CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3214 vulnerabilities reference this CWE, most recent first.
GHSA-544V-V79M-JM2G
Vulnerability from github – Published: 2025-12-20 15:32 – Updated: 2025-12-20 15:32The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
{
"affected": [],
"aliases": [
"CVE-2025-7733"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-20T14:16:03Z",
"severity": "MODERATE"
},
"details": "The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the \u0027cs_update_application_status_callback\u0027 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.",
"id": "GHSA-544v-v79m-jm2g",
"modified": "2025-12-20T15:32:01Z",
"published": "2025-12-20T15:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7733"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/409bcd8c-6cd3-4022-a67f-57e901c83d66?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-54GP-QFF8-946C
Vulnerability from github – Published: 2021-08-30 16:14 – Updated: 2021-08-26 19:36Impact
Insecure direct object reference of log files of the Import/Export feature
Patches
We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/download/#shopware-6
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.3.0"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.3.0"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-37709"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-26T19:36:36Z",
"nvd_published_at": "2021-08-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nInsecure direct object reference of log files of the Import/Export feature\n\n### Patches\nWe recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659",
"id": "GHSA-54gp-qff8-946c",
"modified": "2021-08-26T19:36:36Z",
"published": "2021-08-30T16:14:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37709"
},
{
"type": "WEB",
"url": "https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insecure direct object reference of log files of the Import/Export feature"
}
GHSA-54M3-95J9-V89J
Vulnerability from github – Published: 2024-09-17 17:55 – Updated: 2024-11-18 16:27Impact
An authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID.
Patches
A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications.
Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 24.9.0 or higher.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sentry"
},
"ranges": [
{
"events": [
{
"introduced": "23.9.0"
},
{
"fixed": "24.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45605"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T17:55:29Z",
"nvd_published_at": "2024-09-17T20:15:05Z",
"severity": "HIGH"
},
"details": "### Impact\nAn authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID. \n\n### Patches\nA patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications.\n\nSentry SaaS users do not need to take any action. [Self-Hosted Sentry](https://github.com/getsentry/self-hosted) users should upgrade to version **24.9.0** or higher.\n\n### References\n- [Prevent muting user alerts](https://github.com/getsentry/sentry/pull/77093/)\n",
"id": "GHSA-54m3-95j9-v89j",
"modified": "2024-11-18T16:27:13Z",
"published": "2024-09-17T17:55:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-54m3-95j9-v89j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45605"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/pull/77093"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/commit/590258255bcb3a5fa4c56f21297b6c99131cfb9d"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/self-hosted"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sentry improperly authorizes deletion of user issue alert notifications"
}
GHSA-556H-CXM4-3558
Vulnerability from github – Published: 2025-11-25 09:31 – Updated: 2026-04-08 21:33The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.
{
"affected": [],
"aliases": [
"CVE-2025-13382"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-25T08:15:50Z",
"severity": "MODERATE"
},
"details": "The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the \u0027/wpfm/v1/file-rename\u0027 REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the \u0027fileid\u0027 parameter.",
"id": "GHSA-556h-cxm4-3558",
"modified": "2026-04-08T21:33:08Z",
"published": "2025-11-25T09:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13382"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L20"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L52"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/classes/class.rest.php#L20"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d5feb-2ae9-44b8-90b5-9fc67226855a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-55GC-6FMC-FPX9
Vulnerability from github – Published: 2026-05-06 21:59 – Updated: 2026-05-14 20:53Summary
A missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG.
This issue has been patched in v0.83.39. Hatchet Cloud has been patched and requires no action from users. Self-hosted users should upgrade.
Impact
Who is affected. Multi-tenant Hatchet instances reachable by an attacker who can obtain an account on that instance. On Hatchet Cloud, account creation is open by default. On self-hosted instances, the API must be reachable by the attacker and the hostname known; instances deployed inside a VPC or with signup restricted are not exposed to arbitrary external actors.
