Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3256 vulnerabilities reference this CWE, most recent first.

GHSA-Q287-HPW8-Q93X

Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2025-02-13 21:31
VLAI
Details

Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-05T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform.",
  "id": "GHSA-q287-hpw8-q93x",
  "modified": "2025-02-13T21:31:42Z",
  "published": "2023-04-05T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0967"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/ingrosso"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IMA-WorldHealth/bhima"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q28V-664F-Q6WJ

Vulnerability from github – Published: 2025-07-14 19:24 – Updated: 2025-07-22 18:33
VLAI
Summary
Indico vulnerability allows attackers to bulk dump user details
Details

Impact

An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.

[!TIP] If your instance allows everyone to create a user account, and you wish to truly restrict access to these user details, consider restricting user search to managers. You can find details on the newly introduced indico.conf setting ALLOW_PUBLIC_USER_SEARCH in our documentation.

Patches

You should to update to Indico 3.3.7 as soon as possible. See the docs for instructions on how to update.

Workarounds

It is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.

For more information

If you have any questions or comments about this advisory:

Credits

This vulnerability was identified during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa). The research and testing were performed by a security researcher working under RNP’s authorization and coordination. Special acknowledgment goes to the RNP Security Team, which provided the infrastructure, methodology, and ethical oversight for this work.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "3.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-14T19:24:03Z",
    "nvd_published_at": "2025-07-14T21:15:27Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAn endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.\n\n\u003e [!TIP]\n\u003e If your instance allows everyone to create a user account, and you wish to truly restrict access to these user details, consider restricting user search to managers. You can find details on the newly introduced indico.conf setting [`ALLOW_PUBLIC_USER_SEARCH`](https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH) in our documentation.\n\n### Patches\nYou should to update to [Indico 3.3.7](https://github.com/indico/indico/releases/tag/v3.3.7) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\nIt is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)\n\n#### Credits\nThis vulnerability was identified during a security assessment conducted as part of the Red Team Residency Program at RNP (Rede Nacional de Ensino e Pesquisa).\nThe research and testing were performed by a security researcher working under RNP\u2019s authorization and coordination.\nSpecial acknowledgment goes to the RNP Security Team, which provided the infrastructure, methodology, and ethical oversight for this work.",
  "id": "GHSA-q28v-664f-q6wj",
  "modified": "2025-07-22T18:33:40Z",
  "published": "2025-07-14T19:24:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53640"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1"
    },
    {
      "type": "WEB",
      "url": "https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH"
    },
    {
      "type": "WEB",
      "url": "https://docs.getindico.io/en/stable/installation/upgrade"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/indico/indico"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/releases/tag/v3.3.7"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Indico vulnerability allows attackers to bulk dump user details"
}

GHSA-Q28X-6284-27XQ

Vulnerability from github – Published: 2025-12-18 15:30 – Updated: 2025-12-18 15:30
VLAI
Details

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T13:15:46Z",
    "severity": "MODERATE"
  },
  "details": "The HUSKY \u2013 Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the \"woof_add_subscr\" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.",
  "id": "GHSA-q28x-6284-27xq",
  "modified": "2025-12-18T15:30:42Z",
  "published": "2025-12-18T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13110"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3412492/woocommerce-products-filter"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3415428/woocommerce-products-filter"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ea2dfc5-0dcc-4ea1-9ade-d59021e078fa?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2F8-HPWM-236J

Vulnerability from github – Published: 2026-07-03 15:31 – Updated: 2026-07-03 15:31
VLAI
Details

Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-59234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T13:17:30Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)-\u003edelete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users\u0027 calendar events across the platform.",
  "id": "GHSA-q2f8-hpwm-236j",
  "modified": "2026-07-03T15:31:57Z",
  "published": "2026-07-03T15:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59234"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3"
    },
    {
      "type": "WEB",
      "url": "https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q2PM-9565-7WM6

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:16:37Z",
    "severity": "HIGH"
  },
  "details": "Custom role Insecure Direct Object References (IDOR) in Projectopia \u003c= 5.1.25.2 versions.",
  "id": "GHSA-q2pm-9565-7wm6",
  "modified": "2026-06-15T21:30:43Z",
  "published": "2026-06-15T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59133"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/projectopia-core/vulnerability/wordpress-projectopia-plugin-5-1-19-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2QC-744P-66R2

Vulnerability from github – Published: 2026-03-29 15:47 – Updated: 2026-03-29 15:47
VLAI
Summary
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
Details

Summary

session_status sessionId resolution bypasses sandboxed session-tree visibility

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: >= 2026.3.11, <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

session_status previously resolved a sessionId to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit sessionKey. Commit d9810811b6c3c9266d7580f00574e5e02f7663de enforces visibility after sessionId resolution so sandboxed callers cannot escape their session tree.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit d9810811b6c3c9266d7580f00574e5e02f7663de.

