CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3227 vulnerabilities reference this CWE, most recent first.
GHSA-WWGC-F5XV-4VVC
Vulnerability from github – Published: 2024-05-01 21:30 – Updated: 2024-07-03 18:38SQL injection vulnerability in Vaales Technologies V_QRS v.2024-01-17 allows a remote attacker to obtain sensitive information via the Models/UserModel.php component.
{
"affected": [],
"aliases": [
"CVE-2024-24312"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T19:15:22Z",
"severity": "HIGH"
},
"details": "SQL injection vulnerability in Vaales Technologies V_QRS v.2024-01-17 allows a remote attacker to obtain sensitive information via the Models/UserModel.php component.",
"id": "GHSA-wwgc-f5xv-4vvc",
"modified": "2024-07-03T18:38:22Z",
"published": "2024-05-01T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24312"
},
{
"type": "WEB",
"url": "https://www2.deloitte.com/xe/en/pages/about-deloitte/articles/sustainable-strategies/unveiling-vulnerabilities-in-cybersecurity.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWHQ-CX22-F7VV
Vulnerability from github – Published: 2026-05-14 20:25 – Updated: 2026-05-15 23:54Summary
An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (v0.8.12) of Open WebUI.
Details
In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows (https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) :
if channel.type in ['group', 'dm']:
if not Channels.is_user_channel_member(channel.id, user.id, db=db):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
else:
if (
user.role != 'admin'
and message.user_id != user.id
and not channel_has_access(user.id, channel, permission='write', strict=False, db=db)
):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
try:
message = Messages.update_message_by_id(message_id, form_data, db=db)
Non-group/dm types include a check for the user ID, while the group/dm type clearly lacks this verification.
PoC
The Channels feature is disabled by default and can be enabled first through the admin interface.
Create a group type channel with members including users test1 and test2.
POST /api/v1/channels/create HTTP/1.1
Content-Type: application/json
{
"name": "idor-test-group",
"type": "group",
"user_ids": [
"cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c",
"b9997496-ff80-4c30-a366-95474f85e62b"
]
}
User test2 sends a message in the channel.
POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test2_token>
{"content":"This is test2 secret message"}
User test1 can directly modify the message that test2 just sent.
POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test1_token>
{"content":"HACKED BY TEST1 - message tampered!"}
Messages sent by administrators can also be modified.
Impact
Malicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.
Suggested Fix
Add a message ownership check in the group/dm branch of channels.py.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45385"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:25:40Z",
"nvd_published_at": "2026-05-15T21:16:36Z",
"severity": "MODERATE"
},
"details": "### Summary\nAn IDOR vulnerability exists in the Channels feature of `Open WebUI`, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (`v0.8.12`) of `Open WebUI`.\n\n### Details\nIn the `update_message_by_id` function, for `group` or `dm` type channels, only the caller\u0027s membership in the channel is checked via the `is_user_channel_member` function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows [(https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355)](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) :\n\n```python\nif channel.type in [\u0027group\u0027, \u0027dm\u0027]:\n if not Channels.is_user_channel_member(channel.id, user.id, db=db):\n raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\nelse:\n if (\n user.role != \u0027admin\u0027\n and message.user_id != user.id\n and not channel_has_access(user.id, channel, permission=\u0027write\u0027, strict=False, db=db)\n ):\n raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\n\ntry:\n message = Messages.update_message_by_id(message_id, form_data, db=db)\n```\n\nNon-group/dm types include a check for the user ID, while the `group/dm` type clearly lacks this verification.\n\n### PoC\nThe `Channels` feature is disabled by default and can be enabled first through the `admin` interface.\n\u003cimg width=\"1024\" height=\"618\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a36502e9-c6cd-41cd-a69c-8b6ac809768f\" /\u003e\n\nCreate a `group` type channel with members including users `test1` and `test2`.\n\n```\nPOST /api/v1/channels/create HTTP/1.1\nContent-Type: application/json\n\n{\n \"name\": \"idor-test-group\",\n \"type\": \"group\",\n \"user_ids\": [\n \"cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c\",\n \"b9997496-ff80-4c30-a366-95474f85e62b\"\n ]\n}\n```\n\nUser `test2` sends a message in the channel.\n\n```\nPOST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1\nContent-Type: application/json\nAuthorization: Bearer \u003ctest2_token\u003e\n\n{\"content\":\"This is test2 secret message\"}\n```\n\nUser `test1` can directly modify the message that `test2` just sent.\n\n```\nPOST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1\nContent-Type: application/json\nAuthorization: Bearer \u003ctest1_token\u003e\n\n{\"content\":\"HACKED BY TEST1 - message tampered!\"}\n```\n\u003cimg width=\"1024\" height=\"216\" alt=\"image\" src=\"https://github.com/user-attachments/assets/77646d01-d501-4732-ac37-3ffb69f9f01f\" /\u003e\n\nMessages sent by administrators can also be modified.\n\n\u003cimg width=\"1024\" height=\"419\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b32dc5eb-f810-41d3-b358-f000d8331761\" /\u003e\n\n\n### Impact\nMalicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.\n\n### Suggested Fix\nAdd a message ownership check in the `group/dm` branch of `channels.py`.",