Prerequisites for exploitation. An attacker needed:
- An account on the target Hatchet instance.
- The victim tenant's UUID.
- At least one DAG UUID (
external_id) belonging to that tenant.
The two UUIDs are not treated as secrets — they appear in URLs, API responses, audit logs, invitation flows, shared run links, and dashboard screenshots — but an attacker does need to learn them through some out-of-band channel before exploitation is possible.
What could be disclosed. For each child task of a targeted DAG, the endpoint returned:
display_name,action_id,step_idworkflow_id,workflow_version_id,workflow_run_id,task_external_idtenant_id,retry_count,status, timestampsadditional_metadata(JSON)
The additional_metadata field is the most sensitive: Hatchet workflows commonly use it to carry domain context such as user identifiers, customer IDs, feature flags, or correlation tokens. Its contents vary by deployment.
What was not disclosed. The raw task input payload is not part of this endpoint's response shape and was not exposed through this issue. The scope is limited to task metadata, not task arguments or results.
Exploitation status. We have no evidence that this vulnerability was exploited prior to the patch.
Root cause
Hatchet's multi-tenant authorization relies on an OpenAPI-driven middleware pipeline. Each authenticated operation declares x-resources: ["tenant", ...] in its spec. The populator middleware reads the declared resources, looks up the corresponding entities from request parameters, and stores them on the request context. The authz middleware then verifies that the authenticated user is a member of the tenant found on the context.
The listTasksByDAGIds operation accepted a tenant UUID as a query parameter, but its OpenAPI definition did not declare x-resources: ["tenant"]. As a result:
- The populator, which early-returns when no resources are declared, did not populate the tenant onto the request context.
- The authz middleware, which runs its membership check only when a tenant is present on the context, silently passed the request through.
- The handler read the tenant UUID directly from the query parameter and used it as the filter in the downstream OLAP query.
The SQL query itself correctly filters by tenant_id, so it returned only rows matching the supplied UUID — but the UUID came from the caller rather than from an authorization-validated context, so the filter bounded the response to the attacker-named tenant rather than to a tenant the caller was authorized to read.
Every other authenticated operation in the same path file (tasks.yaml) correctly declared x-resources. This endpoint was the only authenticated operation in the file that did not.
Patch
The fix adds the missing resource authz checks inline on the handler, enforcing valid tenant membership before the handler runs.
Shipped in v0.83.39.
Remediation
Hatchet Cloud. No action required. The patch was deployed on April 23, 2026 within the same day it was reported.
Self-hosted — recommended. Upgrade to v0.83.39 or later.
Self-hosted — if you cannot upgrade immediately. Either of the following reduces exposure until you can upgrade:
- Restrict account creation by setting
SERVER_AUTH_RESTRICTED_EMAIL_DOMAINSto an allowlist of domains you control. This prevents arbitrary users from registering an account on your instance, which removes the most common path to the prerequisite account. - Ensure the Hatchet API is not exposed to untrusted networks. We generally recommend running Hatchet inside a VPC and fronting the API with authenticated network controls; deployments configured this way were not reachable by arbitrary external attackers.
Timeline
All times April 23, 2026.
- 14:05 — Reported to Hatchet.
- 16:28 — Patch deployed to Hatchet Cloud and released as v0.83.39.
- Public disclosure — this advisory.
Credit
Reported by @sajdakabir.
