Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-MRPF-HRPH-4GM4

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32
VLAI
Details

An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "An IDOR vulnerability exists in the \u0027Evaluations\u0027 function of the \u0027umgws datasets\u0027 section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users\u0027 prompts by manipulating the \u0027id\u0027 parameter in the request. The issue is fixed in version 1.4.3.",
  "id": "GHSA-mrpf-hrph-4gm4",
  "modified": "2024-10-29T15:32:05Z",
  "published": "2024-10-29T15:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7473"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRR6-VX89-9QJV

Vulnerability from github – Published: 2023-09-06 21:32 – Updated: 2024-04-04 07:32
VLAI
Details

SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-06T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system.",
  "id": "GHSA-mrr6-vx89-9qjv",
  "modified": "2024-04-04T07:32:17Z",
  "published": "2023-09-06T21:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10130"
    },
    {
      "type": "WEB",
      "url": "https://developer.searchblox.com/v9.2/changelog/version-91"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRWR-HHWH-WJWQ

Vulnerability from github – Published: 2024-11-18 15:33 – Updated: 2024-11-18 15:33
VLAI
Details

An IDOR (Insecure Direct Object Reference) vulnerability has been discovered in AbsysNet, affecting version 2.3.1. This vulnerability could allow a remote attacker to obtain the session of an unauthenticated user by brute-force attacking the session identifier on the "/cgi-bin/ocap/" endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T14:15:05Z",
    "severity": "HIGH"
  },
  "details": "An IDOR (Insecure Direct Object Reference) vulnerability has been discovered in AbsysNet, affecting version 2.3.1. This vulnerability could allow a remote attacker to obtain the session of an unauthenticated user by brute-force attacking the session identifier on the \"/cgi-bin/ocap/\" endpoint.",
  "id": "GHSA-mrwr-hhwh-wjwq",
  "modified": "2024-11-18T15:33:20Z",
  "published": "2024-11-18T15:33:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11318"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/idor-vulnerability-absysnet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MV7X-27PC-8C96

Vulnerability from github – Published: 2023-05-30 15:30 – Updated: 2023-11-02 17:22
VLAI
Summary
Go package pydio/cells vulnerable to authorization bypass
Details

A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Change Subscription Handler. The manipulation leads to authorization bypass. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-230210 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pydio/cells"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-31T18:26:17Z",
    "nvd_published_at": "2023-05-30T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Change Subscription Handler. The manipulation leads to authorization bypass. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. VDB-230210 is the identifier assigned to this vulnerability.",
  "id": "GHSA-mv7x-27pc-8c96",
  "modified": "2023-11-02T17:22:33Z",
  "published": "2023-05-30T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2978"
    },
    {
      "type": "WEB",
      "url": "https://popalltheshells.medium.com/multiple-cves-affecting-pydio-cells-4-2-0-321e7e4712be"
    },
    {
      "type": "WEB",
      "url": "https://pydio.com/en/community/releases/pydio-cells/pydio-cells-enterprise-421"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.230210"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.230210"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/pydio/cells"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Go package pydio/cells vulnerable to authorization bypass"
}

GHSA-MVF5-QJMW-6P5M

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-11T01:32:00Z",
    "severity": "MODERATE"
  },
  "details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.",
  "id": "GHSA-mvf5-qjmw-6p5m",
  "modified": "2022-05-13T01:43:40Z",
  "published": "2022-05-13T01:43:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15204"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
    },
    {
      "type": "WEB",
      "url": "https://kanboard.net/news/version-1.0.47"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/10/04/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVG7-8XH2-47RF

Vulnerability from github – Published: 2023-11-24 21:30 – Updated: 2025-11-03 21:30
VLAI
Details

OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-24T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.",
  "id": "GHSA-mvg7-8xh2-47rf",
  "modified": "2025-11-03T21:30:56Z",
  "published": "2023-11-24T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49298"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openzfs/zfs/issues/15526"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openzfs/zfs/pull/15571"
    },
    {
      "type": "WEB",
      "url": "https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/917224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=38405731"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=38770168"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files"
    },
    {
      "type": "WEB",
      "url": "https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVP9-JCP7-42X3

Vulnerability from github – Published: 2025-05-02 06:31 – Updated: 2025-05-02 06:31
VLAI
Details

The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T04:15:46Z",
    "severity": "MODERATE"
  },
  "details": "The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the \u0027homey_delete_user_account\u0027 action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user\u0027s accounts.",
  "id": "GHSA-mvp9-jcp7-42x3",
  "modified": "2025-05-02T06:31:24Z",
  "published": "2025-05-02T06:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1327"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/homey-booking-wordpress-theme/23338013"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38aa649c-e9d3-458b-b567-e2e751aaca00?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVXW-39VG-5JR5

Vulnerability from github – Published: 2026-03-19 09:30 – Updated: 2026-04-01 18:36
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 3.9.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-19T09:16:15Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 3.9.4.",
  "id": "GHSA-mvxw-39vg-5jr5",
  "modified": "2026-04-01T18:36:32Z",
  "published": "2026-03-19T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32223"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MW97-J6P7-XP5G

Vulnerability from github – Published: 2025-04-03 15:31 – Updated: 2025-04-21 21:30
VLAI
Details

An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-03T14:15:29Z",
    "severity": "HIGH"
  },
  "details": "An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.",
  "id": "GHSA-mw97-j6p7-xp5g",
  "modified": "2025-04-21T21:30:26Z",
  "published": "2025-04-03T15:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22931"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OS4ED/openSIS-Classic"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esusalla/vulnerability-research/tree/main/CVE-2025-22931"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MX7W-QX25-CC3C

Vulnerability from github – Published: 2024-04-07 18:30 – Updated: 2025-02-04 21:32
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-07T18:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.6.",
  "id": "GHSA-mx7w-qx25-cc3c",
  "modified": "2025-02-04T21:32:26Z",
  "published": "2024-04-07T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31291"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/profilegrid-user-profiles-groups-and-communities/wordpress-profilegrid-plugin-5-7-6-idor-on-friend-request-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.