CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3254 vulnerabilities reference this CWE, most recent first.
GHSA-Q99X-8M74-3V3X
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-18 00:00An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-29008"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T14:15:00Z",
"severity": "HIGH"
},
"details": "An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information.",
"id": "GHSA-q99x-8m74-3v3x",
"modified": "2022-05-18T00:00:26Z",
"published": "2022-05-12T00:01:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29008"
},
{
"type": "WEB",
"url": "https://github.com/sudoninja-noob/CVE-2022-29008/blob/main/CVE-2022-29008.txt"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50263"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9G5-GJ6C-J62W
Vulnerability from github – Published: 2026-07-08 15:31 – Updated: 2026-07-08 15:31The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the payment_page() function due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to activate a free subscription pack for any user on the site, overwriting their existing paid subscription and causing loss of paid features.
{
"affected": [],
"aliases": [
"CVE-2026-5459"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T13:16:56Z",
"severity": "MODERATE"
},
"details": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the payment_page() function due to missing validation on the \u0027user_id\u0027 user controlled key. This makes it possible for unauthenticated attackers to activate a free subscription pack for any user on the site, overwriting their existing paid subscription and causing loss of paid features.",
"id": "GHSA-q9g5-gj6c-j62w",
"modified": "2026-07-08T15:31:59Z",
"published": "2026-07-08T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5459"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a02d9a01-1104-4935-8074-af4367c66278?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9GP-XH68-XX23
Vulnerability from github – Published: 2024-07-19 12:31 – Updated: 2024-07-19 18:31The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to delete and update arbitrary posts.
{
"affected": [],
"aliases": [
"CVE-2024-5977"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-19T11:15:03Z",
"severity": "MODERATE"
},
"details": "The GiveWP \u2013 Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the \u0027handleRequest\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to delete and update arbitrary posts.",
"id": "GHSA-q9gp-xh68-xx23",
"modified": "2024-07-19T18:31:21Z",
"published": "2024-07-19T12:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5977"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/give/trunk/src/DonationForms/V2/Endpoints/FormActions.php#L96"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3120745"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2dca6c29-9f05-4d82-90e3-834f1dd8005a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QC4C-HRMC-4F78
Vulnerability from github – Published: 2026-05-29 21:54 – Updated: 2026-06-09 10:35Summary
An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folder_uuid URL parameter — not the file's actual parent folder. The file_delete handler then only verifies view rights on the file's real location, never upload rights. By passing a folder they legitimately own in folder_uuid while targeting a file in a restricted folder via file_uuid, an attacker bypasses the upload-right check entirely and permanently deletes the file.
This is an incomplete fix of GHSA-rmpj-3x5m-9m5f, which was patched in v5.0.7 but remains exploitable in v5.0.9.
Affected Version: Admidio v5.0.9
Details
Root Cause File: modules/documents-files.php
Issue 1 — folder_uuid is not required for file_delete mode (line 67):
$getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid', array(
'requireValue' => !in_array($getMode, array('list', 'file_delete', 'download'))
));
Issue 2 — The top-level upload-right check loads the folder from the attacker-controlled URL parameter, not the file's actual parent folder (lines 79–88):
if ($getMode != 'list' && $getMode != 'download') {
$folder = new Folder($gDb);
$folder->getFolderForDownload($getFolderUUID); // uses attacker-supplied UUID
if (!$folder->hasUploadRight()) {
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
}
}
Issue 3 — The file_delete handler only checks view rights via getFileForDownload(). Upload rights on the file's actual folder are never verified (lines 165–178):
case 'file_delete':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$file = new File($gDb);
$file->getFileForDownload($getFileUUID); // view-only check, not upload
$file->delete();
echo json_encode(array('status' => 'success'));
break;
File::getFileForDownload() in src/Documents/Entity/File.php checks only view-role membership — it never verifies upload rights.
Attack Scenario
- The organization has two folders:
PrivateFolder(role A: view-only) andUploadFolder(role A: upload + view). - Attacker is a member of role A — they have legitimate upload access to
UploadFolderonly. - Attacker enumerates a file UUID in
PrivateFolderusingfile_listmode, which is accessible to anyone with view rights. - Attacker sends a
file_deletePOST usingUploadFolder's UUID infolder_uuidand thePrivateFolderfile UUID infile_uuid. - Server checks upload rights against
UploadFolder→ passes. - Server deletes the file from
PrivateFolderwithout ever checking upload rights there.
