CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3238 vulnerabilities reference this CWE, most recent first.
GHSA-7RRH-2Q62-PPVC
Vulnerability from github – Published: 2024-06-04 06:30 – Updated: 2026-04-08 18:33The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.
{
"affected": [],
"aliases": [
"CVE-2024-4274"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-04T06:15:11Z",
"severity": "MODERATE"
},
"details": "The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.",
"id": "GHSA-7rrh-2q62-ppvc",
"modified": "2026-04-08T18:33:18Z",
"published": "2024-06-04T06:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4274"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/essential-real-estate/trunk/public/partials/property/class-ere-property.php#L28"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3106467%40essential-real-estate\u0026new=3106467%40essential-real-estate\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3110238%40essential-real-estate\u0026new=3110238%40essential-real-estate\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc41eb7-5c9a-4a67-902d-9a855840668b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7RXJ-PGV6-6F7V
Vulnerability from github – Published: 2023-08-31 06:30 – Updated: 2024-04-04 07:18The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_delete_step_ajax_handler, badgeos_delete_award_step_ajax_handler, badgeos_delete_deduct_step_ajax_handler, and badgeos_delete_rank_req_step_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.
{
"affected": [],
"aliases": [
"CVE-2023-2173"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T06:15:08Z",
"severity": "MODERATE"
},
"details": "The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_delete_step_ajax_handler, badgeos_delete_award_step_ajax_handler, badgeos_delete_deduct_step_ajax_handler, and badgeos_delete_rank_req_step_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.",
"id": "GHSA-7rxj-pgv6-6f7v",
"modified": "2024-04-04T07:18:24Z",
"published": "2023-08-31T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2173"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/award-steps-ui.php#L384"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/deduct-steps-ui.php#L441"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/ranks/rank-steps-ui.php#L375"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/steps-ui.php#L371"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb9e37c-9e8b-429b-b4ef-cd875351852c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V3W-V3WV-VHX2
Vulnerability from github – Published: 2024-05-16 06:30 – Updated: 2024-05-16 06:30ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege.
{
"affected": [],
"aliases": [
"CVE-2024-4843"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T06:15:12Z",
"severity": "MODERATE"
},
"details": "ePO doesn\u0027t allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege.",
"id": "GHSA-7v3w-v3wv-vhx2",
"modified": "2024-05-16T06:30:51Z",
"published": "2024-05-16T06:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4843"
},
{
"type": "WEB",
"url": "https://thrive.trellix.com/s/article/000013505"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V52-P3W5-3M2M
Vulnerability from github – Published: 2026-01-12 21:30 – Updated: 2026-01-12 21:30Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.
{
"affected": [],
"aliases": [
"CVE-2023-36331"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-12T20:15:52Z",
"severity": "HIGH"
},
"details": "Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users\u0027 order details via manipulation of the query parameter userId.",
"id": "GHSA-7v52-p3w5-3m2m",
"modified": "2026-01-12T21:30:34Z",
"published": "2026-01-12T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36331"
},
{
"type": "WEB",
"url": "https://github.com/Exrick/xmall/issues/100"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V6R-JGCW-V2J9
Vulnerability from github – Published: 2024-09-16 14:37 – Updated: 2024-09-17 15:31An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.
{
"affected": [],
"aliases": [
"CVE-2024-46937"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-16T13:15:10Z",
"severity": "CRITICAL"
},
"details": "An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.",
"id": "GHSA-7v6r-jgcw-v2j9",
"modified": "2024-09-17T15:31:23Z",
"published": "2024-09-16T14:37:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46937"
},
{
"type": "WEB",
"url": "https://github.com/WI1D-41/IDOR-in-MFASOFT-Secure-Authentication-Server"
},
{
"type": "WEB",
"url": "https://mfasoft.ru"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7VFX-4246-JCFH
Vulnerability from github – Published: 2026-06-26 22:20 – Updated: 2026-06-26 22:20Summary
Four authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.
Findings
1. Cross-User API Token Revocation (MEDIUM)
File: src/UserBundle/Twig/Components/ApiTokens.php, lines 50-55
The revoke() LiveAction accepts any ApiToken via #[LiveArg] without checking ownership. The apiTokens() method correctly filters by user (getApiTokensForUser($this->security->getUser())).
#[LiveAction]
public function revoke(#[LiveArg] ApiToken $token): void
{
$this->apiTokenRepository->revoke($token); // No ownership check
}
2. Cross-User API Token History Disclosure (MEDIUM)
File: src/UserBundle/Twig/Components/ApiTokenHistory.php, lines 30-55
The writable $token LiveProp performs $this->apiTokenRepository->find($this->token) without user verification. Exposes IP addresses, request methods, paths, and user agents from other users' API token usage.
3. Cross-User Notification Transport Settings Disclosure (HIGH)
File: src/NotificationBundle/Twig/Components/NotificationIntegrations.php, lines 48-55
The integration() method performs $this->repository->find($this->setting) using a writable LiveProp without user check. The enabledIntegrations() method correctly filters: $this->repository->findBy(['user' => $this->getUser()]).
The TransportSetting entity stores notification credentials in a JSON settings column, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.
4. Cross-User Notification Transport Setting Takeover (HIGH)
File: src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php, lines 39-40, 84-101
The writable $setting LiveProp accepts any TransportSetting entity. The save() action overwrites the user field with the current user via $setting->setUser($user), effectively stealing the transport configuration and its stored credentials.
