Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3238 vulnerabilities reference this CWE, most recent first.

GHSA-2XGG-2X8H-8XW4

Vulnerability from github – Published: 2026-07-14 00:09 – Updated: 2026-07-14 00:09
VLAI
Summary
Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation
Details

Summary

Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the Web rate editing flows for projects, customers, and activities. A user who can edit one authorized parent object can combine that authorized parent ID with the rate ID of a different, unauthorized parent object and thereby modify the unauthorized rate record.

This affects ProjectRate, CustomerRate, and ActivityRate editing. The issue is caused by missing parent-child consistency validation and allows cross-project, cross-customer, or cross-activity tampering of billing-related configuration.

Details

The issue affects the following Web routes:

  • GET/POST /en/admin/project/{id}/rate/{rate}
  • GET/POST /en/admin/customer/{id}/rate/{rate}
  • GET/POST /en/admin/activity/{id}/rate/{rate}

In both cases, the parent object and the rate object are resolved independently from user-controlled route parameters. The controller only checks whether the current user may edit the parent object referenced by {id}, but it does not verify that the child rate object referenced by {rate} actually belongs to that same parent.

In these controllers, there is no validation such as:

  • $rate->getProject() === $project
  • $rate->getCustomer() === $customer
  • $rate->getActivity() === $activity

This missing binding check is especially notable because the API delete endpoints already enforce the expected parent-child relationship.

This shows that parent-child consistency is already a recognized invariant in the application design, but the Web edit endpoints fail to enforce it for projects, customers, and activities.

A PoC was provided, but removed for security reasons.

Impact

This vulnerability allows authenticated users to tamper with billing-related rate configuration outside their authorized project, customer, or activity scope. An attacker can modify rate values belonging to other teams or business domains, which can affect time-based settlement, inherited pricing, cost calculations, budget reporting, revenue reporting, and downstream invoice generation.

Because the issue directly persists changes into kimai2_projects_rates, kimai2_customers_rates, and kimai2_activities_rates, it is a real cross-scope integrity vulnerability rather than a UI-only flaw. The attack breaks team-based isolation boundaries for high-value financial configuration.

Solution

The rate edit forms for customers, projects and activities now verify that the rate belongs to the parent referenced in the URL and reject the request otherwise.

See https://www.kimai.org/en/security/ghsa-2xgg-2x8h-8xw4 for more information.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.56.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.57.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T00:09:35Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nKimai 2.56.0 contains an authenticated improper authorization vulnerability in the Web rate editing flows for projects, customers, and activities. A user who can edit one authorized parent object can combine that authorized parent ID with the rate ID of a different, unauthorized parent object and thereby modify the unauthorized rate record.\n\nThis affects `ProjectRate`, `CustomerRate`, and `ActivityRate` editing. The issue is caused by missing parent-child consistency validation and allows cross-project, cross-customer, or cross-activity tampering of billing-related configuration.\n\n### Details\n\nThe issue affects the following Web routes:\n\n- `GET/POST /en/admin/project/{id}/rate/{rate}`\n- `GET/POST /en/admin/customer/{id}/rate/{rate}`\n- `GET/POST /en/admin/activity/{id}/rate/{rate}`\n\nIn both cases, the parent object and the rate object are resolved independently from user-controlled route parameters. The controller only checks whether the current user may edit the parent object referenced by `{id}`, but it does not verify that the child rate object referenced by `{rate}` actually belongs to that same parent.\n\nIn these controllers, there is no validation such as:\n\n- `$rate-\u003egetProject() === $project`\n- `$rate-\u003egetCustomer() === $customer`\n- `$rate-\u003egetActivity() === $activity`\n\nThis missing binding check is especially notable because the API delete endpoints already enforce the expected parent-child relationship.\n\nThis shows that parent-child consistency is already a recognized invariant in the application design, but the Web edit endpoints fail to enforce it for projects, customers, and activities.\n\n*A PoC was provided, but removed for security reasons.*\n\n### Impact\n\nThis vulnerability allows authenticated users to tamper with billing-related rate configuration outside their authorized project, customer, or activity scope. An attacker can modify rate values belonging to other teams or business domains, which can affect time-based settlement, inherited pricing, cost calculations, budget reporting, revenue reporting, and downstream invoice generation.\n\nBecause the issue directly persists changes into `kimai2_projects_rates`, `kimai2_customers_rates`, and `kimai2_activities_rates`, it is a real cross-scope integrity vulnerability rather than a UI-only flaw. The attack breaks team-based isolation boundaries for high-value financial configuration.\n\n# Solution\n\nThe rate edit forms for `customers`, `projects` and `activities` now verify that the rate belongs to the parent referenced in the URL and reject the request otherwise.\n\nSee [https://www.kimai.org/en/security/ghsa-2xgg-2x8h-8xw4](https://www.kimai.org/en/security/ghsa-2xgg-2x8h-8xw4) for more information.",
  "id": "GHSA-2xgg-2x8h-8xw4",
  "modified": "2026-07-14T00:09:35Z",
  "published": "2026-07-14T00:09:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-2xgg-2x8h-8xw4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation"
}

