CWE-639
1,772 CVEs • Abstraction: Base • Likelihood of Exploit: High
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVEs (1,772)
| CVE | Vendors | Products | Updated | Published | CVSS | Description |
|---|---|---|---|---|---|---|
| | | | | | | An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, ... |
| | | | | | | The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contains certain keywords. Adding those keywords to the URL's query ... |
| | Login No Captcha Recaptcha Project (1) | Login No Captcha Recaptcha (1) | Jun 3, 2025 | Sep 16, 2022 | 4.3 MEDIUM (v3); v2/v4 N/A | The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address, allowing attackers to spoof IP addresses on the allow list and bypass the need for a captcha on the login screen. |
| | | | | | | The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers. |
| | Airties (1) | Air 4920 Firmware, Air 4921 Firmware, Air 4971 Firmware (3) | Nov 21, 2024 | Sep 15, 2022 | 9.1 CRITICAL (v3); v2/v4 N/A | An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of an Insecure Direct Object Reference. |
| | Eigen&wijzer Ouderapp Project (1) | Eigen&wijzer Ouderapp (1) | Nov 21, 2024 | Sep 7, 2022 | 7.5 HIGH (v3); v2/v4 N/A | WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to the data of other parents and children. |
| | | | | | | Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details. NOTE: this is disputed by bot... |
| | Doctor's Appointment System Project (1) | Doctor's Appointment System (1) | Nov 21, 2024 | Aug 31, 2022 | 9.8 CRITICAL (v3); v2/v4 N/A | Doctor's Appointment System 1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php page is affected by Broken Access Control (IDOR) via the id= parameter. |
| | | | | | | The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conver... |
| | | | | | | The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers. |
| | | | | | | The forgot password token basically just makes us capable of taking over the account of whoever comments in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it wo... |
| | | | | | | The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. A few factors could allow an attacker to use the SCA (simple content access) certificate for authentication with Candlepin. |
| | | | | | | Tabit - Excessive data exposure. Another endpoint mapped by the tiny url was one for reservation cancellation, containing the MongoDB ID of the reservation and organization. This can be used to query the http://tgm-api... |
| | | | | | | Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and s... |
| | Student Result Or Employee Database Project (1) | Student Result Or Employee Database (1) | Nov 21, 2024 | Aug 22, 2022 | 5.4 MEDIUM (v3); v2/v4 N/A | The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF checks in its AJAX actions, allowing attackers to make a logged-in user with a role as low as contributor add/edit and delete students vi... |
| | | | | | | The WPQA Builder WordPress plugin before 5.7, which is a companion plugin to the Hilmer and Discy themes, does not check authorization before displaying private messages, allowing any logged-in user to read other users' private... |
| | | | | | | Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter. |
| | | | | | | Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1. |
| | Searchwp (1) | Searchwp Live Ajax Search (1) | Nov 21, 2024 | Aug 15, 2022 | 5.3 MEDIUM (v3); v2/v4 N/A | The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/d... |