Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3226 vulnerabilities reference this CWE, most recent first.

GHSA-62XP-4PCV-PW3J

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users' chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers to view and manipulate chat histories of other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:43Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users\u0027 chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers to view and manipulate chat histories of other users.",
  "id": "GHSA-62xp-4pcv-pw3j",
  "modified": "2025-03-20T12:32:48Z",
  "published": "2025-03-20T12:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8613"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/76258774-b011-4044-9c3d-c2609b1cbd29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63G3-9JQ3-MCCV

Vulnerability from github – Published: 2024-05-14 22:17 – Updated: 2024-05-14 22:17
VLAI
Summary
Grafana API IDOR
Details

Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes MEDIUM severity security fix for Grafana Teams API IDOR.

Release v.8.3.5, only containing security fixes:

Release v.7.5.15, only containing security fixes:

Teams API IDOR(CVE-2022-21713)

On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs.

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Impact

This vulnerability only impacts the following API endpoints:

  • /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
  • /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
  • /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

Affected versions with MEDIUM severity

All Grafana >=5.0.0-beta1 versions are affected by this vulnerability.

Solutions and mitigations

All installations after Grafana v5.0.0-beta1 should be upgraded as soon as possible.

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2022-01-18 05:000 Issue submitted by external researcher
  • 2022-01-21 17:45 Issue escalated and the vulnerability confirmed reproducible
  • 2022-01-24 13:37 CVE requested
  • 2022-01-24 14:40 Private release planned for 2022-01-25, and public release planned for 2022-02-01.
  • 2022-01-24 17:00 PR with fix opened
  • 2022-01-24 19:00 GitHub has issued CVE-2022-21713
  • 2022-01-25 12:00 Private release
  • 2022-02-01 12:00 During public release process, we realized that private 7.x release was incomplete. Abort public release, send second private release to customers using 7.x
  • 2022-02-08 13:00 Public release

Acknowledgements

We would like to thank Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter) for responsibly disclosing the vulnerability.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-beta1"
            },
            {
              "fixed": "7.5.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T22:17:22Z",
    "nvd_published_at": "2022-02-08T21:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes MEDIUM severity security fix for Grafana Teams API IDOR.\n\nRelease v.8.3.5, only containing security fixes:\n\n- [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/)\n\nRelease v.7.5.15, only containing security fixes:\n\n- [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/)\n\n## Teams API IDOR([CVE-2022-21713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21713))\n\nOn Jan. 18, an external security researcher, K\u00fcr\u015fad ALSAN from [NSPECT.IO](https://www.nspect.io) ([@nspectio](https://twitter.com/nspectio) on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs.\n\nWe believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).  \n\n### Impact\n\nThis vulnerability only impacts the following API endpoints:\n\n- `/teams/:teamId` - an authenticated attacker can view unintended data by querying for the specific team ID.\n- `/teams/:search` - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.\n- `/teams/:teamId/members` - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.\n\n### Affected versions with MEDIUM severity \nAll Grafana \u003e=5.0.0-beta1 versions are affected by this vulnerability.\n\n### Solutions and mitigations\n\nAll installations after Grafana v5.0.0-beta1 should be upgraded as soon as possible.\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.\n\n### Timeline and postmortem\n\nHere is a detailed timeline starting from when we originally learned of the issue. All times in UTC.\n\n- 2022-01-18 05:000 Issue submitted by external researcher\n- 2022-01-21 17:45 Issue escalated and the vulnerability confirmed reproducible\n- 2022-01-24 13:37 CVE requested\n- 2022-01-24 14:40 Private release planned for 2022-01-25, and public release planned for 2022-02-01.\n- 2022-01-24 17:00 PR with fix opened\n- 2022-01-24 19:00 GitHub has issued CVE-2022-21713 \n- 2022-01-25 12:00 Private release\n- 2022-02-01 12:00 During public release process, we realized that private 7.x release was incomplete. Abort public release, send second private release to customers using 7.x\n- 2022-02-08 13:00 Public release\n\n### Acknowledgements\nWe would like to thank K\u00fcr\u015fad ALSAN from [NSPECT.IO](https://www.nspect.io) ([@nspectio](https://twitter.com/nspectio) on Twitter) for responsibly disclosing the vulnerability.\n\n### Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs\u0027 open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n### Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).\n",
  "id": "GHSA-63g3-9jq3-mccv",
  "modified": "2024-05-14T22:17:23Z",
  "published": "2024-05-14T22:17:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/pull/45083"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220303-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grafana API IDOR"
}