Fix Commit(s)

  • d9810811b6c3c9266d7580f00574e5e02f7663de
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.3.11"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:47:50Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`session_status` sessionId resolution bypasses sandboxed session-tree visibility\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003e= 2026.3.11, \u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\n`session_status` previously resolved a `sessionId` to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit `sessionKey`. Commit `d9810811b6c3c9266d7580f00574e5e02f7663de` enforces visibility after `sessionId` resolution so sandboxed callers cannot escape their session tree.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d9810811b6c3c9266d7580f00574e5e02f7663de`.\n\n## Fix Commit(s)\n\n- `d9810811b6c3c9266d7580f00574e5e02f7663de`",
  "id": "GHSA-q2qc-744p-66r2",
  "modified": "2026-03-29T15:47:50Z",
  "published": "2026-03-29T15:47:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/d9810811b6c3c9266d7580f00574e5e02f7663de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility"
}

GHSA-Q2XV-553M-PCWQ

Vulnerability from github – Published: 2025-03-08 06:30 – Updated: 2025-03-12 18:32
VLAI
Details

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogallery_attachment_modal_save AJAX action due to missing validation on a user controlled key (img_id). This makes it possible for authenticated attackers, with granted access and above, to update arbitrary post and page content. This requires the Gallery Creator Role setting to be a value lower than 'Editor' for there to be any real impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-08T06:15:35Z",
    "severity": "MODERATE"
  },
  "details": "The FooGallery \u2013 Responsive Photo Gallery, Image Viewer, Justified, Masonry \u0026 Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogallery_attachment_modal_save AJAX action due to missing validation on a user controlled key (img_id). This makes it possible for authenticated attackers, with granted access and above, to update arbitrary post and page content. This requires the Gallery Creator Role setting to be a value lower than \u0027Editor\u0027 for there to be any real impact.",
  "id": "GHSA-q2xv-553m-pcwq",
  "modified": "2025-03-12T18:32:50Z",
  "published": "2025-03-08T06:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fooplugins/foogallery/blob/master/includes/admin/class-gallery-attachment-modal.php#L242"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3250684/foogallery/tags/2.4.30/includes/admin/class-gallery-attachment-modal.php?old=3229839\u0026old_path=foogallery%2Ftags%2F2.4.29%2Fincludes%2Fadmin%2Fclass-gallery-attachment-modal.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe3ad9-247f-4e5d-8c79-0970afaa7729?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q32F-R8PM-4X22

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 21:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Roam: from n/a through <= 2.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Roam: from n/a through \u003c= 2.1.1.",
  "id": "GHSA-q32f-r8pm-4x22",
  "modified": "2026-01-27T21:31:43Z",
  "published": "2026-01-22T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22407"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/roam/vulnerability/wordpress-roam-theme-2-1-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q39G-Q5QR-XX67

Vulnerability from github – Published: 2026-05-14 15:31 – Updated: 2026-05-14 15:31
VLAI
Details

Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T13:16:21Z",
    "severity": "HIGH"
  },
  "details": "Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the \u2018/app/FrontController\u2019 endpoint, through manipulation of the \u2018employeeID\u2019 parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.",
  "id": "GHSA-q39g-q5qr-xx67",
  "modified": "2026-05-14T15:31:58Z",
  "published": "2026-05-14T15:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5798"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q3F8-G276-Q49F

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-11T01:32:00Z",
    "severity": "MODERATE"
  },
  "details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.",
  "id": "GHSA-q3f8-g276-q49f",
  "modified": "2022-05-13T01:43:40Z",
  "published": "2022-05-13T01:43:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15203"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
    },
    {
      "type": "WEB",
      "url": "https://kanboard.net/news/version-1.0.47"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/10/04/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.