CWE-639

Authorization Bypass Through User-Controlled Key

Base, Incomplete, Likelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVEs mapped to this weakness (1,068)

  • CVE-2022-1810 (May 23, 2022)
    risk 0.00 cvss epss 0.01

    Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9.

  • CVE-2022-0731 (Feb 23, 2022)
    risk 0.00 cvss epss 0.01

    Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.

  • CVE-2022-0691 (Feb 21, 2022)
    risk 0.00 cvss epss 0.02

    Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

  • CVE-2022-0686 (Feb 20, 2022)
    risk 0.00 cvss epss 0.02

    Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

  • CVE-2022-0639 (Feb 17, 2022)
    risk 0.00 cvss epss 0.02

    Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

  • CVE-2022-0613 (Feb 16, 2022)
    risk 0.00 cvss epss 0.02

    Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.

  • CVE-2022-0512 (Feb 14, 2022)
    risk 0.00 cvss epss 0.02

    Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

  • CVE-2022-21713 (Feb 8, 2022)
    risk 0.00 cvss epss 0.01

    Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the…

  • CVE-2022-0266 (Jan 19, 2022)
    risk 0.00 cvss epss 0.01

    Authorization Bypass Through User-Controlled Key in Packagist remdex/livehelperchat prior to 3.92v.

  • CVE-2021-3964 (Dec 1, 2021)
    risk 0.00 cvss epss 0.01

    elgg is vulnerable to Authorization Bypass Through User-Controlled Key

  • CVE-2021-3992 (Dec 1, 2021)
    risk 0.00 cvss epss 0.01

    kimai2 is vulnerable to Improper Access Control

  • CVE-2021-22951 (Nov 19, 2021)
    risk 0.00 cvss epss 0.01

    Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered. For version 8.5.6, the…

  • CVE-2021-41129 (Oct 6, 2021)
    risk 0.00 cvss epss 0.02

    Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In…

  • CVE-2021-41120 (Oct 5, 2021)
    risk 0.00 cvss epss 0.01

    sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to predict. The problem is that the…

  • CVE-2021-36032 (Sep 1, 2021)
    risk 0.00 cvss epss 0.02

    Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve…

  • CVE-2021-37709 (Aug 16, 2021)
    risk 0.00 cvss epss 0.01

    Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3,…

  • CVE-2021-24374 (Jun 21, 2021)
    risk 0.00 cvss epss 0.01

    The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the…

  • CVE-2021-21022 (Feb 11, 2021)
    risk 0.00 cvss epss 0.02

    Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.

  • CVE-2017-18894 (Jun 19, 2020)
    risk 0.00 cvss epss 0.01

    An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes, resource-owner authorization is bypassed, allowing account takeover.

  • CVE-2017-18878 (Jun 19, 2020)
    risk 0.00 cvss epss 0.01

    An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.