CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3255 vulnerabilities reference this CWE, most recent first.
GHSA-M8HX-3Q8C-M23R
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.
{
"affected": [],
"aliases": [
"CVE-2020-26068"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this vulnerability by using the xAPI service to generate a specific token. A successful exploit could allow the attacker to use the generated token to enable experimental features on the device that should not be available to users.",
"id": "GHSA-m8hx-3q8c-m23r",
"modified": "2022-05-24T17:34:27Z",
"published": "2022-05-24T17:34:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26068"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-uathracc-jWNESUfM"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M8PW-9FX4-MVPR
Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-21 15:30Insecure direct object reference (IDOR) vulnerability in Sergestec's Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the 'id' parameter in '/admin/ticket_a4.php'.
{
"affected": [],
"aliases": [
"CVE-2025-41020"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T08:15:35Z",
"severity": "HIGH"
},
"details": "Insecure direct object reference (IDOR) vulnerability in Sergestec\u0027s Exito v8.0. This vulnerability allows an attacker to access data belonging to other customers through the \u0027id\u0027 parameter in \u0027/admin/ticket_a4.php\u0027.",
"id": "GHSA-m8pw-9fx4-mvpr",
"modified": "2025-10-21T15:30:56Z",
"published": "2025-10-16T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41020"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sergestec-products"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M98R-6667-4WQ7
Vulnerability from github – Published: 2026-05-07 01:49 – Updated: 2026-05-14 20:53Impact
Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user's thread_id (User B), can:
- Execute graph runs against User B's thread via
POST /threads/{thread_id}/runs,POST /threads/{thread_id}/runs/stream, orPOST /threads/{thread_id}/runs/wait - Read User B's full checkpoint state via the resulting run's
outputfield - Inject arbitrary messages into User B's conversation history (persisted in B's checkpoint)
- Hide their activity from User B's
GET /threads/{thread_id}/runslisting because the run carries A'suser_id
The streaming variant is worse — the first SSE event: values frame returns the entire prior messages array immediately on connection, no graph execution needed.
Thread IDs are UUIDs but leak through frontend URLs, server logs, observability traces, and shared links. Guessing is not required.
Patches
Fixed in 0.9.7. The three affected endpoints now perform an SQL-level user_id == authenticated_user.identity check before calling _prepare_run. When the thread exists but is owned by another user, the response is 404 Thread not found (matching the read-side pattern) to avoid leaking thread existence.
Workarounds
If upgrade is not immediately possible, register an @auth.on("threads", "create_run") handler that explicitly verifies thread ownership against the authenticated identity before allowing the operation. Without a handler, no built-in authorization runs on these write paths.
Example mitigation handler:
from langgraph_sdk import Auth
auth = Auth()
@auth.on("threads", "create_run")
async def enforce_thread_owner(ctx: Auth.types.AuthContext, value: dict):
# Look up the thread, raise 404 if not owned by ctx.user.identity.
# Implementation depends on your data layer.
...
Root cause
Aegra's authorization model delegates per-resource policy to user-defined @auth.on handlers. When no handler is registered, handle_event(...) returns None and the request proceeds (default-allow). Read endpoints in api/threads.py add a defense-in-depth user_id filter at the SQL layer, but the run-creation endpoints in api/runs.py skipped that filter. Result: out-of-the-box deployments without custom auth handlers were vulnerable.
Affected endpoints
POST /threads/{thread_id}/runsPOST /threads/{thread_id}/runs/streamPOST /threads/{thread_id}/runs/wait
Stateless variants (POST /runs, POST /runs/wait, POST /runs/stream) are NOT affected — they generate a fresh thread_id server-side and never accept a caller-supplied one.