"id": "GHSA-wwhq-cx22-f7vv",
"modified": "2026-05-15T23:54:10Z",
"published": "2026-05-14T20:25:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45385"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint"
}
GHSA-WWJF-GWRV-WH45
Vulnerability from github – Published: 2024-11-07 15:31 – Updated: 2024-11-07 18:26A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0-beta"
},
{
"fixed": "4.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-beta"
},
{
"fixed": "4.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43431"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-07T18:26:56Z",
"nvd_published_at": "2024-11-07T14:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.",
"id": "GHSA-wwjf-gwrv-wh45",
"modified": "2024-11-07T18:26:57Z",
"published": "2024-11-07T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43431"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304259"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=461199"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Moodle\u0027s IDOR in badges allows deletion of arbitrary badges"
}
GHSA-WX3F-PJJP-293H
Vulnerability from github – Published: 2025-02-13 09:31 – Updated: 2025-02-13 09:31The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, draft, or scheduled posts that they should not have access to by duplicating the post.
{
"affected": [],
"aliases": [
"CVE-2025-0661"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-13T07:15:10Z",
"severity": "MODERATE"
},
"details": "The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, draft, or scheduled posts that they should not have access to by duplicating the post.",
"id": "GHSA-wx3f-pjjp-293h",
"modified": "2025-02-13T09:31:26Z",
"published": "2025-02-13T09:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0661"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3236114/dethemekit-for-elementor/trunk/admin/includes/dep/admin-helper.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e2c937c-1ff8-4bcc-913b-83bade37d754?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WX3H-GCG8-JH5R
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.
{
"affected": [],
"aliases": [
"CVE-2026-3074"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:22Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.",
"id": "GHSA-wx3h-gcg8-jh5r",
"modified": "2026-05-14T06:31:33Z",
"published": "2026-05-14T06:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3074"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3556163"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591229"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXP2-F9FF-28C6
Vulnerability from github – Published: 2025-12-12 06:31 – Updated: 2026-04-08 18:34The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.
{
"affected": [],
"aliases": [
"CVE-2025-12883"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-12T04:15:40Z",
"severity": "MODERATE"
},
"details": "The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.",
"id": "GHSA-wxp2-f9ff-28c6",
"modified": "2026-04-08T18:34:00Z",
"published": "2025-12-12T06:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12883"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/campay-api/tags/1.2.2\u0026new_path=/campay-api/tags/1.2.3\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/campay-api"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f12fa00-6108-4bd4-9310-8558211f4d0f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXXJ-XQH4-VHM2
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2023-05-16 21:30Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly.
{
"affected": [],
"aliases": [
"CVE-2019-18998"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-17T19:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly.",
"id": "GHSA-wxxj-xqh4-vhm2",
"modified": "2023-05-16T21:30:17Z",
"published": "2022-05-24T17:09:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18998"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X26H-XMV8-GXF7
Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42Summary
On a multi-tenant stigmem node, RTBF (right-to-be-forgotten) tombstones were mis-scoped two ways. (1) issue_tombstone defaulted the tenant to "default" instead of the caller's tenant, so tombstones could be written to the wrong tenant. (2) The read-suppression path — _get_tombstone_filter (routes/facts/common.py) and the _tombstone_scope_cache (lifecycle/tombstones.py) — had no tenant_id predicate, so tombstone suppression was applied tenant-blind across fact queries and provenance. Reached via /v1/tombstones and the fact query/provenance read paths.
Impact
Cross-tenant integrity of the RTBF mechanism: a tenant's deletion request could be recorded against the wrong tenant, and tombstone suppression could hide — or fail to hide — facts across tenant boundaries, undermining both data-view correctness and RTBF guarantees.
