023-05-23T06:30:36Z",
"published": "2023-05-23T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2844"
},
{
"type": "WEB",
"url": "https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-32WM-P53Q-684M
Vulnerability from github – Published: 2025-11-04 12:30 – Updated: 2025-11-10 21:30An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. This is a server-side authorization fix.
{
"affected": [],
"aliases": [
"CVE-2025-11690"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T11:15:37Z",
"severity": "HIGH"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users\u2019 vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. This is a server-side authorization fix.",
"id": "GHSA-32wm-p53q-684m",
"modified": "2025-11-10T21:30:31Z",
"published": "2025-11-04T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11690"
},
{
"type": "WEB",
"url": "https://advisories.ncsc.nl/2025/ncsc-2025-0350.html"
},
{
"type": "WEB",
"url": "https://medium.com/@ilnur.khakimov_86612/how-i-hacked-100-000-motorcycles-including-my-own-666bdb702b7d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-32WX-4GXX-H48F
Vulnerability from github – Published: 2021-01-29 18:13 – Updated: 2021-01-26 03:45This advisory concerns a vulnerability which was patched and publicly released on October 5, 2020.
Impact
This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.
Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.
By moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.
The full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.
Forums that don't use restricted tags and don't use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion's tags.
Forums that don't use the Tags extension are unaffected.
Patches
The fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.
Workarounds
Version v0.1.0-beta.13.2 of the Tags extension allows existing Flarum beta 13 forums to fix the issue without the need to update to beta 14.
Forums that have not yet updated to Flarum beta 13 are encouraged to update as soon as possible.
References
For more information
If you have any questions or comments about this advisory, please start a new discussion on our support forum.
If you discover a security vulnerability within Flarum, please send an e-mail to security@flarum.org. All security vulnerabilities will be promptly addressed. More details can be found in our security policy.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.0-beta.13"
},
"package": {
"ecosystem": "Packagist",
"name": "flarum/tags"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.0-beta.13.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2021-01-26T03:45:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "This advisory concerns a vulnerability which was patched and publicly released on October 5, 2020.\n\n### Impact\nThis vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.\n\nUsers were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.\n\nBy moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.\n\nThe full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.\n\nForums that don\u0027t use restricted tags and don\u0027t use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion\u0027s tags.\n\nForums that don\u0027t use the Tags extension are unaffected.\n\n### Patches\nThe fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.\n\n### Workarounds\nVersion v0.1.0-beta.13.2 of the Tags extension allows existing Flarum beta 13 forums to fix the issue without the need to update to beta 14.\n\nForums that have not yet updated to Flarum beta 13 are encouraged to update as soon as possible.\n\n### References\n\n- [Release announcement](https://discuss.flarum.org/d/25059-security-update-to-flarum-tags-010-beta132)\n- [GitHub issue](https://github.com/flarum/core/issues/2355)\n\n### For more information\nIf you have any questions or comments about this advisory, please start a new discussion on our [support forum](https://discuss.flarum.org/t/support).\n\nIf you discover a security vulnerability within Flarum, please send an e-mail to [security@flarum.org](mailto:security@flarum.org). All security vulnerabilities will be promptly addressed. More details can be found in our [security policy](https://github.com/flarum/core/security/policy).",
"id": "GHSA-32wx-4gxx-h48f",
"modified": "2021-01-26T03:45:41Z",
"published": "2021-01-29T18:13:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flarum/tags/security/advisories/GHSA-32wx-4gxx-h48f"
},
{
"type": "WEB",
"url": "https://github.com/flarum/core/issues/2355"
},
{
"type": "WEB",
"url": "https://github.com/flarum/tags/commit/c8fcd000857493f1e4cc00b6f2771ce388b93e9d"
},
{
"type": "WEB",
"url": "https://discuss.flarum.org/d/25059-security-update-to-flarum-tags-010-beta132"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/flarum/tags"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Users can edit the tags of any discussion"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.