Hatchet thanks the reporter for responsibly disclosing this issue and for the clear, reproducible writeup.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.83.38"
},
"package": {
"ecosystem": "Go",
"name": "github.com/hatchet-dev/hatchet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.83.39"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42572"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T21:59:05Z",
"nvd_published_at": "2026-05-14T18:16:47Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA missing authorization directive on the `GET /api/v1/stable/dags/tasks` endpoint caused Hatchet\u0027s tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant\u0027s UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG.\n\nThis issue has been patched in **v0.83.39**. Hatchet Cloud has been patched and requires no action from users. Self-hosted users should upgrade.\n\n## Impact\n\n**Who is affected.** Multi-tenant Hatchet instances reachable by an attacker who can obtain an account on that instance. On Hatchet Cloud, account creation is open by default. On self-hosted instances, the API must be reachable by the attacker and the hostname known; instances deployed inside a VPC or with signup restricted are not exposed to arbitrary external actors.\n\n**Prerequisites for exploitation.** An attacker needed:\n\n1. An account on the target Hatchet instance.\n2. The victim tenant\u0027s UUID.\n3. At least one DAG UUID (`external_id`) belonging to that tenant.\n\nThe two UUIDs are not treated as secrets \u2014 they appear in URLs, API responses, audit logs, invitation flows, shared run links, and dashboard screenshots \u2014 but an attacker does need to learn them through some out-of-band channel before exploitation is possible.\n\n**What could be disclosed.** For each child task of a targeted DAG, the endpoint returned:\n\n- `display_name`, `action_id`, `step_id`\n- `workflow_id`, `workflow_version_id`, `workflow_run_id`, `task_external_id`\n- `tenant_id`, `retry_count`, `status`, timestamps\n- `additional_metadata` (JSON)\n\nThe `additional_metadata` field is the most sensitive: Hatchet workflows commonly use it to carry domain context such as user identifiers, customer IDs, feature flags, or correlation tokens. Its contents vary by deployment.\n\n**What was not disclosed.** The raw task `input` payload is not part of this endpoint\u0027s response shape and was not exposed through this issue. The scope is limited to task metadata, not task arguments or results.\n\n**Exploitation status.** We have no evidence that this vulnerability was exploited prior to the patch.\n\n## Root cause\n\nHatchet\u0027s multi-tenant authorization relies on an OpenAPI-driven middleware pipeline. Each authenticated operation declares `x-resources: [\"tenant\", ...]` in its spec. The `populator` middleware reads the declared resources, looks up the corresponding entities from request parameters, and stores them on the request context. The `authz` middleware then verifies that the authenticated user is a member of the tenant found on the context.\n\nThe `listTasksByDAGIds` operation accepted a `tenant` UUID as a query parameter, but its OpenAPI definition did not declare `x-resources: [\"tenant\"]`. As a result:\n\n1. The populator, which early-returns when no resources are declared, did not populate the tenant onto the request context.\n2. The authz middleware, which runs its membership check only when a tenant is present on the context, silently passed the request through.\n3. The handler read the tenant UUID directly from the query parameter and used it as the filter in the downstream OLAP query.\n\nThe SQL query itself correctly filters by `tenant_id`, so it returned only rows matching the supplied UUID \u2014 but the UUID came from the caller rather than from an authorization-validated context, so the filter bounded the response to the *attacker-named* tenant rather than to a tenant the caller was authorized to read.\n\nEvery other authenticated operation in the same path file (`tasks.yaml`) correctly declared `x-resources`. This endpoint was the only authenticated operation in the file that did not.\n\n## Patch\n\nThe fix adds the missing resource authz checks inline on the handler, enforcing valid tenant membership before the handler runs.\n\nShipped in **v0.83.39**.\n\n## Remediation\n\n**Hatchet Cloud.