Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3238 vulnerabilities reference this CWE, most recent first.

GHSA-7RRH-2Q62-PPVC

Vulnerability from github – Published: 2024-06-04 06:30 – Updated: 2026-04-08 18:33
VLAI
Details

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-04T06:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.",
  "id": "GHSA-7rrh-2q62-ppvc",
  "modified": "2026-04-08T18:33:18Z",
  "published": "2024-06-04T06:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4274"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/essential-real-estate/trunk/public/partials/property/class-ere-property.php#L28"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3106467%40essential-real-estate\u0026new=3106467%40essential-real-estate\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3110238%40essential-real-estate\u0026new=3110238%40essential-real-estate\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc41eb7-5c9a-4a67-902d-9a855840668b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RXJ-PGV6-6F7V

Vulnerability from github – Published: 2023-08-31 06:30 – Updated: 2024-04-04 07:18
VLAI
Details

The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_delete_step_ajax_handler, badgeos_delete_award_step_ajax_handler, badgeos_delete_deduct_step_ajax_handler, and badgeos_delete_rank_req_step_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T06:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_delete_step_ajax_handler, badgeos_delete_award_step_ajax_handler, badgeos_delete_deduct_step_ajax_handler, and badgeos_delete_rank_req_step_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.",
  "id": "GHSA-7rxj-pgv6-6f7v",
  "modified": "2024-04-04T07:18:24Z",
  "published": "2023-08-31T06:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2173"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/award-steps-ui.php#L384"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/points/deduct-steps-ui.php#L441"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/ranks/rank-steps-ui.php#L375"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/badgeos/trunk/includes/steps-ui.php#L371"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebb9e37c-9e8b-429b-b4ef-cd875351852c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7V3W-V3WV-VHX2

Vulnerability from github – Published: 2024-05-16 06:30 – Updated: 2024-05-16 06:30
VLAI
Details

ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T06:15:12Z",
    "severity": "MODERATE"
  },
  "details": "ePO doesn\u0027t allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege.",
  "id": "GHSA-7v3w-v3wv-vhx2",
  "modified": "2024-05-16T06:30:51Z",
  "published": "2024-05-16T06:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4843"
    },
    {
      "type": "WEB",
      "url": "https://thrive.trellix.com/s/article/000013505"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7V52-P3W5-3M2M

Vulnerability from github – Published: 2026-01-12 21:30 – Updated: 2026-01-12 21:30
VLAI
Details

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-12T20:15:52Z",
    "severity": "HIGH"
  },
  "details": "Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users\u0027 order details via manipulation of the query parameter userId.",
  "id": "GHSA-7v52-p3w5-3m2m",
  "modified": "2026-01-12T21:30:34Z",
  "published": "2026-01-12T21:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36331"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Exrick/xmall/issues/100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7V6R-JGCW-V2J9

Vulnerability from github – Published: 2024-09-16 14:37 – Updated: 2024-09-17 15:31
VLAI
Details

An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-16T13:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.",
  "id": "GHSA-7v6r-jgcw-v2j9",
  "modified": "2024-09-17T15:31:23Z",
  "published": "2024-09-16T14:37:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WI1D-41/IDOR-in-MFASOFT-Secure-Authentication-Server"
    },
    {
      "type": "WEB",
      "url": "https://mfasoft.ru"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VFX-4246-JCFH

Vulnerability from github – Published: 2026-06-26 22:20 – Updated: 2026-06-26 22:20
VLAI
Summary
SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings
Details

Summary

Four authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.

Findings

1. Cross-User API Token Revocation (MEDIUM)

File: src/UserBundle/Twig/Components/ApiTokens.php, lines 50-55

The revoke() LiveAction accepts any ApiToken via #[LiveArg] without checking ownership. The apiTokens() method correctly filters by user (getApiTokensForUser($this->security->getUser())).

#[LiveAction]
public function revoke(#[LiveArg] ApiToken $token): void
{
    $this->apiTokenRepository->revoke($token); // No ownership check
}

2. Cross-User API Token History Disclosure (MEDIUM)

File: src/UserBundle/Twig/Components/ApiTokenHistory.php, lines 30-55

The writable $token LiveProp performs $this->apiTokenRepository->find($this->token) without user verification. Exposes IP addresses, request methods, paths, and user agents from other users' API token usage.

3. Cross-User Notification Transport Settings Disclosure (HIGH)

File: src/NotificationBundle/Twig/Components/NotificationIntegrations.php, lines 48-55

The integration() method performs $this->repository->find($this->setting) using a writable LiveProp without user check. The enabledIntegrations() method correctly filters: $this->repository->findBy(['user' => $this->getUser()]).

The TransportSetting entity stores notification credentials in a JSON settings column, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.

4. Cross-User Notification Transport Setting Takeover (HIGH)

File: src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php, lines 39-40, 84-101

The writable $setting LiveProp accepts any TransportSetting entity. The save() action overwrites the user field with the current user via $setting->setUser($user), effectively stealing the transport configuration and its stored credentials.

Root Cause

The application relies on Doctrine's CompanyFilter for tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don't verify ownership.

