CWE-639: Authorization Bypass Through User-Controlled Key

Exploit likelihood: High

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,796 vulnerabilities with CWE-639 (most recent shown; one entry per line as CVE, severity, CVSS score, title):

CVE-2025-50693 (MEDIUM, CVSS 6.5): PHPGurukul Online DJ Booking Management System 2.0 - IDOR
CVE-2025-3091 (HIGH, CVSS 7.5): Helmholz myREX24 and MB connect line mbCONNECT24/mymbCONNECT24 - Authentication Bypass
CVE-2025-6534 (MEDIUM, CVSS 4.2): xxyopen/201206030 novel-plus <5.1.3 - Improper Control of Resource ...
CVE-2025-49995 (MEDIUM, CVSS 5.3): dFactory Download Attachments <1.3.1 - Auth Bypass
CVE-2025-49978 (MEDIUM, CVSS 4.3): eyecix JobSearch <2.9.0 - Auth Bypass
CVE-2025-6329 (MEDIUM, CVSS 5.4): ScriptAndTools Real Estate Management System 1.0 - Auth Bypass
CVE-2025-5195 (MEDIUM, CVSS 4.3): GitLab 17.9-17.10.6, 17.11-17.11.2, 18.0 - Authenticated Authorization Bypass via Compliance Framework Access
CVE-2025-40661 (HIGH, CVSS 7.5): DM Corporative CMS < 2025.01 - Insecure Direct Object Reference via option Parameter
CVE-2025-40660 (HIGH, CVSS 7.5): DM Corporative CMS < 2025.01 - Insecure Direct Object Reference via Option Parameter
CVE-2025-40659 (HIGH, CVSS 7.5): DM Corporative CMS < 2025.01 - Insecure Direct Object Reference via option Parameter
CVE-2025-40658 (HIGH, CVSS 7.5): DM Corporative CMS < 2025.01 - Insecure Direct Object Reference via option Parameter
CVE-2025-4691 (MEDIUM, CVSS 5.3): Free Booking Plugin - Insecure Direct Object Reference
CVE-2025-40650 (HIGH): Clickedu - Insecure Direct Object Reference
CVE-2025-5182 (MEDIUM, CVSS 4.3): Summer Pearl Group Vacation Rental Management Platform < 1.0.2 - Authorization Bypass in Listing Handler
CVE-2025-5181 (LOW, CVSS 3.5): Summer Pearl Group Vacation Rental Management Platform < 1.0.2 - Cross-Site Scripting via spgLsTitle Parameter
CVE-2025-20114 (MEDIUM, CVSS 4.3): Cisco Unified Intelligence Center - Privilege Escalation
CVE-2025-24969 (MEDIUM, CVSS 5.0): iTop < 3.2.1 - Unauthorized Contact Picture Access via Picture ID Manipulation
CVE-2025-3769 (MEDIUM, CVSS 5.3): LatePoint - Calendar Booking Plugin - Info Disclosure
CVE-2025-3605 (CRITICAL, CVSS 9.8): Frontend Login & Registration Blocks <1.0.7 - Privilege Escalation
CVE-2025-3811 (CRITICAL, CVSS 9.8): WPBookit < 1.0.2 - Unauthenticated Privilege Escalation via Account Takeover
CVE-2025-3810 (CRITICAL, CVSS 9.8): WPBookit <= 1.0.2 - Unauthenticated Privilege Escalation via edit_profile_data()
CVE-2025-20214 (MEDIUM, CVSS 4.3): Cisco IOS XE - Authenticated Authorization Bypass via NACM Configuration Filtering
CVE-2025-3853 (MEDIUM, CVSS 6.5): WPshop 2-2.6.0 - Insecure Direct Object Reference
CVE-2025-3281 (MEDIUM, CVSS 5.3): WordPress <4.2.1 - Insecure Direct Object Reference
CVE-2025-3610 (HIGH, CVSS 8.8): Reales WP STPT <2.1.2 - Privilege Escalation