CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3216 vulnerabilities reference this CWE, most recent first.
GHSA-4WH7-QF8P-938F
Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-27 15:30A vulnerability was detected in Bdtask Pharmacy Management System up to 9.4. Affected is an unknown function of the file /user/edit_user/ of the component User Profile Handler. Performing manipulation results in authorization bypass. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-12288"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-27T15:15:37Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in Bdtask Pharmacy Management System up to 9.4. Affected is an unknown function of the file /user/edit_user/ of the component User Profile Handler. Performing manipulation results in authorization bypass. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-4wh7-qf8p-938f",
"modified": "2025-10-27T15:30:42Z",
"published": "2025-10-27T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12288"
},
{
"type": "WEB",
"url": "https://github.com/4m3rr0r/PoCVulDb/blob/main/CVE-2025-12288.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.329956"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.329956"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.674883"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4WJP-4MM4-3WRH
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2025-01-13 21:30A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2024-7658"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-99"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:49Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, has been found in projectsend up to r1605. This issue affects the function get_preview of the file process.php. The manipulation leads to improper control of resource identifiers. The attack may be initiated remotely. Upgrading to version r1720 is able to address this issue. The patch is named eb5a04774927e5855b9d0e5870a2aae5a3dc5a08. It is recommended to upgrade the affected component.",
"id": "GHSA-4wjp-4mm4-3wrh",
"modified": "2025-01-13T21:30:47Z",
"published": "2024-08-12T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7658"
},
{
"type": "WEB",
"url": "https://github.com/projectsend/projectsend/commit/eb5a04774927e5855b9d0e5870a2aae5a3dc5a08"
},
{
"type": "WEB",
"url": "https://github.com/projectsend/projectsend/releases/tag/r1720"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.274115"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.274115"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.385000"
},
{
"type": "WEB",
"url": "https://www.kiyell.com/private-files-from-projectsend-idor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4X6R-9V57-3GQW
Vulnerability from github – Published: 2026-05-29 22:45 – Updated: 2026-05-29 22:45Summary
Type: Insecure Direct Object Reference. The dependency endpoints (POST/GET /workspaces/{workspace_id}/issues/{issue_id}/dependencies and DELETE .../dependencies/{dep_id}) gate access on require_workspace_member(workspace_id) only, then dispatch to DependencyService calls that take URL/body-supplied issue and dependency IDs without verifying any of them belong to the membership-checked workspace. Most damaging: create_dependency accepts body.depends_on_issue_id from the request body — that ID is checked against nothing — letting an attacker create a "blocks" or "related" link between any two issues anywhere in the database.
File: src/praisonai-platform/praisonai_platform/api/routes/dependencies.py, lines 22-58; services/dependency_service.py, lines 26-65.
Root cause: the same Depends(require_workspace_member) default-min-role pattern as the companion IDORs, plus a service layer (DependencyService) where every method takes raw IDs and queries them directly. create(issue_id, depends_on_issue_id, ...) writes a row with no workspace verification on either ID. list_for_issue(issue_id) returns dependencies in either direction. delete(dep_id) is a primary-key delete with no workspace predicate.
Affected Code
File 1: src/praisonai-platform/praisonai_platform/api/routes/dependencies.py, lines 22-58.
@router.post("/", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)
async def create_dependency(
workspace_id: str,
issue_id: str,
body: DependencyCreate,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = DependencyService(session)
dep = await svc.create(issue_id, body.depends_on_issue_id, body.type) # <-- BUG: neither id is workspace-checked
return DependencyResponse.model_validate(dep)
@router.get("/", response_model=List[DependencyResponse])
async def list_dependencies(
workspace_id: str,
issue_id: str,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = DependencyService(session)
deps = await svc.list_for_issue(issue_id) # <-- BUG: returns dependencies for any issue
return [DependencyResponse.model_validate(d) for d in deps]
@router.delete("/{dep_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_dependency(
workspace_id: str,
issue_id: str,
dep_id: str,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
svc = DependencyService(session)
deleted = await svc.delete(dep_id) # <-- BUG: deletes any dependency by id
if not deleted:
raise HTTPException(status_code=404, detail="Dependency not found")
File 2: src/praisonai-platform/praisonai_platform/services/dependency_service.py, lines 26-65.
