Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3220 vulnerabilities reference this CWE, most recent first.

GHSA-X769-3CWV-F8HC

Vulnerability from github – Published: 2025-07-22 12:30 – Updated: 2025-07-22 14:37
VLAI
Summary
Powermail extension for TYPO3 allows Insecure Direct Object Reference
Details

The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "13.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-7899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-22T14:37:09Z",
    "nvd_published_at": "2025-07-22T11:15:24Z",
    "severity": "MODERATE"
  },
  "details": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.",
  "id": "GHSA-x769-3cwv-f8hc",
  "modified": "2025-07-22T14:37:09Z",
  "published": "2025-07-22T12:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/b39e129c5e2a797f0ccf271fea220c7933ca77bc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/in2code-de/powermail"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Powermail extension for TYPO3 allows Insecure Direct Object Reference"
}

GHSA-X77X-F67V-G9V4

Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-19 21:30
VLAI
Details

AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-17T20:15:54Z",
    "severity": "HIGH"
  },
  "details": "AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.",
  "id": "GHSA-x77x-f67v-g9v4",
  "modified": "2025-12-19T21:30:17Z",
  "published": "2025-12-17T21:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/4a53ab2056"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/d411f91805"
    },
    {
      "type": "WEB",
      "url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X7W7-5275-WM7P

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:37Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system \u003c= 10.30.24 versions.",
  "id": "GHSA-x7w7-5275-wm7p",
  "modified": "2026-06-17T18:35:50Z",
  "published": "2026-06-17T18:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40768"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-24-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7WC-2853-87FV

Vulnerability from github – Published: 2025-10-25 00:30 – Updated: 2025-10-25 00:30
VLAI
Details

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account's security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-24T22:15:40Z",
    "severity": "HIGH"
  },
  "details": "GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API\u0027s object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the stored password and the account\u0027s security question and answer. The exposed recovery data and encrypted password may be used to reset or take over the target account.",
  "id": "GHSA-x7wc-2853-87fv",
  "modified": "2025-10-25T00:30:39Z",
  "published": "2025-10-25T00:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34293"
    },
    {
      "type": "WEB",
      "url": "https://nne.navigacloud.com/GN4Help/gn4_introduction_to_gn4.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.miles33.com/news/news/5955/naviga--miles-33--acquisition.html"
    },
    {
      "type": "WEB",
      "url": "https://www.miles33.com/section/14/gn4"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/gn4-publishing-system-idor-information-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X7X8-RFPP-V489

Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 09:30
VLAI
Details

The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T07:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the \u0027truelysell_edit_staff\u0027 shortcode.",
  "id": "GHSA-x7x8-rfpp-v489",
  "modified": "2025-10-16T09:30:24Z",
  "published": "2025-10-16T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10742"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X847-VXVJ-G6RJ

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-14 00:00
VLAI
Details

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.",
  "id": "GHSA-x847-vxvj-g6rj",
  "modified": "2022-06-14T00:00:37Z",
  "published": "2022-06-03T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1949"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2091781"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8P6-MR22-V5C9

Vulnerability from github – Published: 2024-03-31 21:30 – Updated: 2026-04-28 21:34
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in UPQODE Whizz.This issue affects Whizzy: from n/a through 1.1.18.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-31T19:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in UPQODE Whizz.This issue affects Whizzy: from n/a through 1.1.18.",
  "id": "GHSA-x8p6-mr22-v5c9",
  "modified": "2026-04-28T21:34:29Z",
  "published": "2024-03-31T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30543"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/whizzy/wordpress-whizzy-plugin-1-1-18-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8QQ-M4QC-RPJ5

Vulnerability from github – Published: 2026-07-16 15:33 – Updated: 2026-07-16 15:33
VLAI
Details

Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-59237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-16T15:16:34Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user\u0027s company.",
  "id": "GHSA-x8qq-m4qc-rpj5",
  "modified": "2026-07-16T15:33:11Z",
  "published": "2026-07-16T15:33:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Roskus/prospero-flow-crm/commit/9a859c4de3d49674916773d346c60d89ad7febe0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3"
    },
    {
      "type": "WEB",
      "url": "https://secur0.com/en/cna/cve-list/cve-2026-59237-idor-in-prospero-flow-crm-order-api-allows-cross-tenant-read-and-modification-of-orders"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X8VJ-X24H-RRFV

Vulnerability from github – Published: 2024-04-24 12:30 – Updated: 2025-02-04 18:30
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-24T11:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.9.",
  "id": "GHSA-x8vj-x24h-rrfv",
  "modified": "2025-02-04T18:30:45Z",
  "published": "2024-04-24T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32808"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/profilegrid-user-profiles-groups-and-communities/wordpress-profilegrid-plugin-5-7-9-insecure-direct-object-reference-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X974-724G-RVVR

Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-20 19:00
VLAI
Details

An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab\u0027s Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.",
  "id": "GHSA-x974-724g-rvvr",
  "modified": "2022-10-20T19:00:35Z",
  "published": "2022-10-17T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3331"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1542834"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3331.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/360372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.