Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3256 vulnerabilities reference this CWE, most recent first.

GHSA-PW86-QVX9-34R7

Vulnerability from github – Published: 2025-09-30 21:31 – Updated: 2025-12-17 00:00
VLAI
Summary
Liferay Portal Vulnerable to IDOR via audit events
Details

Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.portal.security.audit.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.1"
            },
            {
              "fixed": "5.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.portal.security.audit.storage.service"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.4"
            },
            {
              "fixed": "6.0.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-01T15:56:54Z",
    "nvd_published_at": "2025-09-30T19:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the `_com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId` parameter.",
  "id": "GHSA-pw86-qvx9-34r7",
  "modified": "2025-12-17T00:00:18Z",
  "published": "2025-09-30T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/a14427e2338477001f86a9e65fdddb843c319818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/d85c2f24397dcb7d9e51e7bd292dd29268efb132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/f99602a23ce1b3aa12b2625441cfaa17bfbd22b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-17938"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43827"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal Vulnerable to IDOR via audit events"
}

GHSA-PW89-GXGV-MJVM

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-02 18:30
VLAI
Details

Instructure Canvas LMS didn't properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Instructure Canvas LMS didn\u0027t properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).",
  "id": "GHSA-pw89-gxgv-mjvm",
  "modified": "2023-02-02T18:30:30Z",
  "published": "2023-01-26T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/instructure/canvas-lms/issues/1905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gaukas/instructure-canvas-file-oracle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWRF-Q7H8-JJR7

Vulnerability from github – Published: 2019-11-08 20:06 – Updated: 2021-05-10 17:22
VLAI
Summary
Authorization Bypass Through User-Controlled Key in Bagisto
Details

In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-09-25T12:47:46Z",
    "nvd_published_at": "2019-09-18T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.",
  "id": "GHSA-pwrf-q7h8-jjr7",
  "modified": "2021-05-10T17:22:09Z",
  "published": "2019-11-08T20:06:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/issues/749"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Bypass Through User-Controlled Key in Bagisto"
}

GHSA-PWW3-X2G7-X8Q2

Vulnerability from github – Published: 2024-04-12 00:30 – Updated: 2024-04-12 21:26
VLAI
Summary
Reportico affected by Incorrect Access Control
Details

An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "reportico-web/reportico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-12T21:26:13Z",
    "nvd_published_at": "2024-04-11T22:15:13Z",
    "severity": "MODERATE"
  },
  "details": "An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.",
  "id": "GHSA-pww3-x2g7-x8q2",
  "modified": "2024-04-12T21:26:13Z",
  "published": "2024-04-12T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reportico-web/reportico/issues/51"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/aashiqahamedn/39383cfbc639cbdc3e1a7d74b977aeae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reportico-web/reportico"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reportico affected by Incorrect Access Control"
}

GHSA-PWW7-G5G9-2865

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T19:16:02Z",
    "severity": "LOW"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.",
  "id": "GHSA-pww7-g5g9-2865",
  "modified": "2026-04-01T18:36:13Z",
  "published": "2025-09-22T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58012"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/content-mask/vulnerability/wordpress-content-mask-plugin-1-8-5-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX32-V334-CGRW

Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31
VLAI
Details

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T06:16:24Z",
    "severity": "HIGH"
  },
  "details": "The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.",
  "id": "GHSA-px32-v334-cgrw",
  "modified": "2026-05-14T06:31:33Z",
  "published": "2026-05-14T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5396"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=/fluentform/tags/6.1.21/app/Http/Policies/SubmissionPolicy.php\u0026new_path=/fluentform/tags/6.2.0/app/Http/Policies/SubmissionPolicy.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81aad41e-0330-4dff-a5f8-08a108d724f5?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX6J-WC84-GWHF

Vulnerability from github – Published: 2025-11-26 21:31 – Updated: 2025-11-28 21:31
VLAI
Details

Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-26T19:15:47Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.",
  "id": "GHSA-px6j-wc84-gwhf",
  "modified": "2025-11-28T21:31:18Z",
  "published": "2025-11-26T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Rivek619/CVE-2025-65672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/classroomio/classroomio"
    },
    {
      "type": "WEB",
      "url": "http://classroomio.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXRF-6XC9-MC6J

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2024-03-21 03:33
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.",
  "id": "GHSA-pxrf-6xc9-mc6j",
  "modified": "2024-03-21T03:33:54Z",
  "published": "2022-05-24T17:14:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9384"
    },
    {
      "type": "WEB",
      "url": "https://www.subex.com/partner-settlement"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157197/Subex-ROC-Partner-Settlement-10.5-Insecure-Direct-Object-Reference.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q25C-R482-77P9

Vulnerability from github – Published: 2024-09-17 15:31 – Updated: 2025-03-19 14:58
VLAI
Summary
powermail TYPO3 extension has Insecure Direct Object Reference
Details

An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "10.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "in2code/powermail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T21:29:11Z",
    "nvd_published_at": "2024-09-17T14:15:17Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.",
  "id": "GHSA-q25c-r482-77p9",
  "modified": "2025-03-19T14:58:20Z",
  "published": "2024-09-17T15:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/095a17637b6370aefd5390663cc11af47210f575"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/682194d71a5f67fa39d899a9625ba69bb62f9bd8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/91015da289111b86b8dbcb2553d5a722b944231e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/in2code-de/powermail/commit/bbadb8d7a71ddb469d07d106551938c91465b811"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-47047.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/in2code-de/powermail"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "powermail TYPO3 extension has Insecure Direct Object Reference"
}

GHSA-Q267-QX6F-JXQX

Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31
VLAI
Details

An unauthenticated attacker can obtain EV charger energy consumption information of other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T22:15:27Z",
    "severity": "MODERATE"
  },
  "details": "An unauthenticated attacker can obtain EV charger energy consumption information of other users.",
  "id": "GHSA-q267-qx6f-jxqx",
  "modified": "2025-04-16T00:31:38Z",
  "published": "2025-04-16T00:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31950"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.