async def create(self, issue_id: str, depends_on_issue_id: str, dep_type: str = "blocks") -> IssueDependency:
if dep_type not in VALID_TYPES:
raise ValueError(...)
dep = IssueDependency(
issue_id=issue_id, # <-- accepts any
depends_on_issue_id=depends_on_issue_id, # <-- accepts any (from request body)
type=dep_type,
)
self._session.add(dep); await self._session.flush(); return dep
async def list_for_issue(self, issue_id: str) -> list[IssueDependency]:
stmt = select(IssueDependency).where(
(IssueDependency.issue_id == issue_id) | (IssueDependency.depends_on_issue_id == issue_id)
)
return list((await self._session.execute(stmt)).scalars().all())
async def delete(self, dep_id: str) -> bool:
dep = await self.get(dep_id) # session.get(IssueDependency, dep_id) — no workspace check
...
Why it's wrong: the request-body depends_on_issue_id is the worst part: an attacker can link any two issues across any two workspaces, polluting both workspaces' dependency graphs with attacker-chosen relationships ("blocks", "blocked_by", "related"). The triagers in the foreign workspace see their issue suddenly blocked by an unrelated foreign issue, breaking sprint planning and creating false correlation. The delete(dep_id) path lets an attacker remove legitimate cross-issue links between any two foreign workspaces, also disrupting their planning. The list_for_issue path leaks the dependency graph for any issue in the deployment.
Exploit Chain
- Attacker is a member of workspace
W_attackerand harvests two foreign-workspace issue UUIDsI1(inW_target1) andI2(inW_target2). They leak via the activity feed, comment threads, error messages, exported dumps, the agent prompt history, or any other channel that ever serialises an issue ID. State: attacker holds two foreign issue UUIDs. - Attacker sends
POST /workspaces/W_attacker/issues/I1/dependencieswithAuthorization: Bearer <attacker_jwt>and body{"depends_on_issue_id": "I2", "type": "blocks"}. State: control flow enterscreate_dependencywithissue_id=I1(foreign),depends_on_issue_id=I2(foreign). require_workspace_member(W_attacker, attacker)passes (attacker is a member ofW_attacker).DependencyService.create(I1, I2, "blocks")writes a new rowIssueDependency(issue_id=I1, depends_on_issue_id=I2, type="blocks"). State: there is now a cross-workspace dependency between two foreign issues, written by the attacker.- The triage UIs of
W_target1andW_target2now show that the foreign issue is blocked by an unrelated issue in another workspace. Workflow rules that key off "cannot close while blocked" will refuse to let the legitimate triagers closeI1. State: foreign workflow disrupted. - Attacker repeats with
GET /workspaces/W_attacker/issues/I1/dependenciesto read the dependency graph for any foreign issue (information disclosure, project relationship mapping), or withDELETE .../{dep_id}(after enumerating dep_ids via the list call) to strip legitimate dependencies between foreign issues, breaking blocked-by chains. - Final state: with one workspace-member token, the attacker reads, writes, and deletes dependencies on every issue in the multi-tenant deployment, polluting the dependency graphs of foreign workspaces.
Security Impact
Severity: sec-high. CVSS 7.6: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (cross-workspace dependency graph disclosure), high integrity (cross-workspace dependency injection and deletion), no availability claim (workflow disruption is integrity, not availability).
Attacker capability: read any issue's dependency graph; create arbitrary "blocks" / "blocked_by" / "related" links between any two issues across any two workspaces; delete any dependency by id. The most surprising primitive is the cross-workspace LINKING — the only one of the IDORs in this codebase where a single attacker request can affect TWO foreign workspaces at once.
Preconditions: praisonai-platform is deployed multi-tenant; attacker has any membership token; foreign issue UUIDs are reachable.
