CVE-2022-30852
Description
Known v1.3.1 is vulnerable to an Insecure Direct Object Reference (IDOR), allowing unauthorized access to resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Known is a social publishing platform for groups and individuals [1]. In version 1.3.1, an Insecure Direct Object Reference (IDOR) vulnerability exists [2]. IDOR occurs when an application exposes direct references to internal objects, such as database keys or file paths, without proper access control checks, enabling attackers to manipulate these references to access unauthorized data [2].
An attacker can exploit this vulnerability by modifying object references in URLs, form parameters, or API calls. The attack does not necessarily require authentication if the vulnerable endpoint is publicly accessible. The specific attack surface depends on which objects are referenced directly; common targets include user profiles, posts, or media files [2].
Successful exploitation could allow an attacker to view, modify, or delete content belonging to other users, potentially leading to data exposure, privilege escalation, or account takeover. The exact impact is determined by the privileges of the affected object and the functionality exposed [2].
As of the publication date, no official patch has been confirmed for version 1.3.1. Operators of self-hosted instances are advised to upgrade to a newer version of Known if one is available, or, failing that, to add server-side ownership checks to the affected code paths as a local patch. A blog post detailing multiple vulnerabilities in Known, including this IDOR, is referenced in the NVD entry [2]. The official Known website provides general information about the platform [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| idno/known (Packagist) | <= 1.3.1 | — |
Affected products
2 (not itemized on this page)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check on user-controlled key allows access to another user's data."
Attack vector
An attacker can exploit an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] by modifying a user-controlled key value (such as a record ID or object identifier) in a request to access another user's private data. The system's authorization logic fails to verify that the authenticated user is the owner of the resource identified by the key, allowing unauthorized access to another user's records [ref_id=1]. The advisory does not specify the exact HTTP request parameters or endpoints involved.
Affected code
The advisory does not specify which functions, files, or code paths are at fault. The referenced GitHub repository [ref_id=1] is the Known social publishing platform, but no specific vulnerable endpoint or file is identified in the available information.
What the fix does
No patch or fix is included in the available information. The advisory [ref_id=1] does not provide remediation guidance or a commit diff. To close this vulnerability, the application would need to enforce ownership checks on every resource access, ensuring that the authenticated user's identity matches the owner of the resource identified by the user-controlled key [CWE-639].
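The attack vector and fix described above, as an added example that is not Known's code: the advisory names no endpoint or file, so the `POSTS` store, the request shape and the handler names below are hypothetical. The vulnerable handler returns whatever object the user-controlled key points at; the hardened handler ties access to the server-side identity and answers a foreign private object exactly like a missing one. The `sweep` helper goes one step beyond the text to show why sequential keys turn a single IDOR into bulk harvesting.

```python
"""Illustrative IDOR (CWE-639) and its fix. Added example; not Known's code.

The advisory names no endpoint or file, so the store, request shape and
handler names here are hypothetical stand-ins for a CMS object lookup.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


class NotFound(Exception):
    """Raised by the hardened handler for missing AND foreign private objects."""


@dataclass(frozen=True)
class Post:
    post_id: int
    owner: str
    private: bool
    body: str


# Constructed sample data standing in for a database table keyed by
# a sequential integer (the 'user-controlled key' of CWE-639).
POSTS = {
    101: Post(101, "alice", private=True, body="alice draft"),
    102: Post(102, "bob", private=True, body="bob draft"),
    103: Post(103, "bob", private=False, body="bob public post"),
}

Handler = Callable[[str, int], Post]


def vulnerable_get_post(current_user: str, post_id: int) -> Post:
    """Looks the object up purely by the key supplied in the request.

    current_user is authenticated but never consulted, so changing
    post_id from 102 to 101 hands bob alice's private draft.
    """
    post = POSTS.get(post_id)
    if post is None:
        raise NotFound(post_id)
    return post


def hardened_get_post(current_user: str, post_id: int) -> Post:
    """Enforces ownership against the server-side session identity.

    A private object is returned only to its owner. A foreign private
    object raises the same NotFound as a missing one, so the response
    does not tell an attacker which IDs exist.
    """
    post = POSTS.get(post_id)
    if post is None or (post.private and post.owner != current_user):
        raise NotFound(post_id)
    return post


def idor_attempt(handler: Handler, attacker: str, victim_post_id: int) -> Optional[str]:
    """Simulates the attacker tampering with the key.

    Returns the leaked body, or None when the handler refuses.
    """
    try:
        return handler(attacker, victim_post_id).body
    except NotFound:
        return None


def sweep(handler: Handler, attacker: str, ids: Iterable[int]) -> List[int]:
    """Enumerates a key range and returns every ID the handler disclosed.

    With sequential keys and no ownership check this is the whole table.
    """
    return [i for i in ids if idor_attempt(handler, attacker, i) is not None]


if __name__ == "__main__":
    print("vulnerable:", idor_attempt(vulnerable_get_post, "bob", 101))
    print("hardened:  ", idor_attempt(hardened_get_post, "bob", 101))
    print("sweep (vulnerable):", sweep(vulnerable_get_post, "bob", range(100, 105)))
    print("sweep (hardened):  ", sweep(hardened_get_post, "bob", range(100, 105)))
```

The design choice worth copying is that the check lives in the lookup itself rather than in each caller, so a new endpoint cannot forget it, and that denial is indistinguishable from absence; returning 403 for foreign objects and 404 for missing ones would leak the ID space to the same enumeration loop.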
Preconditions
- auth: The attacker must be an authenticated user of the Known platform.
- input: The application must expose a resource endpoint that uses a user-controlled identifier (e.g., a numeric or UUID record ID) without verifying ownership.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4v4p-87m3-5423 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-30852 (NVD)
- blog.jitendrapatro.me/multiple-vulnerabilities-in-idno-known-php-cms-software/ (blog post; MITRE refsource MISC)
- withknown.com (vendor site; MITRE refsource MISC)
News mentions
No linked articles in our index yet.