Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-M8HX-3Q8C-M23R

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-18T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.",
  "id": "GHSA-m8hx-3q8c-m23r",
  "modified": "2022-05-24T17:34:27Z",
  "published": "2022-05-24T17:34:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26068"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-uathracc-jWNESUfM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M8PW-9FX4-MVPR

Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-21 15:30
VLAI
Details

Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticket_a4.php'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T08:15:35Z",
    "severity": "HIGH"
  },
  "details": "Insecure direct object reference (IDOR) vulnerability in Sergestec\u0027s Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the \u0027id\u0027 parameter in \u0027/admin/ticket_a4.php\u0027.",
  "id": "GHSA-m8pw-9fx4-mvpr",
  "modified": "2025-10-21T15:30:56Z",
  "published": "2025-10-16T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41020"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sergestec-products"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M98R-6667-4WQ7

Vulnerability from github – Published: 2026-05-07 01:49 – Updated: 2026-05-14 20:53
VLAI
Summary
Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
Details

Impact

Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user's thread_id (User B), can:

  • Execute graph runs against User B's thread via POST /threads/{thread_id}/runs, POST /threads/{thread_id}/runs/stream, or POST /threads/{thread_id}/runs/wait
  • Read User B's full checkpoint state via the resulting run's output field
  • Inject arbitrary messages into User B's conversation history (persisted in B's checkpoint)
  • Hide their activity from User B's GET /threads/{thread_id}/runs listing because the run carries A's user_id

The streaming variant is worse — the first SSE event: values frame returns the entire prior messages array immediately on connection, no graph execution needed.

Thread IDs are UUIDs but leak through frontend URLs, server logs, observability traces, and shared links. Guessing is not required.

Patches

Fixed in 0.9.7. The three affected endpoints now perform an SQL-level user_id == authenticated_user.identity check before calling _prepare_run. When the thread exists but is owned by another user, the response is 404 Thread not found (matching the read-side pattern) to avoid leaking thread existence.

Workarounds

If upgrade is not immediately possible, register an @auth.on("threads", "create_run") handler that explicitly verifies thread ownership against the authenticated identity before allowing the operation. Without a handler, no built-in authorization runs on these write paths.

Example mitigation handler:

from langgraph_sdk import Auth

auth = Auth()

@auth.on("threads", "create_run")
async def enforce_thread_owner(ctx: Auth.types.AuthContext, value: dict):
    # Look up the thread, raise 404 if not owned by ctx.user.identity.
    # Implementation depends on your data layer.
    ...

Root cause

Aegra's authorization model delegates per-resource policy to user-defined @auth.on handlers. When no handler is registered, handle_event(...) returns None and the request proceeds (default-allow). Read endpoints in api/threads.py add a defense-in-depth user_id filter at the SQL layer, but the run-creation endpoints in api/runs.py skipped that filter. Result: out-of-the-box deployments without custom auth handlers were vulnerable.

Affected endpoints

  • POST /threads/{thread_id}/runs
  • POST /threads/{thread_id}/runs/stream
  • POST /threads/{thread_id}/runs/wait

Stateless variants (POST /runs, POST /runs/wait, POST /runs/stream) are NOT affected — they generate a fresh thread_id server-side and never accept a caller-supplied one.

Credits

  • @JoJoTheBizarre — discovered and reported the vulnerability with a precise reproducer (#336)
  • @victorjmarin and @jawhardjebbi — wrote the fix and added test coverage at unit, integration, and manual-auth e2e levels (#337)

