Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3235 vulnerabilities reference this CWE, most recent first.

GHSA-35WF-3WQ2-R3HX

Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2023-03-13 19:15
VLAI
Summary
Moodle has Incorrect Default Permissions
Details

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11.0-beta"
            },
            {
              "fixed": "3.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0-beta"
            },
            {
              "fixed": "3.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-08T00:20:15Z",
    "nvd_published_at": "2023-03-06T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Moodle, insufficient capability checks made it possible to remove other users\u0027 calendar URL subscriptions.",
  "id": "GHSA-35wf-3wq2-r3hx",
  "modified": "2023-03-13T19:15:56Z",
  "published": "2023-03-07T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36400"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=424806"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moodle has Incorrect Default Permissions"
}

GHSA-35XW-38XF-5F44

Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01
VLAI
Details

The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-29T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student",
  "id": "GHSA-35xw-38xf-5f44",
  "modified": "2022-09-02T00:01:15Z",
  "published": "2022-08-29T20:06:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2080"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1592596"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/5395d196-a39a-4a58-913e-5b5b9d6123a5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3677-P5Q3-VX7H

Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-13 18:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-39510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T09:16:25Z",
    "severity": "LOW"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through \u003c= 3.6.11.",
  "id": "GHSA-3677-p5q3-vx7h",
  "modified": "2026-04-13T18:30:38Z",
  "published": "2026-04-08T09:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39510"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36PF-7582-RQCR

Vulnerability from github – Published: 2026-07-16 12:32 – Updated: 2026-07-16 12:32
VLAI
Details

HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user's authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-16T12:17:35Z",
    "severity": "HIGH"
  },
  "details": "HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user\u0027s authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.",
  "id": "GHSA-36pf-7582-rqcr",
  "modified": "2026-07-16T12:32:29Z",
  "published": "2026-07-16T12:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35147"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131782"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36WC-4PRF-GP6G

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00
VLAI
Details

The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn\u0027t check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.",
  "id": "GHSA-36wc-4prf-gp6g",
  "modified": "2022-09-21T00:00:39Z",
  "published": "2022-09-17T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2913"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/5231ac18-ea9a-4bb9-af9f-e3d95a3b54f1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-375W-QXCP-H82P

Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2026-06-03 18:33
VLAI
Details

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data.This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-12T13:15:12Z",
    "severity": "HIGH"
  },
  "details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data.This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.",
  "id": "GHSA-375w-qxcp-h82p",
  "modified": "2026-06-03T18:33:05Z",
  "published": "2024-09-12T15:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3305"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1457"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-1457"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-377J-R7WX-8V2H

Vulnerability from github – Published: 2025-12-17 09:30 – Updated: 2025-12-17 09:30
VLAI
Details

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-17T07:15:57Z",
    "severity": "HIGH"
  },
  "details": "The Ninja Forms \u2013 The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.",
  "id": "GHSA-377j-r7wx-8v2h",
  "modified": "2025-12-17T09:30:26Z",
  "published": "2025-12-17T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11924"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3415563/ninja-forms"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4240cdae-9122-443e-8a7e-3369e74384be?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37F6-M354-672C

Vulnerability from github – Published: 2022-03-08 00:00 – Updated: 2022-03-17 00:02
VLAI
Details

The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-07T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.",
  "id": "GHSA-37f6-m354-672c",
  "modified": "2022-03-17T00:02:55Z",
  "published": "2022-03-08T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0442"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/9cf0822a-c9d6-4ebc-b905-95b143d1a692"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-384Q-GQ9C-W4G3

Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-06-03 00:00
VLAI
Details

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-20T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar \u003c= 4.9.0 at WordPress allows an attacker to edit or delete events.",
  "id": "GHSA-384q-gq9c-w4g3",
  "modified": "2022-06-03T00:00:58Z",
  "published": "2022-05-21T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29434"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-0-edit-delete-event-via-idor-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/spiffy-calendar/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-393C-P46R-7C95

Vulnerability from github – Published: 2026-04-04 06:06 – Updated: 2026-04-09 19:05
VLAI
Summary
Directus: Path Traversal and Broken Access Control in File Management API
Details

Summary

A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filename_disk parameter.

Details

The PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering.

Impact

  • Unauthorized File Overwrite: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.
  • Remote Code Execution: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.
  • Data Integrity Compromise: Files can be tampered with or replaced without visible indication in the application interface.

Mitigation

The filename_disk parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and filename_disk should be excluded from the fields users are permitted to update directly.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:06:39Z",
    "nvd_published_at": "2026-04-09T17:16:29Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the `filename_disk` parameter.\n\n## Details\n\nThe `PATCH /files/{id}` endpoint accepts a user-controlled `filename_disk` parameter. By setting this value to match the storage path of another user\u0027s file, an attacker can overwrite that file\u0027s content while manipulating metadata fields such as `uploaded_by` to obscure the tampering.\n\n## Impact\n\n- **Unauthorized File Overwrite**: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.\n- **Remote Code Execution**: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.\n- **Data Integrity Compromise**: Files can be tampered with or replaced without visible indication in the application interface.\n\n## Mitigation\n\nThe `filename_disk` parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and `filename_disk` should be excluded from the fields users are permitted to update directly.",
  "id": "GHSA-393c-p46r-7c95",
  "modified": "2026-04-09T19:05:27Z",
  "published": "2026-04-04T06:06:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39942"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v11.17.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus: Path Traversal and Broken Access Control in File Management API"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.