** No action required. The patch was deployed on April 23, 2026 within the same day it was reported.\n\n**Self-hosted \u2014 recommended.** Upgrade to **v0.83.39** or later.\n\n**Self-hosted \u2014 if you cannot upgrade immediately.** Either of the following reduces exposure until you can upgrade:\n\n- Restrict account creation by setting `SERVER_AUTH_RESTRICTED_EMAIL_DOMAINS` to an allowlist of domains you control. This prevents arbitrary users from registering an account on your instance, which removes the most common path to the prerequisite account.\n- Ensure the Hatchet API is not exposed to untrusted networks. We generally recommend running Hatchet inside a VPC and fronting the API with authenticated network controls; deployments configured this way were not reachable by arbitrary external attackers.\n\n## Timeline\n\nAll times April 23, 2026.\n\n- **14:05** \u2014 Reported to Hatchet.\n- **16:28** \u2014 Patch deployed to Hatchet Cloud and released as v0.83.39.\n- Public disclosure \u2014 this advisory.\n\n## Credit\n\nReported by @sajdakabir.\n\nHatchet thanks the reporter for responsibly disclosing this issue and for the clear, reproducible writeup.",
"id": "GHSA-55gc-6fmc-fpx9",
"modified": "2026-05-14T20:53:43Z",
"published": "2026-05-06T21:59:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hatchet-dev/hatchet/security/advisories/GHSA-55gc-6fmc-fpx9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42572"
},
{
"type": "PACKAGE",
"url": "https://github.com/hatchet-dev/hatchet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`"
}
GHSA-55R9-5MX9-QQ7R
Vulnerability from github – Published: 2024-07-09 21:04 – Updated: 2024-07-10 18:34Summary
Cache driver GetBlob() allows read access to any blob without access control check
Details
If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories and dedupe is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This allows an attacker to read an image that the accessControl policy denies.
This attack is possible because ImageStore.CheckBlob() calls checkCacheBlob() to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with copyBlob().
This cache behavior is intentionally used in RouteHandler.CreateBlobUpload() to implement cross repository blob mount (POST /v2/<name>/blobs/uploads/?mount=<digest>&from=<repository name>) in Zot. This is still missing an access control to check read access on the source repository.
This cache behavior is unexpectedly also used in RouteHandler.CheckBlob() too for HEAD /v2/<name>/blobs/<digest>. If a blob is requested that does not exist on the requested repository, Zot will search for it in a global cache (possibly returning a result from an from an incorrect repository) and then will store it into the ImageStore for the requested repository.
RouteHandler.GetBlob() does not call ImageStore.CheckBlob() so it is not directly vulnerable. However an attacker with only limited read access may first call CheckBlob() to fetch the blob from the cache, then call GetBlob() to read the blob.
Mitigation
The attack may be mitigated by configuring "dedupe": false in the "storage" settings. This disables Zot's cache drivers. dedupe is enabled by default using the BoltDB cache driver.
Impact
An attacker can read images that the accessControl policy denies if they have read access to any other second repository.
This attack only allows accessing blobs (both config and layers) by digest. Manifests cannot be accessed.
This attack requires the attacker to know the name of a private image and its layer digests. A scenario where this might happen is if a project has public CI build logs but publishes the image to a private repository. Many image build tools log layer digests.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "zotregistry.io/zot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "zotregistry.dev/zot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39897"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-09T21:04:00Z",