Suggested Fix

Add user ownership verification in each LiveAction/LiveProp before performing operations:

if ($token->getUser() !== $this->security->getUser()) {
    throw $this->createAccessDeniedException();
}
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "solidinvoice/solidinvoice"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T22:20:50Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nFour authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users\u0027 API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifying ownership, while the listing methods correctly filter by user.\n\n## Findings\n\n### 1. Cross-User API Token Revocation (MEDIUM)\n\n**File:** `src/UserBundle/Twig/Components/ApiTokens.php`, lines 50-55\n\nThe `revoke()` LiveAction accepts any `ApiToken` via `#[LiveArg]` without checking ownership. The `apiTokens()` method correctly filters by user (`getApiTokensForUser($this-\u003esecurity-\u003egetUser())`).\n\n```php\n#[LiveAction]\npublic function revoke(#[LiveArg] ApiToken $token): void\n{\n    $this-\u003eapiTokenRepository-\u003erevoke($token); // No ownership check\n}\n```\n\n### 2. Cross-User API Token History Disclosure (MEDIUM)\n\n**File:** `src/UserBundle/Twig/Components/ApiTokenHistory.php`, lines 30-55\n\nThe writable `$token` LiveProp performs `$this-\u003eapiTokenRepository-\u003efind($this-\u003etoken)` without user verification. Exposes IP addresses, request methods, paths, and user agents from other users\u0027 API token usage.\n\n### 3. Cross-User Notification Transport Settings Disclosure (HIGH)\n\n**File:** `src/NotificationBundle/Twig/Components/NotificationIntegrations.php`, lines 48-55\n\nThe `integration()` method performs `$this-\u003erepository-\u003efind($this-\u003esetting)` using a writable LiveProp without user check. The `enabledIntegrations()` method correctly filters: `$this-\u003erepository-\u003efindBy([\u0027user\u0027 =\u003e $this-\u003egetUser()])`.\n\nThe `TransportSetting` entity stores notification credentials in a JSON `settings` column, potentially exposing API keys for Slack, Discord, Telegram, or SMS services.\n\n### 4. Cross-User Notification Transport Setting Takeover (HIGH)\n\n**File:** `src/NotificationBundle/Twig/Components/NotificationTransportConfiguration.php`, lines 39-40, 84-101\n\nThe writable `$setting` LiveProp accepts any `TransportSetting` entity. The `save()` action overwrites the user field with the current user via `$setting-\u003esetUser($user)`, effectively stealing the transport configuration and its stored credentials.\n\n## Root Cause\n\nThe application relies on Doctrine\u0027s `CompanyFilter` for tenant isolation but has no user-level access controls within a company. LiveComponent actions that resolve entities from client-provided IDs don\u0027t verify ownership.\n\n## Suggested Fix\n\nAdd user ownership verification in each LiveAction/LiveProp before performing operations:\n```php\nif ($token-\u003egetUser() !== $this-\u003esecurity-\u003egetUser()) {\n    throw $this-\u003ecreateAccessDeniedException();\n}\n```",
  "id": "GHSA-7vfx-4246-jcfh",
  "modified": "2026-06-26T22:20:50Z",
  "published": "2026-06-26T22:20:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-7vfx-4246-jcfh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SolidInvoice/SolidInvoice"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings"
}

GHSA-7W4V-H7G8-XR5R

Vulnerability from github – Published: 2026-06-27 09:30 – Updated: 2026-06-27 09:30
VLAI
Details

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor's products — including unpublished draft and pending listings — exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability ('dokan_view_product_menu' / 'dokandar'), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-27T08:16:44Z",
    "severity": "MODERATE"
  },
  "details": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the \u0027id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to read any other vendor\u0027s products \u2014 including unpublished draft and pending listings \u2014 exposing product names, prices, SKUs, and descriptions belonging to other vendors. The permission callbacks for both the collection endpoint and the single-item endpoint only verify the generic vendor capability (\u0027dokan_view_product_menu\u0027 / \u0027dokandar\u0027), which every vendor holds, rather than confirming the requested author ID or product ownership matches the authenticated user.",
  "id": "GHSA-7w4v-h7g8-xr5r",
  "modified": "2026-06-27T09:30:37Z",
  "published": "2026-06-27T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11987"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L299"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L39"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Abstracts/DokanRESTController.php#L66"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L159"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L473"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/REST/ProductController.php#L495"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L299"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L39"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/Abstracts/DokanRESTController.php#L66"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L159"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L473"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.4/includes/REST/ProductController.php#L495"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3578095%40dokan-lite\u0026new=3578095%40dokan-lite\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1359945a-cf4e-4883-830b-53a3fcd40e56?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7W7V-V6F9-93RJ

Vulnerability from github – Published: 2025-11-28 09:30 – Updated: 2025-11-28 09:30
VLAI
Details

WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-28T08:15:52Z",
    "severity": "HIGH"
  },
  "details": "WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability.",
  "id": "GHSA-7w7v-v6f9-93rj",
  "modified": "2025-11-28T09:30:17Z",
  "published": "2025-11-28T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13768"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7W9G-7W46-W7H4

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-05T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.",
  "id": "GHSA-7w9g-7w46-w7h4",
  "modified": "2022-05-24T19:16:33Z",
  "published": "2022-05-24T19:16:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39889"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1294017"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39889.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/338062"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WMF-48GQ-64JC

Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2024-04-04 02:46
VLAI
Details

The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-14T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.",
  "id": "GHSA-7wmf-48gq-64jc",
  "modified": "2024-04-04T02:46:26Z",
  "published": "2022-05-24T17:06:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5194"
    },
    {
      "type": "WEB",
      "url": "https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements"
    },
    {
      "type": "WEB",
      "url": "https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.