GHSA-2XJF-R5X5-5XPC

Vulnerability from github – Published: 2025-08-25 15:32 – Updated: 2025-08-25 15:32
VLAI
Details

An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by this parameter. This allows direct access to other users' data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-45968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-25T14:15:31Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by this parameter. This allows direct access to other users\u0027 data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information.",
  "id": "GHSA-2xjf-r5x5-5xpc",
  "modified": "2025-08-25T15:32:00Z",
  "published": "2025-08-25T15:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45968"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@r3dd1t/pedindo-um-lanche-e-possivelemnte-descobrindo-uma-cve-9930b0114e3f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XJR-FP46-9FHH

Vulnerability from github – Published: 2024-05-07 12:30 – Updated: 2024-05-07 12:30
VLAI
Details

IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain the download URL of another user to obtain the purchased ticket.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-07T12:15:09Z",
    "severity": "HIGH"
  },
  "details": "IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain the download URL of another user to obtain the purchased ticket.",
  "id": "GHSA-2xjr-fp46-9fhh",
  "modified": "2024-05-07T12:30:50Z",
  "published": "2024-05-07T12:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4537"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto-ticketing-software"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XQP-GCM9-67F8

Vulnerability from github – Published: 2026-02-12 15:32 – Updated: 2026-06-04 09:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables.This issue affects E-Commerce Package: through 27112025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T14:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables.This issue affects E-Commerce Package: through 27112025.",
  "id": "GHSA-2xqp-gcm9-67f8",
  "modified": "2026-06-04T09:30:34Z",
  "published": "2026-02-12T15:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13004"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0063"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-26-0063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XX8-J85V-J7WH

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-16 01:32
VLAI
Summary
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php
Details

A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "krayin/laravel-crm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-38532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T01:32:19Z",
    "nvd_published_at": "2026-04-14T16:16:43Z",
    "severity": "HIGH"
  },
  "details": "A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.",
  "id": "GHSA-2xx8-j85v-j7wh",
  "modified": "2026-04-16T01:32:19Z",
  "published": "2026-04-14T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/krayin/laravel-crm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php"
}

GHSA-3242-HVMP-WGVM

Vulnerability from github – Published: 2023-01-30 21:30 – Updated: 2023-02-07 00:30
VLAI
Details

The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies.",
  "id": "GHSA-3242-hvmp-wgvm",
  "modified": "2023-02-07T00:30:26Z",
  "published": "2023-01-30T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4794"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/feb4580d-df15-45c8-b59e-ad406e4b064c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32P9-VR87-6GX3

Vulnerability from github – Published: 2023-08-31 06:30 – Updated: 2024-04-04 07:18
VLAI
Details

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter's first name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T06:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the \u0027mf_first_name\u0027 shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter\u0027s first name.",
  "id": "GHSA-32p9-vr87-6gx3",
  "modified": "2024-04-04T07:18:20Z",
  "published": "2023-08-31T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0689"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2910040"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32R7-P8R7-9VWJ

Vulnerability from github – Published: 2023-05-23 06:30 – Updated: 2023-05-23 06:30
VLAI
Details

Missing Authorization in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-23T04:15:09Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.",
  "id": "GHSA-32r7-p8r7-9vwj",
  "modified": "2023-05-23T06:30:36Z",
  "published": "2023-05-23T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2844"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32WM-P53Q-684M

