← Back
CWE-639

1,771 CVEs • Abstraction: Base • Likelihood of Exploit: High

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

JSON object

Loading...

CVEs (1,771)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2023-3289
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation.
CVE-2023-3288
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
CVE-2023-3287
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.8 HIGH· v3
N/A· v2
A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
CVE-2023-3286
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.
CVE-2023-38055
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data...Show more
A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38054
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipul...Show more
A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38053
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized da...Show more
A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38052
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38051
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data man...Show more
A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38050
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data ma...Show more
A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38049
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unautho...Show more
A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38048
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulatio...Show more
A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38047
1Easyappointments
1Easy!appointments
Nov 21, 2024
Jul 9, 2024
N/A· v4
8.1 HIGH· v3
N/A· v2
A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized d...Show more
A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-3285
-
-
Nov 21, 2024
Jul 9, 2024
N/A· v4
7.7 HIGH· v3
N/A· v2
A BOLA vulnerability in POST /appointments allows a low privileged user to create an appointment for any user in the system (including admin). This results in unauthorized data manipulation.
CVE-2024-4341
1Extremepacs
1Extreme Xds
Jun 3, 2026
Jul 8, 2024
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3928.
CVE-2024-39321
1Traefik
1Traefik
Nov 25, 2025
Jul 5, 2024
N/A· v4
7.5 HIGH· v3
N/A· v2
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent wi...Show more
Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.Show less
CVE-2024-39223
-
-
Nov 21, 2024
Jul 3, 2024
N/A· v4
9.8 CRITICAL· v3
N/A· v2
An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey
CVE-2024-31898
1Ibm
1Infosphere Information Server
Nov 21, 2024
Jun 30, 2024
N/A· v4
5.4 MEDIUM· v3
N/A· v2
IBM InfoSphere Information Server 11.7 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references. IBM X-Force ID: 288182.
CVE-2024-5942
1Carlosfazenda
1Page And Post Clone
Apr 8, 2026
Jun 29, 2024
N/A· v4
5.4 MEDIUM· v3
N/A· v2
The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key...Show more
The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to clone and read private posts.Show less
CVE-2024-1107
1Talyabilisim
1Travel Apps
Jun 3, 2026
Jun 27, 2024
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel APPS: before v17.0.68.