Resources

  • Issue: https://github.com/aegra/aegra/issues/336
  • Fix PR: https://github.com/aegra/aegra/pull/337
  • Release: https://github.com/aegra/aegra/releases/tag/v0.9.7
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aegra-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T01:49:51Z",
    "nvd_published_at": "2026-05-14T16:16:24Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\nAegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user\u0027s `thread_id` (User B), can:\n\n- Execute graph runs against User B\u0027s thread via `POST /threads/{thread_id}/runs`, `POST /threads/{thread_id}/runs/stream`, or `POST /threads/{thread_id}/runs/wait`\n- Read User B\u0027s full checkpoint state via the resulting run\u0027s `output` field\n- Inject arbitrary messages into User B\u0027s conversation history (persisted in B\u0027s checkpoint)\n- Hide their activity from User B\u0027s `GET /threads/{thread_id}/runs` listing because the run carries A\u0027s `user_id`\n\nThe streaming variant is worse \u2014 the first SSE `event: values` frame returns the entire prior `messages` array immediately on connection, no graph execution needed.\n\nThread IDs are UUIDs but leak through frontend URLs, server logs, observability traces, and shared links. Guessing is not required.\n\n## Patches\n\nFixed in **0.9.7**. The three affected endpoints now perform an SQL-level `user_id == authenticated_user.identity` check before calling `_prepare_run`. When the thread exists but is owned by another user, the response is `404 Thread not found` (matching the read-side pattern) to avoid leaking thread existence.\n\n## Workarounds\n\nIf upgrade is not immediately possible, register an `@auth.on(\"threads\", \"create_run\")` handler that explicitly verifies thread ownership against the authenticated identity before allowing the operation. Without a handler, no built-in authorization runs on these write paths.\n\nExample mitigation handler:\n\n```python\nfrom langgraph_sdk import Auth\n\nauth = Auth()\n\n@auth.on(\"threads\", \"create_run\")\nasync def enforce_thread_owner(ctx: Auth.types.AuthContext, value: dict):\n    # Look up the thread, raise 404 if not owned by ctx.user.identity.\n    # Implementation depends on your data layer.\n    ...\n```\n\n## Root cause\n\nAegra\u0027s authorization model delegates per-resource policy to user-defined `@auth.on` handlers. When no handler is registered, `handle_event(...)` returns `None` and the request proceeds (default-allow). Read endpoints in `api/threads.py` add a defense-in-depth `user_id` filter at the SQL layer, but the run-creation endpoints in `api/runs.py` skipped that filter. Result: out-of-the-box deployments without custom auth handlers were vulnerable.\n\n## Affected endpoints\n\n- `POST /threads/{thread_id}/runs`\n- `POST /threads/{thread_id}/runs/stream`\n- `POST /threads/{thread_id}/runs/wait`\n\nStateless variants (`POST /runs`, `POST /runs/wait`, `POST /runs/stream`) are NOT affected \u2014 they generate a fresh `thread_id` server-side and never accept a caller-supplied one.\n\n## Credits\n\n- @JoJoTheBizarre \u2014 discovered and reported the vulnerability with a precise reproducer (#336)\n- @victorjmarin and @jawhardjebbi \u2014 wrote the fix and added test coverage at unit, integration, and manual-auth e2e levels (#337)\n\n## Resources\n\n- Issue: https://github.com/aegra/aegra/issues/336\n- Fix PR: https://github.com/aegra/aegra/pull/337\n- Release: https://github.com/aegra/aegra/releases/tag/v0.9.7",
  "id": "GHSA-m98r-6667-4wq7",
  "modified": "2026-05-14T20:53:21Z",
  "published": "2026-05-07T01:49:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aegra/aegra/security/advisories/GHSA-m98r-6667-4wq7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aegra/aegra/issues/336"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aegra/aegra/pull/337"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aegra/aegra/commit/e1b2042254fd49072ca281bc35b3f2a3bed74b31"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aegra/aegra"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aegra/aegra/releases/tag/v0.9.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)"
}

GHSA-M9CH-6HH2-GC9W

Vulnerability from github – Published: 2023-03-27 18:30 – Updated: 2023-03-31 15:30
VLAI
Details

The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-27T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.",
  "id": "GHSA-m9ch-6hh2-gc9w",
  "modified": "2023-03-31T15:30:18Z",
  "published": "2023-03-27T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0816"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MC66-GQXJ-PWMG

Vulnerability from github – Published: 2023-10-16 21:30 – Updated: 2024-04-04 08:41
VLAI
Details

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vector

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-16T20:15:14Z",
    "severity": "MODERATE"
  },
  "details": "The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vector",
  "id": "GHSA-mc66-gqxj-pwmg",
  "modified": "2024-04-04T08:41:21Z",
  "published": "2023-10-16T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3706"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/daa4d93a-f8b1-4809-a18e-8ab63a05de5a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF7V-X7R6-FQ57

Vulnerability from github – Published: 2026-06-22 12:32 – Updated: 2026-06-22 12:32
VLAI
Details

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.