Differential: source-inspection-verified end-to-end. The asymmetry between this service (no workspace predicate anywhere) and MemberService.get(workspace_id, user_id) (correctly composite-keyed) confirms the gap. With the suggested fix below, the route would resolve both the URL issue_id and the body depends_on_issue_id against IssueService.get(workspace_id, ...) before allowing the dependency to be written.
Suggested Fix
Resolve every issue id (URL and body) against workspace_id at the route layer before dispatching. The route helper from the issue-IDOR companion advisory can be reused.
--- a/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py
@@ -22,11 +22,16 @@
@router.post("/", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)
async def create_dependency(
workspace_id: str,
issue_id: str,
body: DependencyCreate,
user: AuthIdentity = Depends(require_workspace_member),
session: AsyncSession = Depends(get_db),
):
+ issue_svc = IssueService(session)
+ if await issue_svc.get(workspace_id, issue_id) is None:
+ raise HTTPException(status_code=404, detail="Issue not found")
+ if await issue_svc.get(workspace_id, body.depends_on_issue_id) is None:
+ raise HTTPException(status_code=404, detail="depends_on_issue_id not found in this workspace")
svc = DependencyService(session)
dep = await svc.create(issue_id, body.depends_on_issue_id, body.type)
return DependencyResponse.model_validate(dep)
Apply the same issue_svc.get(workspace_id, issue_id) precondition to list_dependencies and delete_dependency (verifying both the issue and the dependency belong to workspace_id).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.2"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47406"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:45:48Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n**Type:** Insecure Direct Object Reference. The dependency endpoints (`POST/GET /workspaces/{workspace_id}/issues/{issue_id}/dependencies` and `DELETE .../dependencies/{dep_id}`) gate access on `require_workspace_member(workspace_id)` only, then dispatch to `DependencyService` calls that take URL/body-supplied issue and dependency IDs without verifying any of them belong to the membership-checked workspace. Most damaging: `create_dependency` accepts `body.depends_on_issue_id` from the request body \u2014 that ID is checked against nothing \u2014 letting an attacker create a \"blocks\" or \"related\" link between any two issues anywhere in the database.\n**File:** `src/praisonai-platform/praisonai_platform/api/routes/dependencies.py`, lines 22-58; `services/dependency_service.py`, lines 26-65.\n**Root cause:** the same `Depends(require_workspace_member)` default-min-role pattern as the companion IDORs, plus a service layer (`DependencyService`) where every method takes raw IDs and queries them directly. `create(issue_id, depends_on_issue_id, ...)` writes a row with no workspace verification on either ID. `list_for_issue(issue_id)` returns dependencies in either direction. `delete(dep_id)` is a primary-key delete with no workspace predicate.\n\n## Affected Code\n\n**File 1:** `src/praisonai-platform/praisonai_platform/api/routes/dependencies.py`, lines 22-58.\n\n```python\n@router.post(\"/\", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)\nasync def create_dependency(\n workspace_id: str,\n issue_id: str,\n body: DependencyCreate,\n user: AuthIdentity = Depends(require_workspace_member),\n session: AsyncSession = Depends(get_db),\n):\n svc = DependencyService(session)\n dep = await svc.create(issue_id, body.depends_on_issue_id, body.type) # \u003c-- BUG: neither id is workspace-checked\n return DependencyResponse.model_validate(dep)\n\n\n@router.get(\"/\", response_model=List[DependencyResponse])\nasync def list_dependencies(\n workspace_id: str,\n issue_id: str,\n user: AuthIdentity = Depends(require_workspace_member),\n session: AsyncSession = Depends(get_db),\n):\n svc = DependencyService(session)\n deps = await svc.list_for_issue(issue_id) # \u003c-- BUG: returns dependencies for any issue\n return [DependencyResponse.model_validate(d) for d in deps]\n\n\n@router.delete(\"/{dep_id}\", status_code=status.HTTP_204_NO_CONTENT)\nasync def delete_dependency(\n workspace_id: str,\n issue_id: str,\n dep_id: str,\n user: AuthIdentity = Depends(require_workspace_member),\n session: AsyncSession = Depends(get_db),\n):\n svc = DependencyService(session)\n deleted = await svc.delete(dep_id) # \u003c-- BUG: deletes any dependency by id\n if not deleted:\n raise HTTPException(status_code=404, detail=\"Dependency not found\")\n```\n\n**File 2:** `src/praisonai-platform/praisonai_platform/services/dependency_service.py`, lines 26-65.