Prerequisites:
- Authenticated Admidio member account
- Upload rights on at least one folder (legitimately assigned)
- View rights on the target folder (sufficient to enumerate file UUIDs via
file_listmode) - Knowledge of a target file UUID (obtainable from the folder listing)
PoC
Step 1 — Authenticate and obtain login CSRF token:
curl -c /tmp/admidio_cookies.txt http://TARGET/system/login.php > /tmp/login.html
LOGIN_CSRF=$(grep -o 'name="adm_csrf_token"[^>]*value="[^"]*"' /tmp/login.html \
| grep -o 'value="[^"]*"' | cut -d'"' -f2)
curl -b /tmp/admidio_cookies.txt -c /tmp/admidio_cookies.txt \
-X POST "http://TARGET/system/login.php?mode=check" \
-d "usr_login_name=MEMBER&usr_password=PASSWORD&adm_csrf_token=${LOGIN_CSRF}"
Step 2 — Extract authenticated session CSRF token:
AUTH_CSRF=$(curl -s -b /tmp/admidio_cookies.txt \
"http://TARGET/system/file_upload.php?module=documents_files&uuid=UPLOAD_FOLDER_UUID" \
| grep -oP 'name:\s*"adm_csrf_token",\s*value:\s*"\K[^"]+')
Step 3 — Delete file from restricted folder using the upload folder UUID as bypass:
curl -b /tmp/admidio_cookies.txt \
-X POST "http://TARGET/modules/documents-files.php?mode=file_delete&file_uuid=PRIVATE_FILE_UUID&folder_uuid=UPLOAD_FOLDER_UUID" \
-d "adm_csrf_token=${AUTH_CSRF}"
Expected response: {"status":"success"}
testmember holds upload rights only on UploadFolder. secret2.txt (UUID 93dc6280-...-bba7-...) resided in PrivateFolder and was permanently deleted from both the database and filesystem.
Impact
An authenticated Admidio member with legitimate upload access to any one folder can permanently delete files from any other folder to which they have view access — without authorization. In organizations where upload rights are delegated by role (e.g., team leads upload to their own folder, view-only everywhere else), this enables cross-folder sabotage and permanent destruction of shared documents.
Business Impact: Data loss, destruction of shared organizational documents, and compliance violations in organizations relying on Admidio for document management.
Remediation
In the file_delete handler, after loading the file via getFileForDownload(), verify upload rights against the file's actual parent folder — not the URL-supplied folder_uuid:
case 'file_delete':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$file = new File($gDb);
$file->getFileForDownload($getFileUUID);
// Verify upload rights on the file's actual parent folder
$parentFolder = new Folder($gDb);
$parentFolder->readDataById((int)$file->getValue('fil_fol_id'));
if (!$parentFolder->hasUploadRight()) {
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
}
$file->delete();
echo json_encode(array('status' => 'success'));
break;
Alternative fix: Remove the top-level folder_uuid check for file_delete entirely and move a proper upload-rights verification into the file_delete case as the sole authority for authorization.
Defense-in-depth recommendations:
- Audit all other modes in
documents-files.php(e.g.,folder_delete,file_rename) for the same pattern of trustingfolder_uuidfrom the URL instead of the resource's actual parent. - Add an integration test asserting a user with upload rights on Folder A cannot perform destructive operations on files in Folder B.
- Consider centralizing authorization in a single helper (e.g.,
assertUploadRightOnFile($fileUuid)) to eliminate the URL-parameter trust-boundary issue across the codebase.