GHSA-63M9-Q6CC-99P4

Vulnerability from github – Published: 2024-02-12 18:31 – Updated: 2024-10-04 18:31
VLAI
Details

The MapPress Maps for WordPress plugin before 2.88.16 does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-12T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The MapPress Maps for WordPress plugin before 2.88.16 does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.",
  "id": "GHSA-63m9-q6cc-99p4",
  "modified": "2024-10-04T18:31:08Z",
  "published": "2024-02-12T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0421"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/587acc47-1966-4baf-a380-6aa479a97c82"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63Q7-72W2-QVVV

Vulnerability from github – Published: 2024-02-09 15:31 – Updated: 2026-05-20 09:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse.This issue affects Hearing Tracking System: before for IOS 7.0, for Android Latest release 1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-09T13:15:41Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse.This issue affects Hearing Tracking System: before for IOS 7.0, for Android Latest release 1.0.",
  "id": "GHSA-63q7-72w2-qvvv",
  "modified": "2026-05-20T09:30:33Z",
  "published": "2024-02-09T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6724"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0099"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-0099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64Q9-48CG-F6VV

Vulnerability from github – Published: 2026-05-27 21:31 – Updated: 2026-05-27 21:31
VLAI
Details

GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T19:16:24Z",
    "severity": "HIGH"
  },
  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user\u0027s identity due to improper user identity resolution when triggering Duo AI workflow runners.",
  "id": "GHSA-64q9-48cg-f6vv",
  "modified": "2026-05-27T21:31:25Z",
  "published": "2026-05-27T21:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4868"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3619872"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/594809"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64VW-M4RV-F6RJ

Vulnerability from github – Published: 2026-05-27 12:31 – Updated: 2026-05-27 12:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through <= 2.14.16.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T11:16:20Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through \u003c= 2.14.16.",
  "id": "GHSA-64vw-m4rv-f6rj",
  "modified": "2026-05-27T12:31:22Z",
  "published": "2026-05-27T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42736"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/bp-better-messages/vulnerability/wordpress-bp-better-messages-plugin-2-14-16-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64WC-QRFG-GH7M

Vulnerability from github – Published: 2024-03-18 03:30 – Updated: 2024-03-18 03:30
VLAI
Details

A vulnerability, which was classified as critical, has been found in SourceCodester Employee Task Management System 1.0. Affected by this issue is some unknown functionality of the file /task-details.php. The manipulation of the argument task_id leads to authorization bypass. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257078 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T02:15:06Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability, which was classified as critical, has been found in SourceCodester Employee Task Management System 1.0. Affected by this issue is some unknown functionality of the file /task-details.php. The manipulation of the argument task_id leads to authorization bypass. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257078 is the identifier assigned to this vulnerability.",
  "id": "GHSA-64wc-qrfg-gh7m",
  "modified": "2024-03-18T03:30:32Z",
  "published": "2024-03-18T03:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2575"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/SOURCECODESTER%20Employee%20Task%20Management%20System/IDOR%20-%20task-details.php.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.257078"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.257078"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6547-8HRG-C55M

Vulnerability from github – Published: 2026-03-19 17:25 – Updated: 2026-03-25 18:48
VLAI
Summary
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
Details

Summary

The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control.

Details

The endpoint correctly restricts access to administrators only, but the password value submitted via the ProfilePassword request parameter is processed with intval() before being passed to User::setProfilePassword(). The relevant code is:

$obj->ProfilePassword = intval(@$_REQUEST['ProfilePassword']);
$obj->users_id = $users_id;
$obj->response = User::setProfilePassword($users_id, $obj->ProfilePassword);

The call to intval() on an alphanumeric string such as secretabc123 returns 0. This silently discards the intended password value and stores 0 as the channel password instead. Because the coercion is silent, the administrator receives no error or warning and has no indication that the password they set was not stored correctly. Any visitor to the channel who enters 0 as the password will be granted access, completely defeating the channel password protection feature.

This is not a case where a malicious admin deliberately sets a weak password. The vulnerability causes well-intentioned admins to unknowingly install a trivially guessable password on any channel for which they attempt to configure a non-numeric password.