\n\n```python\nasync def create(self, issue_id: str, depends_on_issue_id: str, dep_type: str = \"blocks\") -\u003e IssueDependency:\n if dep_type not in VALID_TYPES:\n raise ValueError(...)\n dep = IssueDependency(\n issue_id=issue_id, # \u003c-- accepts any\n depends_on_issue_id=depends_on_issue_id, # \u003c-- accepts any (from request body)\n type=dep_type,\n )\n self._session.add(dep); await self._session.flush(); return dep\n\nasync def list_for_issue(self, issue_id: str) -\u003e list[IssueDependency]:\n stmt = select(IssueDependency).where(\n (IssueDependency.issue_id == issue_id) | (IssueDependency.depends_on_issue_id == issue_id)\n )\n return list((await self._session.execute(stmt)).scalars().all())\n\nasync def delete(self, dep_id: str) -\u003e bool:\n dep = await self.get(dep_id) # session.get(IssueDependency, dep_id) \u2014 no workspace check\n ...\n```\n\n**Why it\u0027s wrong:** the request-body `depends_on_issue_id` is the worst part: an attacker can link any two issues across any two workspaces, polluting both workspaces\u0027 dependency graphs with attacker-chosen relationships (\"blocks\", \"blocked_by\", \"related\"). The triagers in the foreign workspace see their issue suddenly blocked by an unrelated foreign issue, breaking sprint planning and creating false correlation. The `delete(dep_id)` path lets an attacker remove legitimate cross-issue links between any two foreign workspaces, also disrupting their planning. The `list_for_issue` path leaks the dependency graph for any issue in the deployment.\n\n## Exploit Chain\n\n1. Attacker is a member of workspace `W_attacker` and harvests two foreign-workspace issue UUIDs `I1` (in `W_target1`) and `I2` (in `W_target2`). They leak via the activity feed, comment threads, error messages, exported dumps, the agent prompt history, or any other channel that ever serialises an issue ID. State: attacker holds two foreign issue UUIDs.\n2. Attacker sends `POST /workspaces/W_attacker/issues/I1/dependencies` with `Authorization: Bearer \u003cattacker_jwt\u003e` and body `{\"depends_on_issue_id\": \"I2\", \"type\": \"blocks\"}`. State: control flow enters `create_dependency` with `issue_id=I1` (foreign), `depends_on_issue_id=I2` (foreign).\n3. `require_workspace_member(W_attacker, attacker)` passes (attacker is a member of `W_attacker`). `DependencyService.create(I1, I2, \"blocks\")` writes a new row `IssueDependency(issue_id=I1, depends_on_issue_id=I2, type=\"blocks\")`. State: there is now a cross-workspace dependency between two foreign issues, written by the attacker.\n4. The triage UIs of `W_target1` and `W_target2` now show that the foreign issue is blocked by an unrelated issue in another workspace. Workflow rules that key off \"cannot close while blocked\" will refuse to let the legitimate triagers close `I1`. State: foreign workflow disrupted.\n5. Attacker repeats with `GET /workspaces/W_attacker/issues/I1/dependencies` to read the dependency graph for any foreign issue (information disclosure, project relationship mapping), or with `DELETE .../{dep_id}` (after enumerating dep_ids via the list call) to strip legitimate dependencies between foreign issues, breaking blocked-by chains.\n6. Final state: with one workspace-member token, the attacker reads, writes, and deletes dependencies on every issue in the multi-tenant deployment, polluting the dependency graphs of foreign workspaces.\n\n## Security Impact\n\n**Severity:** sec-high. CVSS 7.6: network attack, low complexity, low privileges, no user interaction, scope unchanged, high confidentiality (cross-workspace dependency graph disclosure), high integrity (cross-workspace dependency injection and deletion), no availability claim (workflow disruption is integrity, not availability).