CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3256 vulnerabilities reference this CWE, most recent first.
GHSA-PW86-QVX9-34R7
Vulnerability from github – Published: 2025-09-30 21:31 – Updated: 2025-12-17 00:00Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.portal.security.audit.web"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.1"
},
{
"fixed": "5.0.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.portal.security.audit.storage.service"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.4"
},
{
"fixed": "6.0.41"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43827"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-01T15:56:54Z",
"nvd_published_at": "2025-09-30T19:15:37Z",
"severity": "MODERATE"
},
"details": "Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users to from one virtual instance to view the audit events from a different virtual instance via the `_com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId` parameter.",
"id": "GHSA-pw86-qvx9-34r7",
"modified": "2025-12-17T00:00:18Z",
"published": "2025-09-30T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43827"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/a14427e2338477001f86a9e65fdddb843c319818"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/d85c2f24397dcb7d9e51e7bd292dd29268efb132"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/f99602a23ce1b3aa12b2625441cfaa17bfbd22b6"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-17938"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43827"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal Vulnerable to IDOR via audit events"
}
GHSA-PW89-GXGV-MJVM
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-02 18:30Instructure Canvas LMS didn't properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).
{
"affected": [],
"aliases": [
"CVE-2021-36539"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:15:00Z",
"severity": "MODERATE"
},
"details": "Instructure Canvas LMS didn\u0027t properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).",
"id": "GHSA-pw89-gxgv-mjvm",
"modified": "2023-02-02T18:30:30Z",
"published": "2023-01-26T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36539"
},
{
"type": "WEB",
"url": "https://github.com/instructure/canvas-lms/issues/1905"
},
{
"type": "WEB",
"url": "https://github.com/gaukas/instructure-canvas-file-oracle"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PWRF-Q7H8-JJR7
Vulnerability from github – Published: 2019-11-08 20:06 – Updated: 2021-05-10 17:22In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "bagisto/bagisto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16403"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2019-09-25T12:47:46Z",
"nvd_published_at": "2019-09-18T12:15:00Z",
"severity": "MODERATE"
},
"details": "In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.",
"id": "GHSA-pwrf-q7h8-jjr7",
"modified": "2021-05-10T17:22:09Z",
"published": "2019-11-08T20:06:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16403"
},
{
"type": "WEB",
"url": "https://github.com/bagisto/bagisto/issues/749"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass Through User-Controlled Key in Bagisto"
}
GHSA-PWW3-X2G7-X8Q2
Vulnerability from github – Published: 2024-04-12 00:30 – Updated: 2024-04-12 21:26An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "reportico-web/reportico"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48865"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-12T21:26:13Z",
"nvd_published_at": "2024-04-11T22:15:13Z",
"severity": "MODERATE"
},
"details": "An issue discovered in Reportico Till 8.1.0 allows attackers to obtain sensitive information via execute_mode parameter of the URL.",
"id": "GHSA-pww3-x2g7-x8q2",
"modified": "2024-04-12T21:26:13Z",
"published": "2024-04-12T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48865"
},
{
"type": "WEB",
"url": "https://github.com/reportico-web/reportico/issues/51"
},
{
"type": "WEB",
"url": "https://gist.github.com/aashiqahamedn/39383cfbc639cbdc3e1a7d74b977aeae"
},
{
"type": "PACKAGE",
"url": "https://github.com/reportico-web/reportico"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Reportico affected by Incorrect Access Control"
}
GHSA-PWW7-G5G9-2865
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.
{
"affected": [],
"aliases": [
"CVE-2025-58012"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:16:02Z",
"severity": "LOW"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mask: from n/a through 1.8.5.2.",
"id": "GHSA-pww7-g5g9-2865",
"modified": "2026-04-01T18:36:13Z",
"published": "2025-09-22T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58012"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/content-mask/vulnerability/wordpress-content-mask-plugin-1-8-5-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PX32-V334-CGRW
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied form_id query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.
{
"affected": [],
"aliases": [
"CVE-2026-5396"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:24Z",
"severity": "HIGH"
},
"details": "The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.",
"id": "GHSA-px32-v334-cgrw",
"modified": "2026-05-14T06:31:33Z",
"published": "2026-05-14T06:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5396"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/fluentform/tags/6.1.21/app/Http/Policies/SubmissionPolicy.php\u0026new_path=/fluentform/tags/6.2.0/app/Http/Policies/SubmissionPolicy.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81aad41e-0330-4dff-a5f8-08a108d724f5?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX6J-WC84-GWHF
Vulnerability from github – Published: 2025-11-26 21:31 – Updated: 2025-11-28 21:31Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
{
"affected": [],
"aliases": [
"CVE-2025-65672"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-26T19:15:47Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.",
"id": "GHSA-px6j-wc84-gwhf",
"modified": "2025-11-28T21:31:18Z",
"published": "2025-11-26T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65672"
},
{
"type": "WEB",
"url": "https://github.com/Rivek619/CVE-2025-65672"
},
{
"type": "WEB",
"url": "https://github.com/classroomio/classroomio"
},
{
"type": "WEB",
"url": "http://classroomio.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PXRF-6XC9-MC6J
Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2024-03-21 03:33An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.
{
"affected": [],
"aliases": [
"CVE-2020-9384"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters.",
"id": "GHSA-pxrf-6xc9-mc6j",
"modified": "2024-03-21T03:33:54Z",
"published": "2022-05-24T17:14:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9384"
},
{
"type": "WEB",
"url": "https://www.subex.com/partner-settlement"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/157197/Subex-ROC-Partner-Settlement-10.5-Insecure-Direct-Object-Reference.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q25C-R482-77P9
Vulnerability from github – Published: 2024-09-17 15:31 – Updated: 2025-03-19 14:58An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "10.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "in2code/powermail"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47047"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T21:29:11Z",
"nvd_published_at": "2024-09-17T14:15:17Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.",
"id": "GHSA-q25c-r482-77p9",
"modified": "2025-03-19T14:58:20Z",
"published": "2024-09-17T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47047"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/095a17637b6370aefd5390663cc11af47210f575"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/682194d71a5f67fa39d899a9625ba69bb62f9bd8"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/91015da289111b86b8dbcb2553d5a722b944231e"
},
{
"type": "WEB",
"url": "https://github.com/in2code-de/powermail/commit/bbadb8d7a71ddb469d07d106551938c91465b811"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-47047.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/in2code-de/powermail"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2024-007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "powermail TYPO3 extension has Insecure Direct Object Reference"
}
GHSA-Q267-QX6F-JXQX
Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31An unauthenticated attacker can obtain EV charger energy consumption information of other users.
{
"affected": [],
"aliases": [
"CVE-2025-31950"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T22:15:27Z",
"severity": "MODERATE"
},
"details": "An unauthenticated attacker can obtain EV charger energy consumption information of other users.",
"id": "GHSA-q267-qx6f-jxqx",
"modified": "2025-04-16T00:31:38Z",
"published": "2025-04-16T00:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31950"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.