Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-MX8C-7RH4-QFJ2

Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 12:31
VLAI
Details

CWE-639 Authorization Bypass Through User-Controlled Key

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-06T11:15:28Z",
    "severity": "HIGH"
  },
  "details": "CWE-639 Authorization Bypass Through User-Controlled Key",
  "id": "GHSA-mx8c-7rh4-qfj2",
  "modified": "2025-08-06T12:31:20Z",
  "published": "2025-08-06T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46387"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXGW-57R7-Q28C

Vulnerability from github – Published: 2024-07-22 12:30 – Updated: 2024-07-22 12:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-22T11:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4.",
  "id": "GHSA-mxgw-57r7-q28c",
  "modified": "2024-07-22T12:30:37Z",
  "published": "2024-07-22T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38701"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/academy/wordpress-academy-lms-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXQ2-5JPG-7474

Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-22 15:30
VLAI
Details

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T14:17:51Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.7.x \u003c= 11.7.0, 11.6.x \u003c= 11.6.2, 11.5.x \u003c= 11.5.5, 10.11.x \u003c= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT request to the subscription edit endpoint.. Mattermost Advisory ID: MMSA-2026-00650",
  "id": "GHSA-mxq2-5jpg-7474",
  "modified": "2026-06-22T15:30:45Z",
  "published": "2026-06-22T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6062"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXQ5-F9C5-W4P5

Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-09 20:51
VLAI
Summary
Apache Airflow Vulnerable to Authorization Bypass Through User-Controlled Key
Details

A bug in Apache Airflow's bulk Task Instances API (PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances) evaluated authorization against the dag_id resolved from the URL path while operating on the dag_id / dag_run_id extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to apache-airflow 3.2.2 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T20:51:57Z",
    "nvd_published_at": "2026-06-01T09:16:18Z",
    "severity": "HIGH"
  },
  "details": "A bug in Apache Airflow\u0027s bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag\u0027s ID in the URL path and naming the target Dag\u0027s IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.",
  "id": "GHSA-mxq5-f9c5-w4p5",
  "modified": "2026-07-09T20:51:57Z",
  "published": "2026-06-01T09:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41084"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/64288"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-183.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/31/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow Vulnerable to Authorization Bypass Through User-Controlled Key"
}

GHSA-MXR4-JXX7-RXVW

Vulnerability from github – Published: 2024-11-09 03:30 – Updated: 2026-04-08 18:33
VLAI
Details

The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the 'user-meta-public-profile' shortcode is used insecurely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T03:15:05Z",
    "severity": "MODERATE"
  },
  "details": "The User Meta \u2013 User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to obtain user meta values from form fields. Please note that this requires a site administrator to create a form that displays potentially sensitive information like password hashes. This may also be exploited by unauthenticated users if the  \u0027user-meta-public-profile\u0027 shortcode is used insecurely.",
  "id": "GHSA-mxr4-jxx7-rxvw",
  "modified": "2026-04-08T18:33:39Z",
  "published": "2024-11-09T03:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9262"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/user-meta/trunk/models/classes/generate/PublicProfile.php#L28"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3221099%40user-meta\u0026new=3221099%40user-meta\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed81348-7604-4858-bc8e-b4504d77ee45?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXR8-QJ6J-F7GQ

Vulnerability from github – Published: 2024-04-26 03:30 – Updated: 2024-07-03 18:36
VLAI
Details

An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-26T01:15:46Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to.",
  "id": "GHSA-mxr8-qj6j-f7gq",
  "modified": "2024-07-03T18:36:53Z",
  "published": "2024-04-26T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33668"
    },
    {
      "type": "WEB",
      "url": "https://zammad.com/en/advisories/zaa-2024-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXRH-VWCX-VG7H

Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35
VLAI
Details

Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T11:16:28Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.7.x \u003c= 11.7.1, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user\u2019s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653",
  "id": "GHSA-mxrh-vwcx-vg7h",
  "modified": "2026-07-13T12:35:06Z",
  "published": "2026-07-13T12:35:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6541"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P26R-GFGC-C47H

Vulnerability from github – Published: 2024-10-14 18:30 – Updated: 2024-12-12 17:51
VLAI
Summary
KubeSphere IDOR vulnerability
Details

An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere v3.4.1 and v4.1.1 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubesphere/kubesphere"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubesphere/kubesphere"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-01T20:35:14Z",
    "nvd_published_at": "2024-10-14T18:15:03Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere v3.4.1 and v4.1.1 allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks.",
  "id": "GHSA-p26r-gfgc-c47h",
  "modified": "2024-12-12T17:51:25Z",
  "published": "2024-10-14T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubesphere/kubesphere/issues/6227"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubesphere/kubesphere"
    },
    {
      "type": "WEB",
      "url": "https://kubesphere.io"
    },
    {
      "type": "WEB",
      "url": "https://okankurtulus.com.tr/2024/09/09/idor-vulnerability-in-kubesphere"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3248"
    },
    {
      "type": "WEB",
      "url": "https://www.kubesphere.io/news/kubesphere-cve-2024-46528"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "KubeSphere IDOR vulnerability"
}

GHSA-P2V5-84J7-PC37

Vulnerability from github – Published: 2026-07-02 12:30 – Updated: 2026-07-02 12:30
VLAI
Details

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12657"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-02T10:16:27Z",
    "severity": "MODERATE"
  },
  "details": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the \u0027service_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.",
  "id": "GHSA-p2v5-84j7-pc37",
  "modified": "2026-07-02T12:30:59Z",
  "published": "2026-07-02T12:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12657"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L244"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L341"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1202"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1618"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1710"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L244"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L341"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1202"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1618"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1710"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584059%40latepoint\u0026new=3584059%40latepoint\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09588c2a-1631-4924-8277-d47f096493c5?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P2VX-QJ66-88Q3

Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2024-09-30 13:40
VLAI
Summary
Escalation of privileges in @sap/xssec
Details

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sap/xssec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-639",
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-20T17:57:49Z",
    "nvd_published_at": "2023-12-12T02:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Node.js] @sap/xssec - versions \u003c 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\n\n",
  "id": "GHSA-p2vx-qj66-88q3",
  "modified": "2024-09-30T13:40:50Z",
  "published": "2023-12-12T03:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49583"
    },
    {
      "type": "WEB",
      "url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3411067"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3412456"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3413475"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@sap/xssec"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Escalation of privileges in @sap/xssec"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.