CWE-639

1,772 CVEs • Abstraction: Base • Likelihood of Exploit: High

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.


CVEs (1,772)

Each entry below lists the affected vendor(s) and product(s), the dates the record was last updated and first published, the CVSS v4 / v3 / v2 scores, and the CVE description.

Vendor: Sma
Product: Sunny Tripower Firmware
Updated: Nov 21, 2024 | Published: Apr 7, 2022
CVSS: v4 N/A | v3 8.1 HIGH | v2 5.5 MEDIUM
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R allows unauthorized user groups to gain access, due to insecure cookie handling.

Vendor: Orangehrm
Product: Orangehrm
Updated: Nov 21, 2024 | Published: Apr 6, 2022
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint symfony/web/index.php/time/createTimesheet. Any user can create a timesheet in another user's account.

Vendor: Plugin Planet
Product: Blackhole For Bad Bots
Updated: Nov 21, 2024 | Published: Apr 4, 2022
CVSS: v4 N/A | v3 9.1 CRITICAL | v2 6.4 MEDIUM
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc. to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator, and more.

Vendor: Ibm
Product: Partner Engagement Manager
Updated: Nov 21, 2024 | Published: Apr 1, 2022
CVSS: v4 N/A | v3 7.1 HIGH | v2 5.5 MEDIUM
IBM Sterling Partner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object reference vulnerability (IDOR). IBM X-Force ID: 219130.

Vendor: Rsa
Product: Archer
Updated: Nov 21, 2024 | Published: Mar 30, 2022
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.

Vendor: Wowonder
Product: Wowonder
Updated: Nov 21, 2024 | Published: Mar 27, 2022
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names.

Vendor: Atlassian
Products: Crucible, Fisheye
Updated: Nov 21, 2024 | Published: Mar 16, 2022
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of URL decoding. The affected versions are before version 4.8.9.

Vendor: Ayecode
Product: Userswp
Updated: Nov 21, 2024 | Published: Mar 7, 2022
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar.

Vendor: Open Emr
Product: Openemr
Updated: Nov 21, 2024 | Published: Mar 3, 2022
CVSS: v4 N/A | v3 8.1 HIGH | v2 5.5 MEDIUM
An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.

Vendor: Pagerduty
Product: Rundeck
Updated: Nov 21, 2024 | Published: Feb 28, 2022
CVSS: v4 N/A | v3 5.4 MEDIUM | v2 5.5 MEDIUM
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal webhook definitions and tokens in another project. The user could use the revealed webhook tokens to trigger webhooks. Severity depends on the trust level of authenticated users and whether any webhooks exist that trigger sensitive actions. There are patches for this vulnerability in versions 3.4.5 and 3.3.15. There are currently no known workarounds.

Vendor: 1byte
Products: Copy9, Exactspy, Fonetracker, +6 more
Updated: Nov 21, 2024 | Published: Feb 24, 2022
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.0 MEDIUM
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.

Vendor: Dolibarr
Product: Dolibarr Erp/crm
Updated: Nov 21, 2024 | Published: Feb 23, 2022
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.

Vendor: Url Parse Project
Product: Url Parse
Updated: Nov 21, 2024 | Published: Feb 21, 2022
CVSS: v4 N/A | v3 9.8 CRITICAL | v2 7.5 HIGH
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Vendor: Url Parse Project
Product: Url Parse
Updated: Nov 21, 2024 | Published: Feb 20, 2022
CVSS: v4 N/A | v3 9.1 CRITICAL | v2 6.4 MEDIUM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Vendor: Mittwald
Product: Varnishcache
Updated: Nov 21, 2024 | Published: Feb 19, 2022
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
An issue was discovered in the Varnishcache extension before 2.0.1 for TYPO3. The Edge Side Includes (ESI) content element renderer component does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct object reference (IDOR), with the potential of exposing internal content elements.

Vendor: Ibexa
Product: Ez Platform Kernel
Updated: Nov 21, 2024 | Published: Feb 18, 2022
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 4.3 MEDIUM
Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.

Vendor: Url Parse Project
Product: Url Parse
Updated: Dec 16, 2025 | Published: Feb 17, 2022
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Vendors: Fedoraproject, Uri.js Project
Products: Fedora, Uri.js
Updated: Nov 21, 2024 | Published: Feb 16, 2022
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 6.4 MEDIUM
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.

Vendor: Scratchoauth2 Project
Product: Scratchoauth2
Updated: Nov 21, 2024 | Published: Feb 15, 2022
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.0 MEDIUM
An authorization bypass exploited by a user-controlled key in the SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps.

Vendor: Url Parse Project
Product: Url Parse
Updated: Nov 21, 2024 | Published: Feb 14, 2022
CVSS: v4 N/A | v3 5.3 MEDIUM | v2 5.0 MEDIUM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.