Affected configurations
This is a cross-tenant break. It is exploitable only on deployments running the opt-in stigmem-plugin-multi-tenant (multiple tenants on one node). A default single-tenant node has only tenant="default" — there is no second tenant to cross — so it is not exploitable on default deployments. The rating is HIGH for the multi-tenant deployments the plugin exists to isolate.
Patches
Fixed in 0.9.0a12 (PR #728): identity.tenant_id is passed from issue_tombstone into create_tombstone (no more "default" fallback); AND tenant_id = ? was added to _get_tombstone_filter and get_tombstone_status; the suppression cache is re-keyed to include tenant; and all four read call sites thread the caller's tenant. A tenant-B tombstone now suppresses only tenant-B facts and is invisible to tenant-A reads.
Workarounds
None other than upgrading to 0.9.0a12. Single-tenant deployments are unaffected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "stigmem-node"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0a12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:42:57Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nOn a multi-tenant stigmem node, RTBF (right-to-be-forgotten) tombstones were mis-scoped two ways. (1) `issue_tombstone` defaulted the tenant to `\"default\"` instead of the caller\u0027s tenant, so tombstones could be written to the wrong tenant. (2) The read-suppression path \u2014 `_get_tombstone_filter` (`routes/facts/common.py`) and the `_tombstone_scope_cache` (`lifecycle/tombstones.py`) \u2014 had no `tenant_id` predicate, so tombstone suppression was applied tenant-blind across fact queries and provenance. Reached via `/v1/tombstones` and the fact query/provenance read paths.\n\n### Impact\nCross-tenant integrity of the RTBF mechanism: a tenant\u0027s deletion request could be recorded against the wrong tenant, and tombstone suppression could hide \u2014 or fail to hide \u2014 facts across tenant boundaries, undermining both data-view correctness and RTBF guarantees.\n\n### Affected configurations\nThis is a cross-**tenant** break. It is exploitable **only** on deployments running the opt-in `stigmem-plugin-multi-tenant` (multiple tenants on one node). A default single-tenant node has only `tenant=\"default\"` \u2014 there is no second tenant to cross \u2014 so it is **not exploitable** on default deployments. The rating is HIGH for the multi-tenant deployments the plugin exists to isolate.\n\n### Patches\nFixed in `0.9.0a12` (PR #728): `identity.tenant_id` is passed from `issue_tombstone` into `create_tombstone` (no more `\"default\"` fallback); `AND tenant_id = ?` was added to `_get_tombstone_filter` and `get_tombstone_status`; the suppression cache is re-keyed to include tenant; and all four read call sites thread the caller\u0027s tenant. A tenant-B tombstone now suppresses only tenant-B facts and is invisible to tenant-A reads.\n\n### Workarounds\nNone other than upgrading to `0.9.0a12`. Single-tenant deployments are unaffected.",
"id": "GHSA-x26h-xmv8-gxf7",
"modified": "2026-06-19T21:42:57Z",
"published": "2026-06-19T21:42:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eidetic-labs/stigmem/security/advisories/GHSA-x26h-xmv8-gxf7"
},
{
"type": "WEB",
"url": "https://github.com/eidetic-labs/stigmem/pull/728"
},
{
"type": "PACKAGE",
"url": "https://github.com/eidetic-labs/stigmem"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)"
}
GHSA-X26P-4QC2-77FW
Vulnerability from github – Published: 2025-05-01 12:31 – Updated: 2025-05-01 12:31The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.
{
"affected": [],
"aliases": [
"CVE-2025-3874"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T12:15:17Z",
"severity": "MODERATE"
},
"details": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.",
"id": "GHSA-x26p-4qc2-77fw",
"modified": "2025-05-01T12:31:16Z",
"published": "2025-05-01T12:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3874"
},
{
"type": "WEB",
"url": "https://developer.wordpress.org/reference/functions/wp_generate_password"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L32"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L68"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L158"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L265"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L525"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3284572"
},
{
"type": "WEB",
"url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2FP-HJ8C-MMXH
Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-06-24 20:57Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8204"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T18:12:55Z",
"nvd_published_at": "2026-05-21T21:16:33Z",
"severity": "MODERATE"
},
"details": "Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data.",
"id": "GHSA-x2fp-hj8c-mmxh",
"modified": "2026-06-24T20:57:23Z",
"published": "2026-05-21T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8204"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.