Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3214 vulnerabilities reference this CWE, most recent first.

GHSA-5PWX-2RRR-XCVM

Vulnerability from github – Published: 2024-01-11 09:30 – Updated: 2026-04-08 21:32
VLAI
Details

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-11T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The WP 2FA \u2013 Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.",
  "id": "GHSA-5pwx-2rrr-xcvm",
  "modified": "2026-04-08T21:32:09Z",
  "published": "2024-01-11T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6506"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-2fa/trunk/includes/classes/Admin/class-setup-wizard.php?rev=2940688#L606"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3009922%40wp-2fa\u0026new=3009922%40wp-2fa\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5Q4Q-834J-G8G4

Vulnerability from github – Published: 2026-06-30 16:44 – Updated: 2026-06-30 16:44
VLAI
Summary
Paymenter has URL parameter injection that bypasses paid plan limits at checkout
Details

Summary

The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.

Technical Details

The Checkout Livewire component (app/Livewire/Products/Checkout.php) exposes the $checkoutConfig property to URL query parameters via the #[Url] attribute (aliased as config).

When processing this input: 1. Validation rules are dynamically generated only for keys explicitly defined by an extension's getCheckoutConfig() method. Any undefined keys injected into the query parameter bypass validation entirely. 2. The cart component (app/Livewire/Cart.php) stores all keys from checkout_config directly into the database without sanitation:

   foreach ($item->checkout_config as $key => $value) {
       $service->properties()->updateOrCreate(['key' => $key], ['value' => $value]);
   }
  1. During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension's createServer() method.

Because of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.

Impact

This is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.

Depending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "paymenter/paymenter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T16:44:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.\n\n### Technical Details\nThe `Checkout` Livewire component (`app/Livewire/Products/Checkout.php`) exposes the `$checkoutConfig` property to URL query parameters via the `#[Url]` attribute (aliased as `config`). \n\nWhen processing this input:\n1. Validation rules are dynamically generated *only* for keys explicitly defined by an extension\u0027s `getCheckoutConfig()` method. Any undefined keys injected into the query parameter bypass validation entirely.\n2. The cart component (`app/Livewire/Cart.php`) stores all keys from `checkout_config` directly into the database without sanitation:\n```php\n   foreach ($item-\u003echeckout_config as $key =\u003e $value) {\n       $service-\u003eproperties()-\u003eupdateOrCreate([\u0027key\u0027 =\u003e $key], [\u0027value\u0027 =\u003e $value]);\n   }\n```\n3. During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension\u0027s createServer() method.\n\nBecause of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.\n\n### Impact\nThis is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.\n\nDepending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.",
  "id": "GHSA-5q4q-834j-g8g4",
  "modified": "2026-06-30T16:44:31Z",
  "published": "2026-06-30T16:44:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5q4q-834j-g8g4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Paymenter/Paymenter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Paymenter has URL parameter injection that bypasses paid plan limits at checkout"
}

GHSA-5Q68-9MM8-Q9VM

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-05 00:00
VLAI
Details

The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1600"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-01T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor\u0027s IP from certain HTTP headers over PHP\u0027s REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.",
  "id": "GHSA-5q68-9mm8-q9vm",
  "modified": "2022-08-05T00:00:26Z",
  "published": "2022-08-02T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1600"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/2b7445fd-0992-47cd-9a48-f5f18d8171f7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QPV-3MXM-5V8R

Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-26 15:32
VLAI
Details

Subscriber Insecure Direct Object References (IDOR) in Majestic Support <= 1.1.7 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T15:16:52Z",
    "severity": "MODERATE"
  },
  "details": "Subscriber Insecure Direct Object References (IDOR) in Majestic Support \u003c= 1.1.7 versions.",
  "id": "GHSA-5qpv-3mxm-5v8r",
  "modified": "2026-06-26T15:32:18Z",
  "published": "2026-06-26T15:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57646"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/majestic-support/vulnerability/wordpress-majestic-support-plugin-1-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QV2-JC6Q-28VV

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-11T01:32:00Z",
    "severity": "MODERATE"
  },
  "details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.",
  "id": "GHSA-5qv2-jc6q-28vv",
  "modified": "2022-05-13T01:43:39Z",
  "published": "2022-05-13T01:43:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
    },
    {
      "type": "WEB",
      "url": "https://kanboard.net/news/version-1.0.47"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/10/04/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R42-GRWV-4WQJ

Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:36
VLAI
Details

An issue discovered in SeedDMS 6.0.15 allows an attacker to escalate privileges via the userid and role parameters in the out.UsrMgr.php file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T01:15:38Z",
    "severity": "HIGH"
  },
  "details": "An issue discovered in SeedDMS 6.0.15 allows an attacker to escalate privileges via the userid and role parameters in the out.UsrMgr.php file.",
  "id": "GHSA-5r42-grwv-4wqj",
  "modified": "2024-04-04T04:36:44Z",
  "published": "2023-06-07T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33223"
    },
    {
      "type": "WEB",
      "url": "https://sunil-singh.notion.site/SeedDMS-6-0-15-Insecure-Direct-Object-Reference-IDOR-ff504354656b47b2b0cee0b7a82ad08c"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/SeedDMS-6-0-15-Incorrect-Access-Control-ff504354656b47b2b0cee0b7a82ad08c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R94-PF8R-75V2

Vulnerability from github – Published: 2025-11-19 06:31 – Updated: 2025-11-19 06:31
VLAI
Details

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-19T04:16:04Z",
    "severity": "MODERATE"
  },
  "details": "The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user\u0027s wishlist token ID, and subsequently rename the victim\u0027s wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.",
  "id": "GHSA-5r94-pf8r-75v2",
  "modified": "2025-11-19T06:31:10Z",
  "published": "2025-11-19T06:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12427"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L265"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L38"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L97"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394933%40yith-woocommerce-wishlist%2Ftrunk\u0026old=3379519%40yith-woocommerce-wishlist%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file0"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RFQ-95QV-RXWP

Vulnerability from github – Published: 2024-01-02 21:30 – Updated: 2024-01-08 21:30
VLAI
Details

An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-02T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.",
  "id": "GHSA-5rfq-95qv-rxwp",
  "modified": "2024-01-08T21:30:32Z",
  "published": "2024-01-02T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45893"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Oracle-Security/CVEs/blob/main/FloorsightSoftware/CVE-2023-45893.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RJG-2J76-X2R5

Vulnerability from github – Published: 2026-05-02 06:30 – Updated: 2026-05-02 06:30
VLAI
Details

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the upload_avatar() function, which accepts an attacker-controlled user_id parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target user_id in the request body to the /wp-json/app-builder/v1/upload-avatar endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-02T04:16:23Z",
    "severity": "MODERATE"
  },
  "details": "The App Builder \u2013 Create Native Android \u0026 iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference  in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.",
  "id": "GHSA-5rjg-2j76-x2r5",
  "modified": "2026-05-02T06:30:23Z",
  "published": "2026-05-02T06:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7638"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RPX-89MQ-44F9

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to read information that should only be accessible by a different user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-29T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to read information that should only be accessible by a different user.",
  "id": "GHSA-5rpx-89mq-44f9",
  "modified": "2022-05-13T01:23:07Z",
  "published": "2022-05-13T01:23:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9921"
    },
    {
      "type": "WEB",
      "url": "https://extensions.joomla.org/extension/je-messenger"
    },
    {
      "type": "WEB",
      "url": "https://github.com/azd-cert/CVE/blob/master/CVEs/CVE-2019-9921.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.