CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3252 vulnerabilities reference this CWE, most recent first.
GHSA-RGW7-RHH8-MGF9
Vulnerability from github – Published: 2025-04-24 21:31 – Updated: 2025-04-25 18:31Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks.
{
"affected": [],
"aliases": [
"CVE-2025-25777"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-24T21:15:23Z",
"severity": "HIGH"
},
"details": "Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user\u0027s profile without proper authentication or authorization checks.",
"id": "GHSA-rgw7-rhh8-mgf9",
"modified": "2025-04-25T18:31:10Z",
"published": "2025-04-24T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25777"
},
{
"type": "WEB",
"url": "https://codeastro.com/bus-ticket-booking-system-in-php-codeigniter-with-source-code"
},
{
"type": "WEB",
"url": "https://github.com/arunmodi/Vulnerability-Research/tree/main/CVE-2025-25777"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RH45-2VQ5-CMF2
Vulnerability from github – Published: 2025-11-10 15:31 – Updated: 2025-11-10 15:31In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget
{
"affected": [],
"aliases": [
"CVE-2025-64688"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T14:15:44Z",
"severity": "HIGH"
},
"details": "In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget",
"id": "GHSA-rh45-2vq5-cmf2",
"modified": "2025-11-10T15:31:05Z",
"published": "2025-11-10T15:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64688"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RH5Q-2GVC-HR3M
Vulnerability from github – Published: 2025-11-01 09:30 – Updated: 2025-11-01 09:30The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2025-6574"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-01T07:15:35Z",
"severity": "HIGH"
},
"details": "The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
"id": "GHSA-rh5q-2gvc-hr3m",
"modified": "2025-11-01T09:30:17Z",
"published": "2025-11-01T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6574"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/264cb002-bf40-4cc2-9c21-cda9bb24f494?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RH7W-XCQ5-PCFP
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
{
"affected": [],
"aliases": [
"CVE-2017-15211"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-11T01:32:00Z",
"severity": "MODERATE"
},
"details": "In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.",
"id": "GHSA-rh7w-xcq5-pcfp",
"modified": "2022-05-13T01:43:41Z",
"published": "2022-05-13T01:43:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15211"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/074f6c104f3e49401ef0065540338fc2d4be79f0"
},
{
"type": "WEB",
"url": "https://github.com/kanboard/kanboard/commit/3e0f14ae2b0b5a44bd038a472f17eac75f538524"
},
{
"type": "WEB",
"url": "https://kanboard.net/news/version-1.0.47"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/10/04/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RHF5-F553-XG82
Vulnerability from github – Published: 2021-11-23 18:18 – Updated: 2021-11-22 18:22Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations were put in place a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise users.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-22951"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-22T18:21:13Z",
"nvd_published_at": "2021-11-19T19:15:00Z",
"severity": "MODERATE"
},
"details": "Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations were put in place a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise users.",
"id": "GHSA-rhf5-f553-xg82",
"modified": "2021-11-22T18:22:30Z",
"published": "2021-11-23T18:18:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22951"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1102014"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Password exposure in concrete5/core"
}
GHSA-RHMP-R3FW-GGRC
Vulnerability from github – Published: 2024-11-23 06:32 – Updated: 2026-04-08 21:32The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.9 via the Advanced Tabs widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
{
"affected": [],
"aliases": [
"CVE-2024-10868"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-23T04:15:07Z",
"severity": "MODERATE"
},
"details": "The Enter Addons \u2013 Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.9 via the Advanced Tabs widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
"id": "GHSA-rhmp-r3fw-ggrc",
"modified": "2026-04-08T21:32:57Z",
"published": "2024-11-23T06:32:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10868"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3195822%40enteraddons%2Ftrunk\u0026old=3148550%40enteraddons%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/enteraddons"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff8e8889-ec02-4b8d-9509-2c6335fdd9a4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RHQ7-G7CH-6MM7
Vulnerability from github – Published: 2026-01-08 12:30 – Updated: 2026-01-20 15:33Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woffice Core: from n/a through <= 5.4.30.
{
"affected": [],
"aliases": [
"CVE-2025-67919"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-08T10:15:50Z",
"severity": "HIGH"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woffice Core: from n/a through \u003c= 5.4.30.",
"id": "GHSA-rhq7-g7ch-6mm7",
"modified": "2026-01-20T15:33:09Z",
"published": "2026-01-08T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67919"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/woffice-core/vulnerability/wordpress-woffice-core-plugin-5-4-30-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/woffice-core/vulnerability/wordpress-woffice-core-plugin-5-4-30-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RJ4P-QC9G-J2P3
Vulnerability from github – Published: 2025-12-05 00:31 – Updated: 2025-12-05 00:31The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request.
{
"affected": [],
"aliases": [
"CVE-2025-13932"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T22:15:47Z",
"severity": "HIGH"
},
"details": "The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request.",
"id": "GHSA-rj4p-qc9g-j2p3",
"modified": "2025-12-05T00:31:05Z",
"published": "2025-12-05T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13932"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJV6-GJ2V-MH9H
Vulnerability from github – Published: 2025-05-26 12:30 – Updated: 2025-05-26 12:30A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2025-5182"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-26T11:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.",
"id": "GHSA-rjv6-gj2v-mh9h",
"modified": "2025-05-26T12:30:30Z",
"published": "2025-05-26T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5182"
},
{
"type": "WEB",
"url": "https://github.com/Stolichnayer/Summer-Pearl-Group-IDOR-XSS"
},
{
"type": "WEB",
"url": "https://summerpearlgroup.gr/spgpm/releases"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.310270"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.310270"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=0wwuatTa6sU"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RM4X-93M8-4QCV
Vulnerability from github – Published: 2024-04-09 15:30 – Updated: 2025-02-07 21:30A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN.
Full versions and TV models affected:
webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA webOS 5.5.0 - 04.50.51 running on OLED55CXPUA webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
{
"affected": [],
"aliases": [
"CVE-2023-6317"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T14:15:07Z",
"severity": "HIGH"
},
"details": "A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN.\u00a0\n\nFull versions and TV models affected:\n\nwebOS 4.9.7 - 5.30.40 running on LG43UM7000PLA \nwebOS 5.5.0 - 04.50.51 running on OLED55CXPUA \nwebOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB \u00a0\nwebOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA",
"id": "GHSA-rm4x-93m8-4qcv",
"modified": "2025-02-07T21:30:51Z",
"published": "2024-04-09T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6317"
},
{
"type": "WEB",
"url": "https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com/bulletins/tv#updateDetails"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.