Credits
- Researcher: Vishal Kumar B - https://github.com/VishaaLlKumaaRr - Security Researcher & Penetration Tester
- Disclosure: Responsible disclosure to Admidio maintainers
References
- GHSA-rmpj-3x5m-9m5f — Prior incomplete fix, patched in v5.0.7
- CWE-862: Missing Authorization
- CWE-639: Authorization Bypass Through User-Controlled Key
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.9"
},
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47226"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T21:54:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nAn authenticated Admidio member with upload rights on **any one folder** can permanently delete files from folders where they have only view access. The authorization check at the top of `modules/documents-files.php` evaluates upload rights against the attacker-supplied `folder_uuid` URL parameter \u2014 not the file\u0027s actual parent folder. The `file_delete` handler then only verifies view rights on the file\u0027s real location, never upload rights. By passing a folder they legitimately own in `folder_uuid` while targeting a file in a restricted folder via `file_uuid`, an attacker bypasses the upload-right check entirely and permanently deletes the file.\n\nThis is an **incomplete fix** of [GHSA-rmpj-3x5m-9m5f](https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f), which was patched in v5.0.7 but remains exploitable in v5.0.9.\n\n**Affected Version:** Admidio v5.0.9 \n\n---\n\n### Details\n\n**Root Cause File:** `modules/documents-files.php`\n\n**Issue 1 \u2014 `folder_uuid` is not required for `file_delete` mode (line 67):**\n\n```php\n$getFolderUUID = admFuncVariableIsValid($_GET, \u0027folder_uuid\u0027, \u0027uuid\u0027, array(\n \u0027requireValue\u0027 =\u003e !in_array($getMode, array(\u0027list\u0027, \u0027file_delete\u0027, \u0027download\u0027))\n));\n```\n\n**Issue 2 \u2014 The top-level upload-right check loads the folder from the attacker-controlled URL parameter, not the file\u0027s actual parent folder (lines 79\u201388):**\n\n```php\nif ($getMode != \u0027list\u0027 \u0026\u0026 $getMode != \u0027download\u0027) {\n $folder = new Folder($gDb);\n $folder-\u003egetFolderForDownload($getFolderUUID); // uses attacker-supplied UUID\n if (!$folder-\u003ehasUploadRight()) {\n $gMessage-\u003eshow($gL10n-\u003eget(\u0027SYS_NO_RIGHTS\u0027));\n }\n}\n```\n\n**Issue 3 \u2014 The `file_delete` handler only checks view rights via `getFileForDownload()`. Upload rights on the file\u0027s actual folder are never verified (lines 165\u2013178):**\n\n```php\ncase \u0027file_delete\u0027:\n SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n $file = new File($gDb);\n $file-\u003egetFileForDownload($getFileUUID); // view-only check, not upload\n $file-\u003edelete();\n echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n break;\n```\n\n`File::getFileForDownload()` in `src/Documents/Entity/File.php` checks only view-role membership \u2014 it never verifies upload rights.\n\n---\n\n### Attack Scenario\n\n1. The organization has two folders: `PrivateFolder` (role A: view-only) and `UploadFolder` (role A: upload + view).\n2. Attacker is a member of role A \u2014 they have legitimate upload access to `UploadFolder` only.\n3. Attacker enumerates a file UUID in `PrivateFolder` using `file_list` mode, which is accessible to anyone with view rights.\n4. Attacker sends a `file_delete` POST using `UploadFolder`\u0027s UUID in `folder_uuid` and the `PrivateFolder` file UUID in `file_uuid`.\n5. Server checks upload rights against `UploadFolder` \u2192 **passes**.\n6. Server deletes the file from `PrivateFolder` **without ever checking upload rights there**.