Vulnerability from github – Published: 2025-11-04 12:30 – Updated: 2025-11-10 21:30
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. This is a server-side authorization fix.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-04T11:15:37Z",
    "severity": "HIGH"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users\u2019 vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. This is a server-side authorization fix.",
  "id": "GHSA-32wm-p53q-684m",
  "modified": "2025-11-10T21:30:31Z",
  "published": "2025-11-04T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11690"
    },
    {
      "type": "WEB",
      "url": "https://advisories.ncsc.nl/2025/ncsc-2025-0350.html"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@ilnur.khakimov_86612/how-i-hacked-100-000-motorcycles-including-my-own-666bdb702b7d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32WX-4GXX-H48F

Vulnerability from github – Published: 2021-01-29 18:13 – Updated: 2021-01-26 03:45
VLAI
Summary
Users can edit the tags of any discussion
Details

This advisory concerns a vulnerability which was patched and publicly released on October 5, 2020.

Impact

This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.

Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.

By moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.

The full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.

Forums that don't use restricted tags and don't use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion's tags.

Forums that don't use the Tags extension are unaffected.

Patches

The fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.

Workarounds

Version v0.1.0-beta.13.2 of the Tags extension allows existing Flarum beta 13 forums to fix the issue without the need to update to beta 14.

Forums that have not yet updated to Flarum beta 13 are encouraged to update as soon as possible.

References

For more information

If you have any questions or comments about this advisory, please start a new discussion on our support forum.

If you discover a security vulnerability within Flarum, please send an e-mail to security@flarum.org. All security vulnerabilities will be promptly addressed. More details can be found in our security policy.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.0-beta.13"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "flarum/tags"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.0-beta.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-01-26T03:45:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "This advisory concerns a vulnerability which was patched and publicly released on October 5, 2020.\n\n### Impact\nThis vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API.\n\nUsers were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums and maximums.\n\nBy moving the discussion to new tags, users were able to go around permissions applied to restricted tags. Depending on the setup, this can include publicly exposing content that was only visible to certain groups, or gain the ability to interact with content where such interaction was limited.\n\nThe full impact varies depending on the configuration of permissions and restricted tags, and which community extensions are being used. All tag-scoped permissions offered by extensions are impacted by this ability to go around them.\n\nForums that don\u0027t use restricted tags and don\u0027t use any extension that relies on tags for access control should not see any security impact. An update is still required to stop users from being able to change any discussion\u0027s tags.\n\nForums that don\u0027t use the Tags extension are unaffected.\n\n### Patches\nThe fix will be available in version v0.1.0-beta.14 with Flarum beta 14. The fix has already been back-ported to Flarum beta 13 as version v0.1.0-beta.13.2 of the Tags extension.\n\n### Workarounds\nVersion v0.1.0-beta.13.2 of the Tags extension allows existing Flarum beta 13 forums to fix the issue without the need to update to beta 14.\n\nForums that have not yet updated to Flarum beta 13 are encouraged to update as soon as possible.\n\n### References\n\n- [Release announcement](https://discuss.flarum.org/d/25059-security-update-to-flarum-tags-010-beta132)\n- [GitHub issue](https://github.com/flarum/core/issues/2355)\n\n### For more information\nIf you have any questions or comments about this advisory, please start a new discussion on our [support forum](https://discuss.flarum.org/t/support).\n\nIf you discover a security vulnerability within Flarum, please send an e-mail to [security@flarum.org](mailto:security@flarum.org). All security vulnerabilities will be promptly addressed. More details can be found in our [security policy](https://github.com/flarum/core/security/policy).",
  "id": "GHSA-32wx-4gxx-h48f",
  "modified": "2021-01-26T03:45:41Z",
  "published": "2021-01-29T18:13:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flarum/tags/security/advisories/GHSA-32wx-4gxx-h48f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/core/issues/2355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flarum/tags/commit/c8fcd000857493f1e4cc00b6f2771ce388b93e9d"
    },
    {
      "type": "WEB",
      "url": "https://discuss.flarum.org/d/25059-security-update-to-flarum-tags-010-beta132"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/flarum/tags"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Users can edit the tags of any discussion"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.