Root Cause
The application relies on Doctrine's CompanyFilter for tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don't verify ownership.
Suggested Fix
Add user ownership verification in each LiveAction/LiveProp before performing operations:
if ($token->getUser() !== $this->security->getUser()) {
throw $this->createAccessDeniedException();
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.15"
},
"package": {
"ecosystem": "Packagist",
"name": "solidinvoice/solidinvoice"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T22:20:50Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nFour authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users\u0027 API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.\n\n## Findings\n\n### 1. Cross-User API Token Revocation (MEDIUM)\n\n**File:** `src/UserBundle/Twig/Components/ApiTokens.php`, lines 50-55\n\nThe `revoke()` LiveAction accepts any `ApiToken` via `#[LiveArg]` without checking ownership. The `apiTokens()` method correctly filters by user (`getApiTokensForUser($this-\u003esecurity-\u003egetUser())`).\n\n```php\n#[LiveAction]\npublic function revoke(#[LiveArg] ApiToken $token): void\n{\n $this-\u003eapiTokenRepository-\u003erevoke($token); // No ownership check\n}\n```\n\n### 2. Cross-User API Token History Disclosure (MEDIUM)\n\n**File:** `src/UserBundle/Twig/Components/ApiTokenHistory.php`, lines 30-55\n\nThe writable `$token` LiveProp performs `$this-\u003eapiTokenRepository-\u003efind($this-\u003etoken)` without user verification. Exposes IP addresses, request methods, paths, and user agents from other users\u0027 API token usage.\n\n### 3. Cross-User Notification Transport Settings Disclosure (HIGH)\n\n**File:** `src/NotificationBundle/Twig/Components/NotificationIntegrations.php`, lines 48-55\n\nThe `integration()` method performs `$this-\u003erepository-\u003efind($this-\u003esetting)` using a writable LiveProp without user check. The `enabledIntegrations()` method correctly filters: `$this-\u003erepository-\u003efindBy([\u0027user\u0027 =\u003e $this-\u003egetUser()])`.\n\nThe `TransportSetting` entity stores notification credentials in a JSON `settings` column, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.\n\n### 4. Cross-User Notification Transport Setting Takeover (HIGH)\n\n**File:** `src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php`, lines 39-40, 84-101\n\nThe writable `$setting` LiveProp accepts any `TransportSetting` entity. The `save()` action overwrites the user field with the current user via `$setting-\u003esetUser($user)`, effectively stealing the transport configuration and its stored credentials.\n\n## Root Cause\n\nThe application relies on Doctrine\u0027s `CompanyFilter` for tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don\u0027t verify ownership.\n\n## Suggested Fix\n\nAdd user ownership verification in each LiveAction/LiveProp before performing operations:\n```php\nif ($token-\u003egetUser() !== $this-\u003esecurity-\u003egetUser()) {\n throw $this-\u003ecreateAccessDeniedException();\n}\n```",
"id": "GHSA-7vfx-4246-jcfh",
"modified": "2026-06-26T22:20:50Z",
"published": "2026-06-26T22:20:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-7vfx-4246-jcfh"
},
{
"type": "PACKAGE",
"url": "https://github.com/SolidInvoice/SolidInvoice"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings"
}
GHSA-7W4V-H7G8-XR5R
Vulnerability from github – Published: 2026-06-27 09:30 – Updated: 2026-06-27 09:30The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products — including unpublished draft and pending listings — exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.
{
"affected": [],
"aliases": [
"CVE-2026-11987"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-27T08:16:44Z",
"severity": "MODERATE"
},
"details": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the \u0027id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor\u0027s products \u2014 including unpublished draft and pending listings \u2014 exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability (\u0027dokan_view_product_menu\u0027 / \u0027dokandar\u0027), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.",
"id": "GHSA-7w4v-h7g8-xr5r",
"modified": "2026-06-27T09:30:37Z",
"published": "2026-06-27T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11987"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L299"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L39"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L66"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L159"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L473"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L495"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L299"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L39"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L66"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L159"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L473"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L495"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3578095%40dokan-lite\u0026new=3578095%40dokan-lite\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1359945a-cf4e-4883-830b-53a3fcd40e56?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7W7V-V6F9-93RJ
Vulnerability from github – Published: 2025-11-28 09:30 – Updated: 2025-11-28 09:30WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-13768"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-28T08:15:52Z",
"severity": "HIGH"
},
"details": "WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability.",
"id": "GHSA-7w7v-v6f9-93rj",
"modified": "2025-11-28T09:30:17Z",
"published": "2025-11-28T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13768"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7W9G-7W46-W7H4
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.
{
"affected": [],
"aliases": [
"CVE-2021-39889"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-05T14:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.",
"id": "GHSA-7w9g-7w46-w7h4",
"modified": "2022-05-24T19:16:33Z",
"published": "2022-05-24T19:16:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39889"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1294017"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39889.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/338062"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7WMF-48GQ-64JC
Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2024-04-04 02:46The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.
{
"affected": [],
"aliases": [
"CVE-2020-5194"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-14T14:15:00Z",
"severity": "MODERATE"
},
"details": "The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.",
"id": "GHSA-7wmf-48gq-64jc",
"modified": "2024-04-04T02:46:26Z",
"published": "2022-05-24T17:06:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5194"
},
{
"type": "WEB",
"url": "https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements"
},
{
"type": "WEB",
"url": "https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.