"nvd_published_at": "2024-07-09T19:15:12Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nCache driver `GetBlob()` allows read access to any blob without access control check\n\n### Details\n\nIf a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is enabled (it is enabled by default), then an attacker who knows the name of an image and the digest of a blob (that they do not have read access to), they may maliciously read it via a second repository they do have read access to. This allows an attacker to read an image that the `accessControl` policy denies.\n\nThis attack is possible because [`ImageStore.CheckBlob()` calls `checkCacheBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/storage/imagestore/imagestore.go#L1158-L1159) to find the blob a global cache by searching for the digest. If it is found, it is copied to the user requested repository with `copyBlob()`.\n\nThis cache behavior is intentionally used in [`RouteHandler.CreateBlobUpload()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L1194-L1197) to implement cross repository blob mount (`POST /v2/\u003cname\u003e/blobs/uploads/?mount=\u003cdigest\u003e\u0026from=\u003crepository name\u003e`) in Zot. This is still missing an access control to check read access on the source repository.\n\nThis cache behavior is unexpectedly also used in [`RouteHandler.CheckBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L886) too for `HEAD /v2/\u003cname\u003e/blobs/\u003cdigest\u003e`. If a blob is requested that does not exist on the requested repository, Zot will search for it in a global cache (possibly returning a result from an from an incorrect repository) and then will store it into the `ImageStore` for the requested repository.\n\n[`RouteHandler.GetBlob()`](https://github.com/project-zot/zot/blob/v2.1.0-rc2/pkg/api/routes.go#L1000) does _not_ call `ImageStore.CheckBlob()` so it is not directly vulnerable. However an attacker with only limited read access may first call `CheckBlob()` to fetch the blob from the cache, then call `GetBlob()` to read the blob.\n\n### Mitigation\n\nThe attack may be mitigated by configuring `\"dedupe\": false` in the `\"storage\"` settings. This disables Zot\u0027s cache drivers. `dedupe` is enabled by default using the BoltDB cache driver.\n\n### Impact\n\nAn attacker can read images that the `accessControl` policy denies if they have read access to any other second repository.\n\nThis attack only allows accessing blobs (both config and layers) by digest. Manifests cannot be accessed.\n\nThis attack requires the attacker to know the name of a private image and its layer digests. A scenario where this might happen is if a project has public CI build logs but publishes the image to a private repository. Many image build tools log layer digests.\n",
"id": "GHSA-55r9-5mx9-qq7r",
"modified": "2024-07-10T18:34:34Z",
"published": "2024-07-09T21:04:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/project-zot/zot/security/advisories/GHSA-55r9-5mx9-qq7r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39897"
},
{
"type": "WEB",
"url": "https://github.com/project-zot/zot/commit/aaee0220e46bdadd12115ac67c19f9d3153eb1df"
},
{
"type": "PACKAGE",
"url": "https://github.com/project-zot/zot"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Cache driver GetBlob() allows read access to any blob without access control check"
}
GHSA-55RF-8Q29-4G43
Vulnerability from github – Published: 2024-07-17 14:32 – Updated: 2026-03-09 15:54Impact
A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.19, 1.13.4 and above.
The /api/v2/shop/adjustments/{id} will always return 404 status.
Workarounds
Using YAML configuration:
Create config/api_platform/Adjustment.yaml file:
# config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%':
itemOperations:
shop_get:
controller: ApiPlatform\Core\Action\NotFoundAction
read: false
output: false
Or using XML configuration:
Note: This is the only way of disabling the vulnerable endpoint for Sylius 1.9, as YAML configuration is not supported in that version.
Copy the original configuration from vendor:
# create directory if it doesn't exist
mkdir -p config/api_platform
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
And change the shop_get operation in copied config/api_platform/Adjustment.xml file:
<!-- config/api_platform/Adjustment.xml -->
...
<itemOperation name="shop_get">
<attribute name="method">GET</attribute>
<attribute name="path">/shop/adjustments/{id}</attribute>
<attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
<attribute name="read">false</attribute>
<attribute name="output">false</attribute>
</itemOperation>
...
Update your API platform paths config if needed so the new configuration file is loaded:
# config/packages/api_platform.yaml
api_platform:
mapping:
paths:
- '%kernel.project_dir%/vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources'
...