\n\n**Prerequisites:**\n\n- Authenticated Admidio member account\n- Upload rights on at least one folder (legitimately assigned)\n- View rights on the target folder (sufficient to enumerate file UUIDs via `file_list` mode)\n- Knowledge of a target file UUID (obtainable from the folder listing)\n\n---\n\n### PoC\n\n**Step 1 \u2014 Authenticate and obtain login CSRF token:**\n\n```bash\ncurl -c /tmp/admidio_cookies.txt http://TARGET/system/login.php \u003e /tmp/login.html\n\nLOGIN_CSRF=$(grep -o \u0027name=\"adm_csrf_token\"[^\u003e]*value=\"[^\"]*\"\u0027 /tmp/login.html \\\n | grep -o \u0027value=\"[^\"]*\"\u0027 | cut -d\u0027\"\u0027 -f2)\n\ncurl -b /tmp/admidio_cookies.txt -c /tmp/admidio_cookies.txt \\\n -X POST \"http://TARGET/system/login.php?mode=check\" \\\n -d \"usr_login_name=MEMBER\u0026usr_password=PASSWORD\u0026adm_csrf_token=${LOGIN_CSRF}\"\n```\n\n**Step 2 \u2014 Extract authenticated session CSRF token:**\n\n```bash\nAUTH_CSRF=$(curl -s -b /tmp/admidio_cookies.txt \\\n \"http://TARGET/system/file_upload.php?module=documents_files\u0026uuid=UPLOAD_FOLDER_UUID\" \\\n | grep -oP \u0027name:\\s*\"adm_csrf_token\",\\s*value:\\s*\"\\K[^\"]+\u0027)\n```\n\n**Step 3 \u2014 Delete file from restricted folder using the upload folder UUID as bypass:**\n\n```bash\ncurl -b /tmp/admidio_cookies.txt \\\n -X POST \"http://TARGET/modules/documents-files.php?mode=file_delete\u0026file_uuid=PRIVATE_FILE_UUID\u0026folder_uuid=UPLOAD_FOLDER_UUID\" \\\n -d \"adm_csrf_token=${AUTH_CSRF}\"\n```\n\n**Expected response:** `{\"status\":\"success\"}`\n\n`testmember` holds upload rights **only** on `UploadFolder`. `secret2.txt` (UUID `93dc6280-...-bba7-...`) resided in `PrivateFolder` and was permanently deleted from both the database and filesystem.\n\n---\n\n### Impact\n\nAn authenticated Admidio member with legitimate upload access to **any one folder** can permanently delete files from **any other folder** to which they have view access \u2014 without authorization. In organizations where upload rights are delegated by role (e.g., team leads upload to their own folder, view-only everywhere else), this enables cross-folder sabotage and permanent destruction of shared documents.\n\n**Business Impact:** Data loss, destruction of shared organizational documents, and compliance violations in organizations relying on Admidio for document management.\n\n---\n\n### Remediation\n\nIn the `file_delete` handler, after loading the file via `getFileForDownload()`, verify upload rights against the file\u0027s **actual parent folder** \u2014 not the URL-supplied `folder_uuid`:\n\n```php\ncase \u0027file_delete\u0027:\n SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n $file = new File($gDb);\n $file-\u003egetFileForDownload($getFileUUID);\n // Verify upload rights on the file\u0027s actual parent folder\n $parentFolder = new Folder($gDb);\n $parentFolder-\u003ereadDataById((int)$file-\u003egetValue(\u0027fil_fol_id\u0027));\n if (!$parentFolder-\u003ehasUploadRight()) {\n $gMessage-\u003eshow($gL10n-\u003eget(\u0027SYS_NO_RIGHTS\u0027));\n }\n $file-\u003edelete();\n echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n break;\n```\n\n**Alternative fix:** Remove the top-level `folder_uuid` check for `file_delete` entirely and move a proper upload-rights verification into the `file_delete` case as the sole authority for authorization.\n\n**Defense-in-depth recommendations:**\n\n- Audit all other modes in `documents-files.php` (e.g., `folder_delete`, `file_rename`) for the same pattern of trusting `folder_uuid` from the URL instead of the resource\u0027s actual parent.\n- Add an integration test asserting a user with upload rights on Folder A cannot perform destructive operations on files in Folder B.\n- Consider centralizing authorization in a single helper (e.g., `assertUploadRightOnFile($fileUuid)`) to eliminate the URL-parameter trust-boundary issue across the codebase.\n\n---\n\n### Credits\n\n- Researcher: Vishal Kumar B - https://github.com/VishaaLlKumaaRr - Security Researcher \u0026 Penetration Tester\n- Disclosure: Responsible disclosure to Admidio maintainers\n\n---\n\n### References\n\n- [GHSA-rmpj-3x5m-9m5f](https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f) \u2014 Prior incomplete fix, patched in v5.0.7\n- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)\n- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)",
"id": "GHSA-qc4c-hrmc-4f78",
"modified": "2026-06-09T10:35:01Z",
"published": "2026-05-29T21:54:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-qc4c-hrmc-4f78"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges"
}
GHSA-QC5P-3MG5-9FH8
Vulnerability from github – Published: 2026-04-24 16:11 – Updated: 2026-06-08 23:17Summary
A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.