PoC

curl -s -X POST "https://target.example.com/plugin/CustomizeUser/setPassword.json.php" \
  -b "PHPSESSID=<admin_session_cookie>" \
  -d "users_id=42&ProfilePassword=secretPassword123"
curl -s -X POST "https://target.example.com/channel_password_check_endpoint" \
  -d "users_id=42&password=0"
import requests

base_url = "https://target.example.com"
session = requests.Session()

session.post(f"{base_url}/login", data={"user": "admin", "pass": "adminpass"})

session.post(
    f"{base_url}/plugin/CustomizeUser/setPassword.json.php",
    data={"users_id": "42", "ProfilePassword": "mySuperSecretPassword"}
)

resp = session.post(
    f"{base_url}/plugin/CustomizeUser/setPassword.json.php",
    data={"users_id": "42", "ProfilePassword": "0"}
)

print(resp.text)

Impact

Any administrator who sets a channel password using a non-numeric string unknowingly reduces that password to 0. Any unauthenticated or unprivileged user who simply enters 0 as the channel password can access the content that was intended to be protected. This breaks the confidentiality guarantees of the channel password protection feature across all channels managed by administrators who use alphanumeric passwords. The impact is scoped to channel-level access control and does not enable account takeover or privilege escalation, but it renders the password protection feature entirely ineffective for the common case of non-numeric passwords.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:25:34Z",
    "nvd_published_at": "2026-03-23T14:16:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control.\n\n### Details\n\nThe endpoint correctly restricts access to administrators only, but the password value submitted via the ProfilePassword request parameter is processed with `intval()` before being passed to `User::setProfilePassword()`. The relevant code is:\n\n```php\n$obj-\u003eProfilePassword = intval(@$_REQUEST[\u0027ProfilePassword\u0027]);\n$obj-\u003eusers_id = $users_id;\n$obj-\u003eresponse = User::setProfilePassword($users_id, $obj-\u003eProfilePassword);\n```\n\nThe call to `intval()` on an alphanumeric string such as secretabc123 returns 0. This silently discards the intended password value and stores 0 as the channel password instead. Because the coercion is silent, the administrator receives no error or warning and has no indication that the password they set was not stored correctly. Any visitor to the channel who enters 0 as the password will be granted access, completely defeating the channel password protection feature.\n\nThis is not a case where a malicious admin deliberately sets a weak password. The vulnerability causes well-intentioned admins to unknowingly install a trivially guessable password on any channel for which they attempt to configure a non-numeric password.\n\n### PoC\n\n```bash\ncurl -s -X POST \"https://target.example.com/plugin/CustomizeUser/setPassword.json.php\" \\\n  -b \"PHPSESSID=\u003cadmin_session_cookie\u003e\" \\\n  -d \"users_id=42\u0026ProfilePassword=secretPassword123\"\n```\n\n```bash\ncurl -s -X POST \"https://target.example.com/channel_password_check_endpoint\" \\\n  -d \"users_id=42\u0026password=0\"\n```\n\n```python\nimport requests\n\nbase_url = \"https://target.example.com\"\nsession = requests.Session()\n\nsession.post(f\"{base_url}/login\", data={\"user\": \"admin\", \"pass\": \"adminpass\"})\n\nsession.post(\n    f\"{base_url}/plugin/CustomizeUser/setPassword.json.php\",\n    data={\"users_id\": \"42\", \"ProfilePassword\": \"mySuperSecretPassword\"}\n)\n\nresp = session.post(\n    f\"{base_url}/plugin/CustomizeUser/setPassword.json.php\",\n    data={\"users_id\": \"42\", \"ProfilePassword\": \"0\"}\n)\n\nprint(resp.text)\n```\n\n### Impact\n\nAny administrator who sets a channel password using a non-numeric string unknowingly reduces that password to 0. Any unauthenticated or unprivileged user who simply enters 0 as the channel password can access the content that was intended to be protected. This breaks the confidentiality guarantees of the channel password protection feature across all channels managed by administrators who use alphanumeric passwords. The impact is scoped to channel-level access control and does not enable account takeover or privilege escalation, but it renders the password protection feature entirely ineffective for the common case of non-numeric passwords.",
  "id": "GHSA-6547-8hrg-c55m",
  "modified": "2026-03-25T18:48:44Z",
  "published": "2026-03-19T17:25:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6547-8hrg-c55m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33297"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/7a6a94631a0a18c313894395e6eb6703cca4abd0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo: IDOR - Any Admin Can Set Another User\u0027s Channel Password via setPassword.json.php"
}

GHSA-656W-6F6C-M9R6

Vulnerability from github – Published: 2026-03-09 17:29 – Updated: 2026-03-10 18:44
VLAI
Summary
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Details

Summary

OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding.

Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project.

