VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base | Status: Incomplete | Likelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 34 of 54
  • CVE-2025-58597 (Med, Sep 3, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through <= 2.4.6.

  • CVE-2025-9836 (Med, Sep 2, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was found in macrozheng mall up to 1.0.3. This vulnerability affects the function paySuccess of the file /order/paySuccess. The manipulation of the argument orderId results in authorization bypass. The attack can be launched remotely. The exploit has been made…

  • CVE-2025-9835 (Med, Sep 2, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability has been found in macrozheng mall up to 1.0.3. This affects the function cancelOrder of the file /order/cancelUserOrder. The manipulation of the argument orderId leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed…

  • CVE-2025-9263 (Med, Aug 20, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of…

  • CVE-2025-8789 (Med, Aug 10, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The manipulation leads to authorization bypass. It is possible to initiate the attack…

  • CVE-2025-50340 (Med, Aug 4, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify…

  • CVE-2025-7938 (Med, Jul 21, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The…

  • CVE-2025-49978 (Med, Jun 20, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in eyecix JobSearch wp-jobsearch allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobSearch: from n/a through < 3.0.6.

  • CVE-2025-1284 (Med, Apr 24, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user…

  • CVE-2025-39434 (Med, Apr 17, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through <= 0.1.4.

  • CVE-2025-30777 (Med, Mar 27, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in DevItems Support Genix support-genix-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Support Genix: from n/a through <= 1.4.11.

  • CVE-2025-27436 (Med, Mar 11, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a…

  • CVE-2025-27433 (Med, Mar 11, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The Manage Bank Statements in SAP S/4HANA allows an authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on…

  • CVE-2025-26660 (Med, Mar 11, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application,…

  • CVE-2024-13841 (Med, Feb 7, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via the 'bse-elementor-template' shortcode due to insufficient restrictions on which posts can…

  • CVE-2025-22695 (Med, Feb 3, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in NirWp Team Nirweb support nirweb-support. This issue affects Nirweb support: from n/a through <= 3.0.3.

  • CVE-2024-10775 (Med, Jan 15, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.4.32 via the 'pafe-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated…

  • CVE-2024-12116 (Med, Jan 11, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the 'uta-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible…

  • CVE-2024-11915 (Med, Jan 11, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The RRAddons for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.0 via the Popup block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with…

  • CVE-2024-12472 (Med, Jan 11, 2025)
    risk 0.28 | cvss 4.3 | epss 0.00

    The Post Duplicator plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the mtphr_duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated…