CWE-639
Authorization Bypass Through User-Controlled Key
Description
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,068)
page 37 of 54

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-0691 | | Med | 0.28 | 4.3 | 0.01 | | Jun 9, 2023 | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive… |
| CVE-2021-22967 | | — | 0.28 | 4.3 | 0.01 | | Nov 19, 2021 | In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation. To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message… |
| CVE-2018-16971 | | Med | 0.28 | 4.3 | 0.01 | | Sep 12, 2018 | Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to access non-purchased course contents (quiz / test) via a modified id parameter. |
| CVE-2018-16704 | — | Med | 0.28 | 4.3 | 0.01 | | Sep 7, 2018 | An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged in users) to view profile page of other users, as demonstrated by navigating to user/3 on demo.gleezcms.org. |
| CVE-2018-15833 | | Med | 0.28 | 4.3 | 0.01 | | Aug 26, 2018 | In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items). |
| CVE-2017-0920 | | Med | 0.28 | 4.3 | 0.01 | | Mar 22, 2018 | GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab… |
| CVE-2017-15211 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. |
| CVE-2017-15209 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user. |
| CVE-2017-15208 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user. |
| CVE-2017-15207 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user. |
| CVE-2017-15206 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user. |
| CVE-2017-15204 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user. |
| CVE-2017-15203 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. |
| CVE-2017-15202 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user. |
| CVE-2017-15201 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user. |
| CVE-2017-15200 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user. |
| CVE-2017-15199 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description. |
| CVE-2017-15197 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user. |
| CVE-2017-15196 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user. |
| CVE-2017-15195 | | Med | 0.28 | 4.3 | 0.01 | | Oct 11, 2017 | In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user. |