Credits
- @JoJoTheBizarre — discovered and reported the vulnerability with a precise reproducer (#336)
- @victorjmarin and @jawhardjebbi — wrote the fix and added test coverage at unit, integration, and manual-auth e2e levels (#337)
Resources
- Issue: https://github.com/aegra/aegra/issues/336
- Fix PR: https://github.com/aegra/aegra/pull/337
- Release: https://github.com/aegra/aegra/releases/tag/v0.9.7
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aegra-api"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44504"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T01:49:51Z",
"nvd_published_at": "2026-05-14T16:16:24Z",
"severity": "HIGH"
},
"details": "## Impact\n\nAegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user\u0027s `thread_id` (User B), can:\n\n- Execute graph runs against User B\u0027s thread via `POST /threads/{thread_id}/runs`, `POST /threads/{thread_id}/runs/stream`, or `POST /threads/{thread_id}/runs/wait`\n- Read User B\u0027s full checkpoint state via the resulting run\u0027s `output` field\n- Inject arbitrary messages into User B\u0027s conversation history (persisted in B\u0027s checkpoint)\n- Hide their activity from User B\u0027s `GET /threads/{thread_id}/runs` listing because the run carries A\u0027s `user_id`\n\nThe streaming variant is worse \u2014 the first SSE `event: values` frame returns the entire prior `messages` array immediately on connection, no graph execution needed.\n\nThread IDs are UUIDs but leak through frontend URLs, server logs, observability traces, and shared links. Guessing is not required.\n\n## Patches\n\nFixed in **0.9.7**. The three affected endpoints now perform an SQL-level `user_id == authenticated_user.identity` check before calling `_prepare_run`. When the thread exists but is owned by another user, the response is `404 Thread not found` (matching the read-side pattern) to avoid leaking thread existence.\n\n## Workarounds\n\nIf upgrade is not immediately possible, register an `@auth.on(\"threads\", \"create_run\")` handler that explicitly verifies thread ownership against the authenticated identity before allowing the operation. Without a handler, no built-in authorization runs on these write paths.\n\nExample mitigation handler:\n\n```python\nfrom langgraph_sdk import Auth\n\nauth = Auth()\n\n@auth.on(\"threads\", \"create_run\")\nasync def enforce_thread_owner(ctx: Auth.types.AuthContext, value: dict):\n # Look up the thread, raise 404 if not owned by ctx.user.identity.\n # Implementation depends on your data layer.\n ...\n```\n\n## Root cause\n\nAegra\u0027s authorization model delegates per-resource policy to user-defined `@auth.on` handlers. When no handler is registered, `handle_event(...)` returns `None` and the request proceeds (default-allow). Read endpoints in `api/threads.py` add a defense-in-depth `user_id` filter at the SQL layer, but the run-creation endpoints in `api/runs.py` skipped that filter. Result: out-of-the-box deployments without custom auth handlers were vulnerable.\n\n## Affected endpoints\n\n- `POST /threads/{thread_id}/runs`\n- `POST /threads/{thread_id}/runs/stream`\n- `POST /threads/{thread_id}/runs/wait`\n\nStateless variants (`POST /runs`, `POST /runs/wait`, `POST /runs/stream`) are NOT affected \u2014 they generate a fresh `thread_id` server-side and never accept a caller-supplied one.\n\n## Credits\n\n- @JoJoTheBizarre \u2014 discovered and reported the vulnerability with a precise reproducer (#336)\n- @victorjmarin and @jawhardjebbi \u2014 wrote the fix and added test coverage at unit, integration, and manual-auth e2e levels (#337)\n\n## Resources\n\n- Issue: https://github.com/aegra/aegra/issues/336\n- Fix PR: https://github.com/aegra/aegra/pull/337\n- Release: https://github.com/aegra/aegra/releases/tag/v0.9.7",
"id": "GHSA-m98r-6667-4wq7",
"modified": "2026-05-14T20:53:21Z",
"published": "2026-05-07T01:49:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aegra/aegra/security/advisories/GHSA-m98r-6667-4wq7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44504"
},
{
"type": "WEB",
"url": "https://github.com/aegra/aegra/issues/336"
},
{
"type": "WEB",
"url": "https://github.com/aegra/aegra/pull/337"
},
{
"type": "WEB",
"url": "https://github.com/aegra/aegra/commit/e1b2042254fd49072ca281bc35b3f2a3bed74b31"
},
{
"type": "PACKAGE",
"url": "https://github.com/aegra/aegra"
},
{
"type": "WEB",
"url": "https://github.com/aegra/aegra/releases/tag/v0.9.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)"
}
GHSA-M9CH-6HH2-GC9W
Vulnerability from github – Published: 2023-03-27 18:30 – Updated: 2023-03-31 15:30The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.
{
"affected": [],
"aliases": [
"CVE-2023-0816"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-27T16:15:00Z",
"severity": "MODERATE"
},
"details": "The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.",
"id": "GHSA-m9ch-6hh2-gc9w",
"modified": "2023-03-31T15:30:18Z",
"published": "2023-03-27T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0816"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/a281f63f-e295-4666-8a08-01b23cd5a744"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MC66-GQXJ-PWMG
Vulnerability from github – Published: 2023-10-16 21:30 – Updated: 2024-04-04 08:41The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vector
{
"affected": [],
"aliases": [
"CVE-2023-3706"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-16T20:15:14Z",
"severity": "MODERATE"
},
"details": "The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vector",
"id": "GHSA-mc66-gqxj-pwmg",
"modified": "2024-04-04T08:41:21Z",
"published": "2023-10-16T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3706"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/daa4d93a-f8b1-4809-a18e-8ab63a05de5a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MF7V-X7R6-FQ57
Vulnerability from github – Published: 2026-06-22 12:32 – Updated: 2026-06-22 12:32Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.