In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context.

The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T12:16:26Z",
    "severity": "CRITICAL"
  },
  "details": "Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.\n\nIn affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user\u2019s context.\n\nThe fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit()\u00a0primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub\u2019s patch for 7acf8220c\u00a0describes this central issue as CRUDComponent::edit()\u00a0copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save()\u00a0to update an arbitrary row unless the loaded ID is re-pinned.",
  "id": "GHSA-mf7v-x7r6-fq57",
  "modified": "2026-06-22T12:32:02Z",
  "published": "2026-06-22T12:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56422"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/c80a3533b3d787f45f5185a4621cc0f05b0cf2e5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/bc182d55dde5686a36ca2eb88fe6c2adabb9fad9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/ab9619dfa6cb5210fd20fb3b0b57006e4fc93916"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/9341690e9b6dde7f0605edea5533e05ba7362e35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/84bafe69f5d0ab7f811371c0801a613f271ebc0b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/8311427c2edd72a8341f0a65e1f11073d7ad9191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/63aebc27a878233b9475c742985aaef909bc755b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/634f1f87c295193486c08c2c7ba1fee8a7339baa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/58f637aaab4d133e72f1454ebb963191d96d3b78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/57433015815e59db5a1f11536f90920952cf3fcd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/2cc26f38f3e85c594957899f09043d5193146607"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/05aad418c57bb78e6b58a843d70d45de8f50db45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/025f711506850aadb69cde1b57e5e5d57628c87f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/00b2e3dae56fa24ea750eb525cc4709b7e5bee85"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MF87-R67V-2M82

Vulnerability from github – Published: 2025-11-25 21:32 – Updated: 2025-11-25 21:32
VLAI
Details

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-25T19:15:50Z",
    "severity": "MODERATE"
  },
  "details": "Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.",
  "id": "GHSA-mf87-r67v-2m82",
  "modified": "2025-11-25T21:32:06Z",
  "published": "2025-11-25T21:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64067"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md"
    },
    {
      "type": "WEB",
      "url": "https://www.primakon.com/rjesenja/primakon-pcm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF94-378Q-XVC3

Vulnerability from github – Published: 2024-02-06 03:32 – Updated: 2024-02-13 18:38
VLAI
Details

An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T01:15:07Z",
    "severity": "MODERATE"
  },
  "details": "An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.",
  "id": "GHSA-mf94-378q-xvc3",
  "modified": "2024-02-13T18:38:22Z",
  "published": "2024-02-06T03:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47022"
    },
    {
      "type": "WEB",
      "url": "https://docs.google.com/document/d/15s7NftTX2dxfcFnMqkFIyeN48xq3LceesWOhP-9xL4Y/edit?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF9G-Q8Q5-VFM5

Vulnerability from github – Published: 2023-01-17 21:30 – Updated: 2023-01-25 18:30
VLAI
Details

The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-17T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim\u0027s LISTSERV account.",
  "id": "GHSA-mf9g-q8q5-vfm5",
  "modified": "2023-01-25T18:30:50Z",
  "published": "2023-01-17T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40319"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/2301-exploits/listserv17-idor.txt"
    },
    {
      "type": "WEB",
      "url": "https://peach.ease.lsoft.com/scripts/wa-PEACH.exe?A0=LSTSRV-L"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFCP-5RPW-XXC5

Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32
VLAI
Details

Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T14:16:50Z",
    "severity": "MODERATE"
  },
  "details": "Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce \u003c= 3.0.15 versions.",
  "id": "GHSA-mfcp-5rpw-xxc5",
  "modified": "2026-06-25T15:32:01Z",
  "published": "2026-06-25T15:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56013"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/license-manager-for-woocommerce/vulnerability/wordpress-license-manager-for-woocommerce-plugin-3-0-15-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.