CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3254 vulnerabilities reference this CWE, most recent first.
GHSA-PWRF-Q7H8-JJR7
Vulnerability from github – Published: 2019-11-08 20:06 – Updated: 2021-05-10 17:22In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16403"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2019-09-25T12:47:46Z",
"nvd_published_at": "2019-09-18T12:15:00Z",
"severity": "MODERATE"
},
"details": "In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.",
"id": "GHSA-pwrf-q7h8-jjr7",
"modified": "2021-05-10T17:22:09Z",
"published": "2019-11-08T20:06:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16403"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/issues/749"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass Through User-Controlled Key in Bagisto"
}
GHSA-PWW3-X2G7-X8Q2
Vulnerability from github – Published: 2024-04-12 00:30 – Updated: 2024-04-12 21:26An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "reportico-web/reportico"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48865"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-12T21:26:13Z",
"nvd_published_at": "2024-04-11T22:15:13Z",
"severity": "MODERATE"
},
"details": "An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.",
"id": "GHSA-pww3-x2g7-x8q2",
"modified": "2024-04-12T21:26:13Z",
"published": "2024-04-12T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48865"
},
{
"type": "WEB",
"url": "https://github.com/reportico-web/reportico/issues/51"
},
{
"type": "WEB",
"url": "https://gist.github.com/aashiqahamedn/39383cfbc639cbdc3e1a7d74b977aeae"
},
{
"type": "PACKAGE",
"url": "https://github.com/reportico-web/reportico"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Reportico affected by Incorrect Access Control"
}
GHSA-PWW7-G5G9-2865
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.
{
"affected": [],
"aliases": [
"CVE-2025-58012"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:16:02Z",
"severity": "LOW"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.",
"id": "GHSA-pww7-g5g9-2865",
"modified": "2026-04-01T18:36:13Z",
"published": "2025-09-22T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58012"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/content-mask/vulnerability/wordpress-content-mask-plugin-1-8-5-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PX32-V334-CGRW
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.
{
"affected": [],
"aliases": [
"CVE-2026-5396"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:24Z",
"severity": "HIGH"
},
"details": "The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.",
"id": "GHSA-px32-v334-cgrw",
"modified": "2026-05-14T06:31:33Z",
"published": "2026-05-14T06:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5396"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/fluentform/tags/6.1.21/app/Http/Policies/SubmissionPolicy.php\u0026new_path=/fluentform/tags/6.2.0/app/Http/Policies/SubmissionPolicy.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81aad41e-0330-4dff-a5f8-08a108d724f5?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX6J-WC84-GWHF
Vulnerability from github – Published: 2025-11-26 21:31 – Updated: 2025-11-28 21:31Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
{
"affected": [],
"aliases": [
"CVE-2025-65672"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-26T19:15:47Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.",
"id": "GHSA-px6j-wc84-gwhf",
"modified": "2025-11-28T21:31:18Z",
"published": "2025-11-26T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65672"
},
{
"type": "WEB",
"url": "https://github.com/Rivek619/CVE-2025-65672"
},
{
"type": "WEB",
"url": "https://github.com/classroomio/classroomio"
},
{
"type": "WEB",
"url": "http://classroomio.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PXRF-6XC9-MC6J
Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2024-03-21 03:33An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.
{
"affected": [],
"aliases": [
"CVE-2020-9384"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.",
"id": "GHSA-pxrf-6xc9-mc6j",
"modified": "2024-03-21T03:33:54Z",
"published": "2022-05-24T17:14:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9384"
},
{
"type": "WEB",
"url": "https://www.subex.com/partner-settlement"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/157197/Subex-ROC-Partner-Settlement-10.5-Insecure-Direct-Object-Reference.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q25C-R482-77P9
Vulnerability from github – Published: 2024-09-17 15:31 – Updated: 2025-03-19 14:58An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "10.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47047"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T21:29:11Z",
"nvd_published_at": "2024-09-17T14:15:17Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.",
"id": "GHSA-q25c-r482-77p9",
"modified": "2025-03-19T14:58:20Z",
"published": "2024-09-17T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47047"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/095a17637b6370aefd5390663cc11af47210f575"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/682194d71a5f67fa39d899a9625ba69bb62f9bd8"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/91015da289111b86b8dbcb2553d5a722b944231e"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/bbadb8d7a71ddb469d07d106551938c91465b811"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-47047.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/in2code-de/powermail"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "powermail TYPO3 extension has Insecure Direct Object Reference"
}
GHSA-Q267-QX6F-JXQX
Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31An unauthenticated attacker can obtain EV charger energy consumption information of other users.
