CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2020-37008 (GCVE-0-2020-37008)
Vulnerability from cvelistv5 – Published: 2026-01-29 14:28 – Updated: 2026-05-12 20:46
VLAI
Title
EasyPMS 1.0.0 - Authentication Bypass
Summary
EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48858 | exploit |
| https://www.elektraweb.com/en/ | product |
| https://www.vulncheck.com/advisories/easypms-auth… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Elektraweb | EasyPMS |
Affected:
1.0.0
|
Date Public
2020-10-01 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37008",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T15:49:27.205263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T16:48:36.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48858"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EasyPMS",
"vendor": "Elektraweb",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jok3r"
}
],
"datePublic": "2020-10-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T20:46:24.594Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48858",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48858"
},
{
"name": "Vendor Homepage",
"tags": [
"product"
],
"url": "https://www.elektraweb.com/en/"
},
{
"name": "VulnCheck Advisory: EasyPMS 1.0.0 - Authentication Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/easypms-authentication-bypass"
}
],
"title": "EasyPMS 1.0.0 - Authentication Bypass",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37008",
"datePublished": "2026-01-29T14:28:30.079Z",
"dateReserved": "2026-01-27T15:47:08.001Z",
"dateUpdated": "2026-05-12T20:46:24.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37094 (GCVE-0-2020-37094)
Vulnerability from cvelistv5 – Published: 2026-02-03 22:01 – Updated: 2026-04-07 14:05
VLAI
Title
EspoCRM 5.8.5 - Privilege Escalation
Summary
EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.
Severity
9.8 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48376 | exploit |
| https://www.espocrm.com | product |
| https://www.vulncheck.com/advisories/espocrm-priv… | third-party-advisory |
Date Public
2020-04-24 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37094",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T19:36:20.554721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:36:48.658Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EspoCRM",
"vendor": "EspoCRM",
"versions": [
{
"status": "affected",
"version": "5.8.5"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:espocrm:espocrm:5.8.5:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Besim ALTINOK, \u0130smail BOZKURT"
}
],
"datePublic": "2020-04-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:05:15.929Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48376",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48376"
},
{
"name": "EspoCRM Official Vendor Homepage",
"tags": [
"product"
],
"url": "https://www.espocrm.com"
},
{
"name": "VulnCheck Advisory: EspoCRM 5.8.5 - Privilege Escalation",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/espocrm-privilege-escalation"
}
],
"title": "EspoCRM 5.8.5 - Privilege Escalation",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37094",
"datePublished": "2026-02-03T22:01:52.861Z",
"dateReserved": "2026-02-01T13:16:06.487Z",
"dateUpdated": "2026-04-07T14:05:15.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-8154 (GCVE-0-2020-8154)
Vulnerability from cvelistv5 – Published: 2020-05-12 13:01 – Updated: 2024-08-04 09:48
VLAI
Summary
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.
Severity
No CVSS data available.
CWE
- CWE-639 - Insecure Direct Object Reference (IDOR) (CWE-639)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/819807 | x_refsource_MISC |
| https://nextcloud.com/security/advisory/?id=NC-SA… | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Nextcloud Server |
Affected:
18.0.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/819807"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-018"
},
{
"name": "openSUSE-SU-2020:0667",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html"
},
{
"name": "openSUSE-SU-2020:0668",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html"
},
{
"name": "openSUSE-SU-2020:0670",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html"
},
{
"name": "openSUSE-SU-2020:1652",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
},
{
"name": "FEDORA-2020-c9863904de",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Server",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "18.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Insecure Direct Object Reference (IDOR) (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-19T18:06:18.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/819807"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-018"
},
{
"name": "openSUSE-SU-2020:0667",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html"
},
{
"name": "openSUSE-SU-2020:0668",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html"
},
{
"name": "openSUSE-SU-2020:0670",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html"
},
{
"name": "openSUSE-SU-2020:1652",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
},
{
"name": "FEDORA-2020-c9863904de",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Server",
"version": {
"version_data": [
{
"version_value": "18.0.3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR) (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/819807",
"refsource": "MISC",
"url": "https://hackerone.com/reports/819807"
},
{
"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-018",
"refsource": "MISC",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-018"
},
{
"name": "openSUSE-SU-2020:0667",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html"
},
{
"name": "openSUSE-SU-2020:0668",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html"
},
{
"name": "openSUSE-SU-2020:0670",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html"
},
{
"name": "openSUSE-SU-2020:1652",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
},
{
"name": "FEDORA-2020-c9863904de",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8154",
"datePublished": "2020-05-12T13:01:26.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:48:25.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8235 (GCVE-0-2020-8235)
Vulnerability from cvelistv5 – Published: 2020-10-05 13:16 – Updated: 2024-08-04 09:56
VLAI
Summary
Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments.