- '%kernel.project_dir%/config/api_platform'
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at security@sylius.com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0-alpha.1"
},
{
"fixed": "1.12.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0-alpha.1"
},
{
"fixed": "1.13.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.15"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0-alpha.1"
},
{
"fixed": "1.10.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.16"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0-alpha.1"
},
{
"fixed": "1.11.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40633"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-17T14:32:18Z",
"nvd_published_at": "2024-07-17T18:15:04Z",
"severity": "HIGH"
},
"details": "### Impact\nA security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.\n\n### Patches\nThe issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.19, 1.13.4 and above.\nThe `/api/v2/shop/adjustments/{id}` will always return `404` status.\n\n### Workarounds\n\nUsing YAML configuration:\n\nCreate `config/api_platform/Adjustment.yaml` file:\n\n```yaml\n# config/api_platform/Adjustment.yaml\n\n\u0027%sylius.model.adjustment.class%\u0027:\n itemOperations:\n shop_get:\n controller: ApiPlatform\\Core\\Action\\NotFoundAction\n read: false\n output: false\n```\n\nOr using XML configuration:\n\n\u003e Note: This is the only way of disabling the vulnerable endpoint for Sylius 1.9, as YAML configuration is not supported in that version.\n\nCopy the original configuration from vendor:\n\n```bash\n# create directory if it doesn\u0027t exist\nmkdir -p config/api_platform\n\ncp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform\n```\n\nAnd change the `shop_get` operation in copied `config/api_platform/Adjustment.xml` file:\n\n```xml\n\u003c!-- config/api_platform/Adjustment.xml --\u003e\n\n...\n\u003citemOperation name=\"shop_get\"\u003e\n \u003cattribute name=\"method\"\u003eGET\u003c/attribute\u003e\n \u003cattribute name=\"path\"\u003e/shop/adjustments/{id}\u003c/attribute\u003e\n \u003cattribute name=\"controller\"\u003eApiPlatform\\Core\\Action\\NotFoundAction\u003c/attribute\u003e\n \u003cattribute name=\"read\"\u003efalse\u003c/attribute\u003e\n \u003cattribute name=\"output\"\u003efalse\u003c/attribute\u003e\n\u003c/itemOperation\u003e\n...\n```\n\nUpdate your API platform paths config if needed so the new configuration file is loaded:\n\n```yaml\n# config/packages/api_platform.yaml\napi_platform:\n mapping:\n paths:\n - \u0027%kernel.project_dir%/vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources\u0027\n ...\n - \u0027%kernel.project_dir%/config/api_platform\u0027\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
"id": "GHSA-55rf-8q29-4g43",
"modified": "2026-03-09T15:54:21Z",
"published": "2024-07-17T14:32:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40633"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/commit/d833b2871caa3b8d1f0a8207378bb778f0b90464"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sylius has a security vulnerability via adjustments API endpoint"
}
GHSA-55RX-5HX2-V6H7
Vulnerability from github – Published: 2025-11-21 09:30 – Updated: 2025-11-21 09:30The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user's order messages.
{
"affected": [],
"aliases": [
"CVE-2025-12881"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-21T08:15:54Z",
"severity": "MODERATE"
},
"details": "The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user\u0027s order messages.",
"id": "GHSA-55rx-5hx2-v6h7",
"modified": "2025-11-21T09:30:27Z",
"published": "2025-11-21T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12881"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3394215%40woo-refund-and-exchange-lite\u0026new=3394215%40woo-refund-and-exchange-lite\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-563F-R8FH-RRGC
Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2026-04-08 21:32The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
{
"affected": [],
"aliases": [
"CVE-2024-8485"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T03:15:05Z",
"severity": "CRITICAL"
},
"details": "The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the \u0027openid\u0027 user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user\u0027s accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user\u0027s account, including administrators.",
"id": "GHSA-563f-r8fh-rrgc",
"modified": "2026-04-08T21:32:53Z",
"published": "2024-09-25T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8485"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.6/includes/api/ram-rest-weixin-controller.php#L264"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5649-2VJ2-7475
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36Authorization Bypass Through User-Controlled Key vulnerability in Sayful Islam Upcoming Events Lists allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Upcoming Events Lists: from n/a through 1.4.0.
{
"affected": [],
"aliases": [
"CVE-2025-57994"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:16:00Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Sayful Islam Upcoming Events Lists allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Upcoming Events Lists: from n/a through 1.4.0.",
"id": "GHSA-5649-2vj2-7475",
"modified": "2026-04-01T18:36:12Z",
"published": "2025-09-22T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57994"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/upcoming-events-lists/vulnerability/wordpress-upcoming-events-lists-plugin-1-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.