VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Base | Incomplete | Likelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 37 of 54
  • CVE-2023-0691 | Med | Jun 9, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive…

  • CVE-2021-22967 | Nov 19, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    In Concrete CMS (formerly concrete5) below 8.5.7, an IDOR allows an unauthenticated user to access restricted files if allowed to add a message to a conversation. To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message…

  • CVE-2018-16971 | Med | Sep 12, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to access non-purchased course contents (quiz / test) via a modified id parameter.

  • CVE-2018-16704 | Med | Sep 7, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged-in users) to view the profile page of other users, as demonstrated by navigating to user/3 on demo.gleezcms.org.

  • CVE-2018-15833 | Med | Aug 26, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items).

  • CVE-2017-0920 | Med | Mar 22, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component, allowing an attacker to see every project name and their respective namespace on a GitLab…

  • CVE-2017-15211 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.

  • CVE-2017-15209 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.

  • CVE-2017-15208 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.

  • CVE-2017-15207 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.

  • CVE-2017-15206 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.

  • CVE-2017-15204 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.

  • CVE-2017-15203 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.

  • CVE-2017-15202 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user.

  • CVE-2017-15201 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user.

  • CVE-2017-15200 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user.

  • CVE-2017-15199 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.

  • CVE-2017-15197 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user.

  • CVE-2017-15196 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user.

  • CVE-2017-15195 | Med | Oct 11, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.