In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context.
The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.
{
"affected": [],
"aliases": [
"CVE-2026-56422"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T12:16:26Z",
"severity": "CRITICAL"
},
"details": "Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.\n\nIn affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user\u2019s context.\n\nThe fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit()\u00a0primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub\u2019s patch for 7acf8220c\u00a0describes this central issue as CRUDComponent::edit()\u00a0copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save()\u00a0to update an arbitrary row unless the loaded ID is re-pinned.",
"id": "GHSA-mf7v-x7r6-fq57",
"modified": "2026-06-22T12:32:02Z",
"published": "2026-06-22T12:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56422"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/c80a3533b3d787f45f5185a4621cc0f05b0cf2e5"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/bc182d55dde5686a36ca2eb88fe6c2adabb9fad9"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/ab9619dfa6cb5210fd20fb3b0b57006e4fc93916"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/9341690e9b6dde7f0605edea5533e05ba7362e35"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/84bafe69f5d0ab7f811371c0801a613f271ebc0b"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/8311427c2edd72a8341f0a65e1f11073d7ad9191"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/63aebc27a878233b9475c742985aaef909bc755b"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/634f1f87c295193486c08c2c7ba1fee8a7339baa"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/58f637aaab4d133e72f1454ebb963191d96d3b78"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/57433015815e59db5a1f11536f90920952cf3fcd"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/2cc26f38f3e85c594957899f09043d5193146607"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/05aad418c57bb78e6b58a843d70d45de8f50db45"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/025f711506850aadb69cde1b57e5e5d57628c87f"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/00b2e3dae56fa24ea750eb525cc4709b7e5bee85"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MF87-R67V-2M82
Vulnerability from github – Published: 2025-11-25 21:32 – Updated: 2025-11-25 21:32Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.
{
"affected": [],
"aliases": [
"CVE-2025-64067"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-25T19:15:50Z",
"severity": "MODERATE"
},
"details": "Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.",
"id": "GHSA-mf87-r67v-2m82",
"modified": "2025-11-25T21:32:06Z",
"published": "2025-11-25T21:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64067"
},
{
"type": "WEB",
"url": "https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md"
},
{
"type": "WEB",
"url": "https://www.primakon.com/rjesenja/primakon-pcm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MF94-378Q-XVC3
Vulnerability from github – Published: 2024-02-06 03:32 – Updated: 2024-02-13 18:38An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.
{
"affected": [],
"aliases": [
"CVE-2023-47022"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T01:15:07Z",
"severity": "MODERATE"
},
"details": "An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the payload parameter.",
"id": "GHSA-mf94-378q-xvc3",
"modified": "2024-02-13T18:38:22Z",
"published": "2024-02-06T03:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47022"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/15s7NftTX2dxfcFnMqkFIyeN48xq3LceesWOhP-9xL4Y/edit?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MF9G-Q8Q5-VFM5
Vulnerability from github – Published: 2023-01-17 21:30 – Updated: 2023-01-25 18:30The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.
{
"affected": [],
"aliases": [
"CVE-2022-40319"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-17T21:15:00Z",
"severity": "HIGH"
},
"details": "The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim\u0027s LISTSERV account.",
"id": "GHSA-mf9g-q8q5-vfm5",
"modified": "2023-01-25T18:30:50Z",
"published": "2023-01-17T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40319"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/2301-exploits/listserv17-idor.txt"
},
{
"type": "WEB",
"url": "https://peach.ease.lsoft.com/scripts/wa-PEACH.exe?A0=LSTSRV-L"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MFCP-5RPW-XXC5
Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.
{
"affected": [],
"aliases": [
"CVE-2026-56013"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T14:16:50Z",
"severity": "MODERATE"
},
"details": "Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce \u003c= 3.0.15 versions.",
"id": "GHSA-mfcp-5rpw-xxc5",
"modified": "2026-06-25T15:32:01Z",
"published": "2026-06-25T15:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56013"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/license-manager-for-woocommerce/vulnerability/wordpress-license-manager-for-woocommerce-plugin-3-0-15-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.