{
"affected": [],
"aliases": [
"CVE-2025-31950"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T22:15:27Z",
"severity": "MODERATE"
},
"details": "An unauthenticated attacker can obtain EV charger energy consumption information of other users.",
"id": "GHSA-q267-qx6f-jxqx",
"modified": "2025-04-16T00:31:38Z",
"published": "2025-04-16T00:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31950"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q287-HPW8-Q93X
Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2025-02-13 21:31Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.
{
"affected": [],
"aliases": [
"CVE-2023-0967"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-05T20:15:00Z",
"severity": "MODERATE"
},
"details": "Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.",
"id": "GHSA-q287-hpw8-q93x",
"modified": "2025-02-13T21:31:42Z",
"published": "2023-04-05T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0967"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/ingrosso"
},
{
"type": "WEB",
"url": "https://github.com/IMA-WorldHealth/bhima"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q28V-664F-Q6WJ
Vulnerability from github – Published: 2025-07-14 19:24 – Updated: 2025-07-22 18:33Impact
An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.
[!TIP] If your instance allows everyone to create a user account, and you wish to truly restrict access to these user details, consider restricting user search to managers. You can find details on the newly introduced indico.conf setting
ALLOW_PUBLIC_USER_SEARCHin our documentation.
Patches
You should to update to Indico 3.3.7 as soon as possible. See the docs for instructions on how to update.
Workarounds
It is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.
For more information
If you have any questions or comments about this advisory:
- Open a thread in our forum
- Email us privately at indico-team@cern.ch
Credits
This vulnerability was identified during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa). The research and testing were performed by a security researcher working under RNP’s authorization and coordination. Special acknowledgment goes to the RNP Security Team, which provided the infrastructure, methodology, and ethical oversight for this work.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "indico"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
},
{
"fixed": "3.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53640"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-14T19:24:03Z",
"nvd_published_at": "2025-07-14T21:15:27Z",
"severity": "MODERATE"
},
"details": "### Impact\nAn endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.\n\n\u003e [!TIP]\n\u003e If your instance allows everyone to create a user account, and you wish to truly restrict access to these user details, consider restricting user search to managers. You can find details on the newly introduced indico.conf setting [`ALLOW_PUBLIC_USER_SEARCH`](https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH) in our documentation.\n\n### Patches\nYou should to update to [Indico 3.3.7](https://github.com/indico/indico/releases/tag/v3.3.7) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\nIt is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)\n\n#### Credits\nThis vulnerability was identified during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa).\nThe research and testing were performed by a security researcher working under RNP\u2019s authorization and coordination.\nSpecial acknowledgment goes to the RNP Security Team, which provided the infrastructure, methodology, and ethical oversight for this work.",
"id": "GHSA-q28v-664f-q6wj",
"modified": "2025-07-22T18:33:40Z",
"published": "2025-07-14T19:24:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53640"
},
{
"type": "WEB",
"url": "https://github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1"
},
{
"type": "WEB",
"url": "https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH"
},
{
"type": "WEB",
"url": "https://docs.getindico.io/en/stable/installation/upgrade"
},
{
"type": "PACKAGE",
"url": "https://github.com/indico/indico"
},
{
"type": "WEB",
"url": "https://github.com/indico/indico/releases/tag/v3.3.7"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Indico vulnerability allows attackers to bulk dump user details"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.