Details
The vulnerability exists in the action_class method within app/controllers/avo/actions_controller.rb.
Vulnerable Code
def action_class
# It searches through ALL descendants of BaseAction without resource validation
Avo::BaseAction.descendants.find do |action|
action.to_s == params[:action_id]
end
end
The controller identifies the action class to execute solely based on the params[:action_id] by searching through all BaseAction descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., /admin/resources/posts/actions).
Consequently, an attacker can invoke sensitive actions (e.g., Avo::Actions::ToggleAdmin) through an unrelated resource endpoint (e.g., Post), bypassing the intended resource-action mapping.
Impact
This flaw results in significant security risks:
- Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions.
- Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database.
- Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.
Proof of Concept (PoC)
Steps to Reproduce:
- Log in to the Avo admin panel with limited permissions.
- Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g.,
Avo::Actions::ToggleAdmin). - Send a POST request to a resource endpoint where the target action is not registered:
- URL:
POST /admin/resources/posts/actions - Payload:
action_id=Avo::Actions::ToggleAdmin&fields[avo_resource_ids]=1
- URL:
- The server executes the
ToggleAdminlogic on User 1, even though the request was made through thepostsresource context.
PoC Script Snippet:
# Simulating the unauthorized action execution
data = {
'action_id': 'Avo::Actions::ToggleAdmin',
'fields[avo_resource_ids]': '1', # Target Record ID
'authenticity_token': csrf_token
}
response = session.post(f"{BASE_URL}/admin/resources/posts/actions", data=data)
Remediation
Restrict the action lookup to only those actions explicitly registered for the current resource context:
def action_class
# Validate that the action is registered for the current resource
@resource.get_actions.find do |action|
action.to_s == params[:action_id]
end
end
Discoverer
Illunight
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "avo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.31.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42205"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T16:11:28Z",
"nvd_published_at": "2026-05-08T22:16:31Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA critical Broken Access Control vulnerability was identified in the `ActionsController` of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of `Avo::BaseAction`) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.\n\n### Details\n\nThe vulnerability exists in the `action_class` method within `app/controllers/avo/actions_controller.rb`.\n\n#### Vulnerable Code\n\n```ruby\ndef action_class\n # It searches through ALL descendants of BaseAction without resource validation\n Avo::BaseAction.descendants.find do |action|\n action.to_s == params[:action_id]\n end\nend\n```\n\nThe controller identifies the action class to execute solely based on the `params[:action_id]` by searching through all `BaseAction` descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., `/admin/resources/posts/actions`).\n\nConsequently, an attacker can invoke sensitive actions (e.g., `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint (e.g., `Post`), bypassing the intended resource-action mapping.\n\n### Impact\n\nThis flaw results in significant security risks:\n\n- **Privilege Escalation:** An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others\u0027 permissions.\n- **Unauthorized Operations:** Actions designed for restricted resources can be triggered against any record ID in the database.\n- **Data Integrity Compromise:** Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.\n\n### Proof of Concept (PoC)\n\n**Steps to Reproduce:**\n\n01. Log in to the Avo admin panel with limited permissions.\n02. Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g., `Avo::Actions::ToggleAdmin`).\n03. Send a POST request to a resource endpoint where the target action is not registered:\n - **URL:** `POST /admin/resources/posts/actions`\n - **Payload:** `action_id=Avo::Actions::ToggleAdmin\u0026fields[avo_resource_ids]=1`\n04. The server executes the `ToggleAdmin` logic on User 1, even though the request was made through the `posts` resource context.\n\n**PoC Script Snippet:**\n\n```python\n# Simulating the unauthorized action execution\ndata = {\n \u0027action_id\u0027: \u0027Avo::Actions::ToggleAdmin\u0027,\n \u0027fields[avo_resource_ids]\u0027: \u00271\u0027, # Target Record ID\n \u0027authenticity_token\u0027: csrf_token\n}\nresponse = session.post(f\"{BASE_URL}/admin/resources/posts/actions\", data=data)\n```\n\n### Remediation\n\nRestrict the action lookup to only those actions explicitly registered for the current resource context:\n\n```ruby\ndef action_class\n # Validate that the action is registered for the current resource\n @resource.get_actions.find do |action|\n action.to_s == params[:action_id]\n end\nend\n```\n\n### Discoverer\n\nIllunight",
"id": "GHSA-qc5p-3mg5-9fh8",
"modified": "2026-06-08T23:17:53Z",
"published": "2026-04-24T16:11:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42205"
},
{
"type": "PACKAGE",
"url": "https://github.com/avo-hq/avo"
},
{
"type": "WEB",
"url": "https://github.com/avo-hq/avo/releases/tag/v3.31.2"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2026-42205.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources"
}
GHSA-QC7R-9GXQ-W2HJ
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2026-06-05 15:32Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers.This issue affects Beefull App: before 24.07.2025.
