CWE-639: Authorization Bypass Through User-Controlled Key
Exploit likelihood: High
Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. This is the weakness behind findings usually reported as Insecure Direct Object Reference (IDOR): the server looks an object up by an identifier taken from the request (a record id, a file name, a user or role id) and never checks that the authenticated principal is entitled to that object, so changing the identifier is enough to read, modify or delete someone else's data.
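
An added example (not code from the page or from any of the products listed below) showing the two forms of CWE-639 that recur in the entries: an object key (task_id) looked up without an ownership check, and an identity key (admin_id) trusted from the client. Each is shown beside its fix. The toy task store, the users and the function and parameter names are assumptions constructed for the illustration.

```python
# Added example (not code from the page or from any product listed on it):
# two flavours of CWE-639 in a toy task-management API, each beside its fix.
# All users, tasks and request parameters below are constructed test data;
# the function and parameter names are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Task:
    task_id: int
    owner: str
    title: str


@dataclass
class User:
    name: str
    is_admin: bool = False


# Constructed sample state: sequential, guessable task ids (the usual IDOR setup).
USERS: Dict[str, User] = {
    "alice": User("alice"),
    "bob": User("bob"),
    "root": User("root", is_admin=True),
}
TASKS: Dict[int, Task] = {
    1: Task(1, "alice", "alice's private task"),
    2: Task(2, "bob", "bob's private task"),
}


# Flavour 1: object key (task_id) taken from the client, owner never checked.
def get_task_vulnerable(session_user: str, task_id: int) -> Optional[Task]:
    """CWE-639: the record is looked up by the user-controlled key alone, so bob
    can read task 1 simply by changing the id in the request."""
    return TASKS.get(task_id)


def get_task_fixed(session_user: str, task_id: int) -> Optional[Task]:
    """Ownership is enforced from the server-side session, not from the request.
    A foreign record and a missing record both yield None so the response does
    not reveal which ids exist (this also blocks id enumeration)."""
    task = TASKS.get(task_id)
    if task is None or task.owner != session_user:
        return None
    return task


# Flavour 2: identity/role key (admin_id) taken from the client.
def delete_task_vulnerable(request: Dict[str, object]) -> bool:
    """CWE-639: the handler trusts the 'admin_id' field in the request body to
    decide who is acting; any user can submit admin_id='root'."""
    actor = USERS.get(str(request["admin_id"]))
    if actor is None or not actor.is_admin:
        return False
    TASKS.pop(int(request["task_id"]), None)
    return True


def delete_task_fixed(session_user: str, request: Dict[str, object]) -> bool:
    """The actor is the authenticated session principal; an 'admin_id' field in
    the request is ignored and the role is read from server-side state."""
    actor = USERS.get(session_user)
    if actor is None or not actor.is_admin:
        return False
    TASKS.pop(int(request["task_id"]), None)
    return True


if __name__ == "__main__":
    # bob attacks alice's task through both flavours.
    print("vuln read:", get_task_vulnerable("bob", 1))        # alice's task leaks
    print("fixed read:", get_task_fixed("bob", 1))            # None
    forged = {"admin_id": "root", "task_id": 1}
    print("vuln delete:", delete_task_vulnerable(forged))     # True
    print("fixed delete:", delete_task_fixed("bob", forged))  # False
```

The fix in both cases rests on the same rule: the key that decides authorization comes from the server-side session, never from the request, and the lookup is scoped to that principal. Returning the same empty result for a missing object and for a foreign one stops the endpoint from confirming which ids exist, which matters when ids are sequential as in the constructed store above.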

1,822 vulnerabilities with CWE-639

CVE ID          Severity  CVSS  Title
CVE-2024-29020  MEDIUM     4.6  fit2cloud jumpserver 3.0.0-3.10.5 - Authenticated Information Disclosure via Playbook ID
CVE-2024-1313   MEDIUM     6.5  Grafana 9.5.0-9.5.17, 10.0.0-10.0.12, 10.1.0-10.1.8, 10.2.0-10.2.5, 10.3.0-10.3.4 - Snapshot Deletion via View Key
CVE-2024-29194  HIGH       8.3  OneUptime 7.0.1803-7.0.1814 - Authorization Bypass via Client-Side is_master_admin Key Manipulation
CVE-2024-2538   MEDIUM     5.4  Permalink Manager Lite <= 2.4.3.1 - Authenticated Arbitrary Permalink Modification via Missing Capability Check
CVE-2024-1604   MEDIUM     6.4  BMC Control-M 9.0.20-9.0.20.237 and 9.0.21-9.0.21.200 - Authenticated Authorization Bypass in Report Management Module
CVE-2024-2577   HIGH       7.3  SourceCodester Employee Task Management System 1.0 - Authorization Bypass via admin_id Parameter
CVE-2024-2576   HIGH       7.3  SourceCodester Employee Task Management System 1.0 - Authorization Bypass via admin_id Parameter
CVE-2024-2575   HIGH       7.3  SourceCodester Employee Task Management System 1.0 - Authorization Bypass via task_id Parameter
CVE-2024-2574   HIGH       7.3  SourceCodester Employee Task Management System 1.0 - Authorization Bypass via edit-task.php task_id Parameter
CVE-2024-1640   MEDIUM     5.3  Contact Form Builder Plugin <2.10.1 - Info Disclosure
CVE-2024-0839   MEDIUM     5.3  FeedWordPress <2022.0222 - Info Disclosure
CVE-2024-23112  HIGH       8.0  FortiOS/FortiProxy SSL-VPN Auth Bypass via URL Manipulation
CVE-2024-27302  CRITICAL   9.1  go-zero < 1.4.4 - Authorization Bypass via CORS Origin Suffix Check
CVE-2024-1470   HIGH       7.1  NetIQ Client Login Extension 4.6 - Privilege Escalation and Code Injection via Authorization Bypass
CVE-2024-25983  LOW        3.5  moodle 4.1.0-4.1.8 and 4.3.0-4.3.2 - Authorization Bypass in Comments Block Web Service
CVE-2024-22455  MEDIUM     4.4  Dell Mobility - E-Lab Navigator <3.2.0 - Auth Bypass
CVE-2024-0421   MEDIUM     5.3  MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Post Read via AJAX Action
CVE-2024-1075   LOW        3.7  Minimal Coming Soon - Coming Soon Page < 2.37 - Unauthenticated Maintenance Mode Bypass via Request Path Validation
CVE-2024-0366   MEDIUM     4.3  Starbox < 3.4.7 - Insecure Direct Object Reference via Action Function
CVE-2024-22305  HIGH       7.5  Kali Forms < 2.3.36 - Insecure Direct Object Reference
CVE-2024-23747  HIGH       7.5  ModernaNet Hospital Management System 2024 - Insecure Direct Object Reference via Laudo ID Parameter
CVE-2024-0580   MEDIUM     6.5  IDMSistemas Sinergia - Authorization Bypass via QSige API Endpoint
CVE-2024-22206  CRITICAL   9.0  Clerk <4.29.2 - Privilege Escalation
CVE-2024-0264   HIGH       7.3  Clinic Queuing System 1.0 - Authorization Bypass via formToken Manipulation
CVE-2023-40200  MEDIUM     5.3  WordPress WP Logo Showcase Responsive Slider and Carousel plugin <= 3.6 - Broken Access Control vulnerability