Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3254 vulnerabilities reference this CWE, most recent first.

GHSA-PWRF-Q7H8-JJR7

Vulnerability from github – Published: 2019-11-08 20:06 – Updated: 2021-05-10 17:22
VLAI
Summary
Authorization Bypass Through User-Controlled Key in Bagisto
Details

In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-09-25T12:47:46Z",
    "nvd_published_at": "2019-09-18T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.",
  "id": "GHSA-pwrf-q7h8-jjr7",
  "modified": "2021-05-10T17:22:09Z",
  "published": "2019-11-08T20:06:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/issues/749"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Bypass Through User-Controlled Key in Bagisto"
}

GHSA-PWW3-X2G7-X8Q2

Vulnerability from github – Published: 2024-04-12 00:30 – Updated: 2024-04-12 21:26
VLAI
Summary
Reportico affected by Incorrect Access Control
Details

An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "reportico-web/reportico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-12T21:26:13Z",
    "nvd_published_at": "2024-04-11T22:15:13Z",
    "severity": "MODERATE"
  },
  "details": "An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.",
  "id": "GHSA-pww3-x2g7-x8q2",
  "modified": "2024-04-12T21:26:13Z",
  "published": "2024-04-12T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportico-web/reportico/issues/51"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/aashiqahamedn/39383cfbc639cbdc3e1a7d74b977aeae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reportico-web/reportico"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reportico affected by Incorrect Access Control"
}

GHSA-PWW7-G5G9-2865

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T19:16:02Z",
    "severity": "LOW"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.",
  "id": "GHSA-pww7-g5g9-2865",
  "modified": "2026-04-01T18:36:13Z",
  "published": "2025-09-22T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58012"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/content-mask/vulnerability/wordpress-content-mask-plugin-1-8-5-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX32-V334-CGRW

Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31
VLAI
Details

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T06:16:24Z",
    "severity": "HIGH"
  },
  "details": "The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.",
  "id": "GHSA-px32-v334-cgrw",
  "modified": "2026-05-14T06:31:33Z",
  "published": "2026-05-14T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5396"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=/fluentform/tags/6.1.21/app/Http/Policies/SubmissionPolicy.php\u0026new_path=/fluentform/tags/6.2.0/app/Http/Policies/SubmissionPolicy.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81aad41e-0330-4dff-a5f8-08a108d724f5?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX6J-WC84-GWHF

Vulnerability from github – Published: 2025-11-26 21:31 – Updated: 2025-11-28 21:31
VLAI
Details

Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-26T19:15:47Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.",
  "id": "GHSA-px6j-wc84-gwhf",
  "modified": "2025-11-28T21:31:18Z",
  "published": "2025-11-26T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Rivek619/CVE-2025-65672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/classroomio/classroomio"
    },
    {
      "type": "WEB",
      "url": "http://classroomio.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXRF-6XC9-MC6J

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2024-03-21 03:33
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.",
  "id": "GHSA-pxrf-6xc9-mc6j",
  "modified": "2024-03-21T03:33:54Z",
  "published": "2022-05-24T17:14:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9384"
    },
    {
      "type": "WEB",
      "url": "https://www.subex.com/partner-settlement"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157197/Subex-ROC-Partner-Settlement-10.5-Insecure-Direct-Object-Reference.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q25C-R482-77P9

Vulnerability from github – Published: 2024-09-17 15:31 – Updated: 2025-03-19 14:58
VLAI
Summary
powermail TYPO3 extension has Insecure Direct Object Reference
Details

An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "10.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T21:29:11Z",
    "nvd_published_at": "2024-09-17T14:15:17Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.",
  "id": "GHSA-q25c-r482-77p9",
  "modified": "2025-03-19T14:58:20Z",
  "published": "2024-09-17T15:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/095a17637b6370aefd5390663cc11af47210f575"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/682194d71a5f67fa39d899a9625ba69bb62f9bd8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/91015da289111b86b8dbcb2553d5a722b944231e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/bbadb8d7a71ddb469d07d106551938c91465b811"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-47047.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/in2code-de/powermail"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "powermail TYPO3 extension has Insecure Direct Object Reference"
}

GHSA-Q267-QX6F-JXQX

Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31
VLAI
Details

An unauthenticated attacker can obtain EV charger energy consumption information of other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T22:15:27Z",
    "severity": "MODERATE"
  },
  "details": "An unauthenticated attacker can obtain EV charger energy consumption information of other users.",
  "id": "GHSA-q267-qx6f-jxqx",
  "modified": "2025-04-16T00:31:38Z",
  "published": "2025-04-16T00:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31950"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q287-HPW8-Q93X

Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2025-02-13 21:31
VLAI
Details

Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-05T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.",
  "id": "GHSA-q287-hpw8-q93x",
  "modified": "2025-02-13T21:31:42Z",
  "published": "2023-04-05T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0967"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/ingrosso"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IMA-WorldHealth/bhima"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q28V-664F-Q6WJ

Vulnerability from github – Published: 2025-07-14 19:24 – Updated: 2025-07-22 18:33
VLAI
Summary
Indico vulnerability allows attackers to bulk dump user details
Details

Impact

An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.

[!TIP] If your instance allows everyone to create a user account, and you wish to truly restrict access to these user details, consider restricting user search to managers. You can find details on the newly introduced indico.conf setting ALLOW_PUBLIC_USER_SEARCH in our documentation.

Patches

You should to update to Indico 3.3.7 as soon as possible. See the docs for instructions on how to update.

Workarounds

It is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.

For more information

If you have any questions or comments about this advisory:

Credits

This vulnerability was identified during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa). The research and testing were performed by a security researcher working under RNP’s authorization and coordination. Special acknowledgment goes to the RNP Security Team, which provided the infrastructure, methodology, and ethical oversight for this work.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "3.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-14T19:24:03Z",
    "nvd_published_at": "2025-07-14T21:15:27Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAn endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.\n\n\u003e [!TIP]\n\u003e If your instance allows everyone to create a user account, and you wish to truly restrict access to these user details, consider restricting user search to managers. You can find details on the newly introduced indico.conf setting [`ALLOW_PUBLIC_USER_SEARCH`](https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH) in our documentation.\n\n### Patches\nYou should to update to [Indico 3.3.7](https://github.com/indico/indico/releases/tag/v3.3.7) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\nIt is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)\n\n#### Credits\nThis vulnerability was identified during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa).\nThe research and testing were performed by a security researcher working under RNP\u2019s authorization and coordination.\nSpecial acknowledgment goes to the RNP Security Team, which provided the infrastructure, methodology, and ethical oversight for this work.",
  "id": "GHSA-q28v-664f-q6wj",
  "modified": "2025-07-22T18:33:40Z",
  "published": "2025-07-14T19:24:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53640"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1"
    },
    {
      "type": "WEB",
      "url": "https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH"
    },
    {
      "type": "WEB",
      "url": "https://docs.getindico.io/en/stable/installation/upgrade"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/indico/indico"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/releases/tag/v3.3.7"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Indico vulnerability allows attackers to bulk dump user details"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.