Details

The callback decodes unsigned base64 JSON from state and uses the embedded projectId directly:

  • https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112

It then writes the supplied installation_id into the target project with root privileges:

await ProjectService.updateOneById({
  id: new ObjectID(projectId),
  data: { gitHubAppInstallationId: installationId },
  props: { isRoot: true },
});

The userId in state is only checked for presence, not authenticity:

  • https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79

The install flow also generates state as plain base64 JSON, not a signed or session-bound token:

  • https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165

The follow-on endpoints are also vulnerable:

  • Repository listing: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258
  • Repository connect: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356
  • Middleware allows requests with no token to continue as Public: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211
  • Installation tokens are minted from any valid installation ID: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425

PoC

Minimal proof of unauthorized project tampering:

STATE=$(printf '%s' '{"projectId":"<victim-project-uuid>","userId":"x"}' | base64 | tr -d '\n')
curl -isk "https://<host>/api/github/auth/callback?installation_id=999999999&state=${STATE}"

Expected result:

  • Server returns a 302 redirect to /dashboard/<victim-project-uuid>/code-repository?installation_id=999999999
  • The target project's gitHubAppInstallationId is overwritten

Impact

  • Unauthorized modification of Project.gitHubAppInstallationId
  • Temporary GitHub integration breakage if a bogus installation ID is set
  • Cross-project binding of attacker-controlled GitHub App installations
  • Repository metadata disclosure for a supplied valid installation ID
  • Unauthorized creation of CodeRepository records in arbitrary projects
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oneuptime/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T17:29:47Z",
    "nvd_published_at": "2026-03-10T17:40:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nOneUptime\u0027s GitHub App callback trusts attacker-controlled `state` and `installation_id` values and updates `Project.gitHubAppInstallationId` with `isRoot: true` without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project\u0027s GitHub App installation binding.\n\nRelated GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create `CodeRepository` records in an arbitrary project.\n\n### Details\n\nThe callback decodes unsigned base64 JSON from `state` and uses the embedded `projectId` directly:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112\n\nIt then writes the supplied `installation_id` into the target project with root privileges:\n\n```ts\nawait ProjectService.updateOneById({\n  id: new ObjectID(projectId),\n  data: { gitHubAppInstallationId: installationId },\n  props: { isRoot: true },\n});\n```\n\nThe `userId` in `state` is only checked for presence, not authenticity:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79\n\nThe install flow also generates `state` as plain base64 JSON, not a signed or session-bound token:\n\n- https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165\n\nThe follow-on endpoints are also vulnerable:\n\n- Repository listing: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258\n- Repository connect: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356\n- Middleware allows requests with no token to continue as `Public`: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211\n- Installation tokens are minted from any valid installation ID: https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425\n\n### PoC\n\nMinimal proof of unauthorized project tampering:\n\n```bash\nSTATE=$(printf \u0027%s\u0027 \u0027{\"projectId\":\"\u003cvictim-project-uuid\u003e\",\"userId\":\"x\"}\u0027 | base64 | tr -d \u0027\\n\u0027)\ncurl -isk \"https://\u003chost\u003e/api/github/auth/callback?installation_id=999999999\u0026state=${STATE}\"\n```\n\nExpected result:\n\n- Server returns a `302` redirect to `/dashboard/\u003cvictim-project-uuid\u003e/code-repository?installation_id=999999999`\n- The target project\u0027s `gitHubAppInstallationId` is overwritten\n\n### Impact\n\n- Unauthorized modification of `Project.gitHubAppInstallationId`\n- Temporary GitHub integration breakage if a bogus installation ID is set\n- Cross-project binding of attacker-controlled GitHub App installations\n- Repository metadata disclosure for a supplied valid installation ID\n- Unauthorized creation of `CodeRepository` records in arbitrary projects",
  "id": "GHSA-656w-6f6c-m9r6",
  "modified": "2026-03-10T18:44:14Z",
  "published": "2026-03-09T17:29:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-656w-6f6c-m9r6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30920"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L127-L165"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L179-L258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L260-L356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L34-L112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/API/GitHubAPI.ts#L73-L79"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Middleware/UserAuthorization.ts#L205-L211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/blob/master/Common/Server/Utils/CodeRepository/GitHub/GitHub.ts#L347-L425"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding"
}

GHSA-6593-25JW-QMHP

Vulnerability from github – Published: 2023-04-16 09:30 – Updated: 2024-04-04 03:30
VLAI
Details

The Bluetooth module has a vulnerability of bypassing the user confirmation in the pairing process. Successful exploitation of this vulnerability may affect confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-16T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Bluetooth module has a vulnerability of bypassing the user confirmation in the pairing process. Successful exploitation of this vulnerability may affect confidentiality.",
  "id": "GHSA-6593-25jw-qmhp",
  "modified": "2024-04-04T03:30:09Z",
  "published": "2023-04-16T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48313"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/4"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202304-0000001506528486"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.