\n**Attacker capability:** read any issue\u0027s dependency graph; create arbitrary \"blocks\" / \"blocked_by\" / \"related\" links between any two issues across any two workspaces; delete any dependency by id. The most surprising primitive is the cross-workspace LINKING \u2014 the only one of the IDORs in this codebase where a single attacker request can affect TWO foreign workspaces at once.\n**Preconditions:** `praisonai-platform` is deployed multi-tenant; attacker has any membership token; foreign issue UUIDs are reachable.\n**Differential:** source-inspection-verified end-to-end. The asymmetry between this service (no workspace predicate anywhere) and `MemberService.get(workspace_id, user_id)` (correctly composite-keyed) confirms the gap. With the suggested fix below, the route would resolve both the URL `issue_id` and the body `depends_on_issue_id` against `IssueService.get(workspace_id, ...)` before allowing the dependency to be written.\n\n## Suggested Fix\n\nResolve every issue id (URL and body) against `workspace_id` at the route layer before dispatching. The route helper from the issue-IDOR companion advisory can be reused.\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py\n+++ b/src/praisonai-platform/praisonai_platform/api/routes/dependencies.py\n@@ -22,11 +22,16 @@\n @router.post(\"/\", response_model=DependencyResponse, status_code=status.HTTP_201_CREATED)\n async def create_dependency(\n workspace_id: str,\n issue_id: str,\n body: DependencyCreate,\n user: AuthIdentity = Depends(require_workspace_member),\n session: AsyncSession = Depends(get_db),\n ):\n+ issue_svc = IssueService(session)\n+ if await issue_svc.get(workspace_id, issue_id) is None:\n+ raise HTTPException(status_code=404, detail=\"Issue not found\")\n+ if await issue_svc.get(workspace_id, body.depends_on_issue_id) is None:\n+ raise HTTPException(status_code=404, detail=\"depends_on_issue_id not found in this workspace\")\n svc = DependencyService(session)\n dep = await svc.create(issue_id, body.depends_on_issue_id, body.type)\n return DependencyResponse.model_validate(dep)\n```\n\nApply the same `issue_svc.get(workspace_id, issue_id)` precondition to `list_dependencies` and `delete_dependency` (verifying both the issue and the dependency belong to `workspace_id`).",
"id": "GHSA-4x6r-9v57-3gqw",
"modified": "2026-05-29T22:45:48Z",
"published": "2026-05-29T22:45:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4x6r-9v57-3gqw"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks"
}
GHSA-4X7J-P5GV-29XF
Vulnerability from github – Published: 2024-05-06 18:30 – Updated: 2026-04-28 21:35Authorization Bypass Through User-Controlled Key vulnerability in The SEO Guys at SEOPress SEOPress.This issue affects SEOPress: from n/a through 7.6.1.
{
"affected": [],
"aliases": [
"CVE-2024-34383"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-06T18:15:08Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in The SEO Guys at SEOPress SEOPress.This issue affects SEOPress: from n/a through 7.6.1.",
"id": "GHSA-4x7j-p5gv-29xf",
"modified": "2026-04-28T21:35:04Z",
"published": "2024-05-06T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34383"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-seopress/wordpress-seopress-plugin-7-6-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4X7Q-PRXG-7HXW
Vulnerability from github – Published: 2024-04-16 00:30 – Updated: 2024-04-16 00:30An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.
{
"affected": [],
"aliases": [
"CVE-2024-1626"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T00:15:09Z",
"severity": "CRITICAL"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project\u0027s ID in the PATCH request to the \u0027/v1/projects/:projectId\u0027 endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.",
"id": "GHSA-4x7q-prxg-7hxw",
"modified": "2024-04-16T00:30:33Z",
"published": "2024-04-16T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1626"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/9eb9e526edff8bf82ae032f7a04867c8d58572bc"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/ccc291db-ae9c-403c-b6b5-6fe3f4800933"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4X8M-CHWM-9H7P
Vulnerability from github – Published: 2025-03-06 18:31 – Updated: 2025-03-06 18:31ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access.