Severity
No CVSS data available.
CWE
- CWE-639 - Insecure Direct Object Reference (IDOR) (CWE-639)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/916704 | x_refsource_MISC |
| https://nextcloud.com/security/advisory/?id=NC-SA… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Nextcloud Deck app |
Affected:
Fixed in 1.0.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/916704"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-036"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Deck app",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 1.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Insecure Direct Object Reference (IDOR) (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-05T13:16:08.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/916704"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-036"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8235",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Deck app",
"version": {
"version_data": [
{
"version_value": "Fixed in 1.0.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR) (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/916704",
"refsource": "MISC",
"url": "https://hackerone.com/reports/916704"
},
{
"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-036",
"refsource": "MISC",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-036"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8235",
"datePublished": "2020-10-05T13:16:08.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8297 (GCVE-0-2020-8297)
Vulnerability from cvelistv5 – Published: 2021-02-23 18:28 – Updated: 2024-08-04 09:56
VLAI
Summary
Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user.
Severity
No CVSS data available.
CWE
- CWE-639 - Insecure Direct Object Reference (IDOR) (CWE-639)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/882258 | x_refsource_MISC |
| https://nextcloud.com/security/advisory/?id=NC-SA… | x_refsource_MISC |
| https://github.com/nextcloud/deck/pull/1976 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Nextcloud Deck |
Affected:
Fixed in 1.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/882258"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/deck/pull/1976"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Deck",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 1.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Insecure Direct Object Reference (IDOR) (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-23T18:28:59.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/882258"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/pull/1976"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8297",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Deck",
"version": {
"version_data": [
{
"version_value": "Fixed in 1.0.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR) (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/882258",
"refsource": "MISC",
"url": "https://hackerone.com/reports/882258"
},
{
"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007",
"refsource": "MISC",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"
},
{
"name": "https://github.com/nextcloud/deck/pull/1976",
"refsource": "MISC",
"url": "https://github.com/nextcloud/deck/pull/1976"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8297",
"datePublished": "2021-02-23T18:28:59.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21012 (GCVE-0-2021-21012)
Vulnerability from cvelistv5 – Published: 2021-01-13 22:35 – Updated: 2024-09-16 17:33
VLAI
Title
Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure
Summary
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/magento… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Magento Commerce |
Affected:
unspecified , ≤ 2.4.1
(custom)
Affected: unspecified , ≤ 2.4.0-p1 (custom) Affected: unspecified , ≤ 2.3.6 (custom) Affected: unspecified , ≤ None (custom) |
Date Public
2021-02-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.0-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-17T21:00:03.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-02-09T23:00:00.000Z",
"ID": "CVE-2021-21012",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.1"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.0-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.6"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "None",
"attackVector": "None",
"availabilityImpact": "None",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "None",
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-21012",
"datePublished": "2021-01-13T22:35:38.509Z",
"dateReserved": "2020-12-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:33:28.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21022 (GCVE-0-2021-21022)
Vulnerability from cvelistv5 – Published: 2021-02-11 19:29 – Updated: 2024-09-16 17:57
VLAI
Title
Magento Commerce Incorrect permissions Could Lead To Unauthorized Access
Summary
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/magento… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Adobe | Magento Commerce |
Affected:
unspecified , ≤ 2.4.1
(custom)
Affected: unspecified , ≤ 2.4.0-p1 (custom) Affected: unspecified , ≤ 2.3.6 (custom) Affected: unspecified , ≤ None (custom) |
Date Public
2021-02-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Magento Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.4.0-p1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-11T19:29:31.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2021-02-09T23:00:00.000Z",
"ID": "CVE-2021-21022",
"STATE": "PUBLIC",
"TITLE": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Magento Commerce",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.4.1"
},
{
"version_affected": "\u003c=",
"version_value": "2.4.0-p1"
},
{
"version_affected": "\u003c=",
"version_value": "2.3.6"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "None",
"attackVector": "None",
"availabilityImpact": "None",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "None",
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2021-21022",
"datePublished": "2021-02-11T19:29:31.371Z",
"dateReserved": "2020-12-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:57:55.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21324 (GCVE-0-2021-21324)
Vulnerability from cvelistv5 – Published: 2021-03-08 17:00 – Updated: 2024-08-03 18:09
VLAI
Title
Insecure Direct Object Reference (IDOR) on "Solutions"
Summary
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /"glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with "Users" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts.