{
"affected": [],
"aliases": [
"CVE-2025-7355"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T13:16:12Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers.This issue affects Beefull App: before 24.07.2025.",
"id": "GHSA-qc7r-9gxq-w2hj",
"modified": "2026-06-05T15:32:04Z",
"published": "2025-09-16T15:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7355"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0255"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0255"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCF5-M2C6-89F2
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:45usememos/memos 0.9.0 and prior is vulnerable to Improper Authorization.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4798"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T19:57:20Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "usememos/memos 0.9.0 and prior is vulnerable to Improper Authorization.",
"id": "GHSA-qcf5-m2c6-89f2",
"modified": "2023-01-10T15:45:55Z",
"published": "2022-12-28T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4798"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/e12eed25-1a8e-4ee1-b846-2d4df1db2fae"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos Improper Authorization vulnerability"
}
GHSA-QCF7-52W8-GP39
Vulnerability from github – Published: 2024-12-13 09:31 – Updated: 2024-12-13 09:31The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.
{
"affected": [],
"aliases": [
"CVE-2024-11275"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T09:15:04Z",
"severity": "MODERATE"
},
"details": "The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.",
"id": "GHSA-qcf7-52w8-gp39",
"modified": "2024-12-13T09:31:13Z",
"published": "2024-12-13T09:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11275"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/timetics/trunk/core/customers/api-customer.php#L308"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3206505%40timetics\u0026new=3206505%40timetics\u0026sfp_email=\u0026sfph_mail=#file199"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d68e250e-d850-4100-81db-3e3c48a3a4a1?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCFF-576G-HQPP
Vulnerability from github – Published: 2023-10-11 15:30 – Updated: 2024-04-04 08:34An Insecure Direct Object Reference (IDOR) vulnerability leads to events profiles access in Elenos ETG150 FM transmitter running on version 3.12.
{
"affected": [],
"aliases": [
"CVE-2023-45396"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-11T14:15:09Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability leads to events profiles access in Elenos ETG150 FM transmitter running on version 3.12.",
"id": "GHSA-qcff-576g-hqpp",
"modified": "2024-04-04T08:34:02Z",
"published": "2023-10-11T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45396"
},
{
"type": "WEB",
"url": "https://github.com/strik3r0x1/Vulns/blob/main/%28IDOR%29%20leads%20to%20events%20profiles%20access%20-%20Elenos.md"
},
{
"type": "WEB",
"url": "https://github.com/strik3r0x1/Vulns/blob/main/(IDOR)%20leads%20to%20events%20profiles%20access%20-%20Elenos.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCJ5-MP4W-93GP
Vulnerability from github – Published: 2026-07-10 09:31 – Updated: 2026-07-10 09:31The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site — including forms owned by administrators — by supplying an arbitrary form ID in the REST URL.
{
"affected": [],
"aliases": [
"CVE-2026-12400"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T09:16:52Z",
"severity": "MODERATE"
},
"details": "The FlowForms \u2013 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to modify the content, design, and settings of, as well as publish or revert, any form on the site \u2014 including forms owned by administrators \u2014 by supplying an arbitrary form ID in the REST URL.",
"id": "GHSA-qcj5-mp4w-93gp",
"modified": "2026-07-10T09:31:38Z",
"published": "2026-07-10T09:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12400"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L48"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L493"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L562"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L603"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L654"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/flowforms/tags/1.1.1/includes/class-rest-api.php#L694"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3577870%40flowforms\u0026new=3577870%40flowforms"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f4e6133-f833-4da2-af4a-e7e7fcedfe3c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.