This issue is addressed in the listed patches and family release, which have been made available to hosted and self-hosted customers, as well as partners.
{
"affected": [],
"aliases": [
"CVE-2025-0337"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T17:15:22Z",
"severity": "HIGH"
},
"details": "ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access. \n\nThis issue is addressed in the listed patches and family release, which have been made available to hosted and self-hosted customers, as well as partners.",
"id": "GHSA-4x8m-chwm-9h7p",
"modified": "2025-03-06T18:31:11Z",
"published": "2025-03-06T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0337"
},
{
"type": "WEB",
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB1948695"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4XC7-X2JR-CR74
Vulnerability from github – Published: 2022-02-24 00:00 – Updated: 2022-03-03 22:06Dolibarr allows improper access control issues in the userphoto modulepart. The impact could lead to data exposure as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accounting and more.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dolibarr/dolibarr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0731"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-03T22:06:43Z",
"nvd_published_at": "2022-02-23T19:15:00Z",
"severity": "MODERATE"
},
"details": "Dolibarr allows improper access control issues in the userphoto modulepart. The impact could lead to data exposure as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accounting and more.",
"id": "GHSA-4xc7-x2jr-cr74",
"modified": "2022-03-03T22:06:43Z",
"published": "2022-02-24T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0731"
},
{
"type": "WEB",
"url": "https://github.com/dolibarr/dolibarr/commit/209ab708d4b65fbd88ba4340d60b7822cb72651a"
},
{
"type": "PACKAGE",
"url": "https://github.com/dolibarr/dolibarr"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/e242ab4e-fc70-4b2c-a42d-5b3ee4895de8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Authorization in dolibarr/dolibarr"
}
GHSA-4XQ4-24CH-XR3Q
Vulnerability from github – Published: 2025-12-16 09:31 – Updated: 2026-01-20 15:32Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Document Library Lite: from n/a through <= 1.1.7.
{
"affected": [],
"aliases": [
"CVE-2025-67985"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T09:16:00Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Document Library Lite: from n/a through \u003c= 1.1.7.",
"id": "GHSA-4xq4-24ch-xr3q",
"modified": "2026-01-20T15:32:16Z",
"published": "2025-12-16T09:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67985"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-52CJ-Q87R-F28W
Vulnerability from github – Published: 2025-05-06 03:30 – Updated: 2025-05-06 03:30The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.
{
"affected": [],
"aliases": [
"CVE-2025-3610"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-06T03:15:17Z",
"severity": "HIGH"
},
"details": "The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user\u0027s passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account.",
"id": "GHSA-52cj-q87r-f28w",
"modified": "2025-05-06T03:30:24Z",
"published": "2025-05-06T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3610"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/reales-wp-real-estate-wordpress-theme/10330568"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38c6b149-39d7-491a-9f3a-261087a52a03?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52Q4-3XJC-6778
Vulnerability from github – Published: 2026-03-29 15:48 – Updated: 2026-04-18 00:48Summary
Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Google Chat group authorization previously relied on mutable space display names, which allowed policy rebinding when names changed or collided. Commit 11ea1f67863d88b6cbcb229dd368a45e07094bff requires stable group IDs for access decisions.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit 11ea1f67863d88b6cbcb229dd368a45e07094bff.
Fix Commit(s)
11ea1f67863d88b6cbcb229dd368a45e07094bff
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35617"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-807",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:48:15Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\nGoogle Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGoogle Chat group authorization previously relied on mutable space display names, which allowed policy rebinding when names changed or collided. Commit `11ea1f67863d88b6cbcb229dd368a45e07094bff` requires stable group IDs for access decisions.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `11ea1f67863d88b6cbcb229dd368a45e07094bff`.\n\n## Fix Commit(s)\n\n- `11ea1f67863d88b6cbcb229dd368a45e07094bff`",
"id": "GHSA-52q4-3xjc-6778",
"modified": "2026-04-18T00:48:38Z",
"published": "2026-03-29T15:48:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35617"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.