Severity
6.8 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/glpi-project/glpi/commit/aade6… | x_refsource_MISC |
| https://github.com/glpi-project/glpi/releases/tag/9.5.4 | x_refsource_MISC |
| https://github.com/glpi-project/glpi/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi |
Affected:
< 9.5.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003c 9.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on \"Solutions\". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /\"glpi/front/knowbaseitem.php?item_itemtype=Ticket\u0026item_items_id=18\u0026forcetab=Knowbase$1\", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with \"Users\" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-09T16:23:01.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v"
}
],
"source": {
"advisory": "GHSA-jvwm-gq36-3v7v",
"discovery": "UNKNOWN"
},
"title": "Insecure Direct Object Reference (IDOR) on \"Solutions\"",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21324",
"STATE": "PUBLIC",
"TITLE": "Insecure Direct Object Reference (IDOR) on \"Solutions\""
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "glpi",
"version": {
"version_data": [
{
"version_value": "\u003c 9.5.4"
}
]
}
}
]
},
"vendor_name": "glpi-project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on \"Solutions\". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /\"glpi/front/knowbaseitem.php?item_itemtype=Ticket\u0026item_items_id=18\u0026forcetab=Knowbase$1\", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with \"Users\" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc",
"refsource": "MISC",
"url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/9.5.4",
"refsource": "MISC",
"url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4"
},
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v",
"refsource": "CONFIRM",
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v"
}
]
},
"source": {
"advisory": "GHSA-jvwm-gq36-3v7v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21324",
"datePublished": "2021-03-08T17:00:33.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:15.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22951 (GCVE-0-2021-22951)
Vulnerability from cvelistv5 – Published: 2021-11-19 18:10 – Updated: 2024-08-03 18:58
VLAI
Summary
Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations were put in place a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise users.Credit for discovery: "Solar Security Research Team"Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NThis fix is also in Concrete version 9.0.0
Severity
No CVSS data available.
CWE
- CWE-639 - Insecure Direct Object Reference (IDOR) (CWE-639)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://documentation.concretecms.org/developers/… | x_refsource_MISC |
| https://hackerone.com/reports/1102014 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | https://github.com/concrete5/concrete5 |
Affected:
Fixed version Concrete CMS 8.5.7 and 9.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1102014"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/concrete5/concrete5",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed version Concrete CMS 8.5.7 and 9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations were put in place a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise users.Credit for discovery: \"Solar Security Research Team\"Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NThis fix is also in Concrete version 9.0.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Insecure Direct Object Reference (IDOR) (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T18:10:14.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1102014"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2021-22951",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/concrete5/concrete5",
"version": {
"version_data": [
{
"version_value": "Fixed version Concrete CMS 8.5.7 and 9.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations were put in place a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise users.Credit for discovery: \"Solar Security Research Team\"Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NThis fix is also in Concrete version 9.0.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR) (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
"refsource": "MISC",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
},
{
"name": "https://hackerone.com/reports/1102014",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1102014"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2021-22951",
"datePublished": "2021-11-19T18:10:14.000Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:58:26.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22967 (GCVE-0-2021-22967)
Vulnerability from cvelistv5 – Published: 2021-11-19 18:11 – Updated: 2024-08-03 18:58
VLAI
Summary
In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit message”.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H
Severity
No CVSS data available.
CWE
- CWE-639 - Insecure Direct Object Reference (IDOR) (CWE-639)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://documentation.concretecms.org/developers/… | x_refsource_MISC |
| https://hackerone.com/reports/869612 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | https://github.com/concrete5/concrete5 |
Affected:
Affected version - Concrete 8.5.6 and below. Fixed version 9.0 and 8.5.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:58:26.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/869612"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/concrete5/concrete5",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Affected version - Concrete 8.5.6 and below. Fixed version 9.0 and 8.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in \"add / edit message\u201d.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Insecure Direct Object Reference (IDOR) (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T18:11:07.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/869612"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2021-22967",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/concrete5/concrete5",
"version": {
"version_data": [
{
"version_value": "Affected version - Concrete 8.5.6 and below. Fixed version 9.0 and 8.5.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in \"add / edit message\u201d.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR) (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
"refsource": "MISC",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
},
{
"name": "https://hackerone.com/reports/869612",
"refsource": "MISC",
"url": "https://hackerone.com/reports/869612"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2021-22967",
"datePublished": "2021-11-19T18:11:07.000Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:58:26.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.