Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-15582

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-28 Jan, 2020 | 02:36
Updated At-05 Aug, 2024 | 00:49
Rejected At-
Credits

An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:28 Jan, 2020 | 02:36
Updated At:05 Aug, 2024 | 00:49
Rejected At:
▼CVE Numbering Authority (CNA)

An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.

Affected Products
Vendor
GitLab Inc.GitLab
Product
GitLab EE
Versions
Affected
  • before 12.3.2
  • before 12.2.6
  • before 12.1.12
Problem Types
TypeCWE IDDescription
CWECWE-639Insecure Direct Object Reference (IDOR) (CWE-639)
Type: CWE
CWE ID: CWE-639
Description: Insecure Direct Object Reference (IDOR) (CWE-639)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
x_refsource_MISC
https://hackerone.com/reports/566216
x_refsource_MISC
Hyperlink: https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
Resource:
x_refsource_MISC
Hyperlink: https://hackerone.com/reports/566216
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
x_refsource_MISC
x_transferred
https://hackerone.com/reports/566216
x_refsource_MISC
x_transferred
Hyperlink: https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://hackerone.com/reports/566216
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:28 Jan, 2020 | 03:15
Updated At:02 Nov, 2021 | 17:50

An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches

GitLab Inc.
gitlab
>>gitlab>>Versions from 12.1.0(inclusive) to 12.1.12(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 12.1.0(inclusive) to 12.1.12(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 12.2.0(inclusive) to 12.2.6(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 12.2.0(inclusive) to 12.2.6(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 12.3.0(inclusive) to 12.3.2(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
GitLab Inc.
gitlab
>>gitlab>>Versions from 12.3.0(inclusive) to 12.3.2(exclusive)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-639Primarynvd@nist.gov
CWE-639Secondarysupport@hackerone.com
CWE ID: CWE-639
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-639
Type: Secondary
Source: support@hackerone.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/support@hackerone.com
Vendor Advisory
https://hackerone.com/reports/566216support@hackerone.com
Permissions Required
Hyperlink: https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
Source: support@hackerone.com
Resource:
Vendor Advisory
Hyperlink: https://hackerone.com/reports/566216
Source: support@hackerone.com
Resource:
Permissions Required

Change History

0
Information is not available yet

Similar CVEs

120Records found

CVE-2025-3282
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.08% / 24.11%
||
7 Day CHG~0.00%
Published-12 Apr, 2025 | 06:37
Updated-08 Jul, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.1.3 - Insecure Direct Object Reference to Unauthenticated Membership Modification

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type.

Action-Not Available
Vendor-wpeverestwpeverest
Product-user_registration_\&_membershipUser Registration & Membership – Custom Registration Form, Login Form, and User Profile
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2023-28686
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 29.03%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-19 Feb, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.

Action-Not Available
Vendor-dinon/aFedora ProjectDebian GNU/Linux
Product-fedoradebian_linuxdinon/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-27561
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 29.62%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 21:55
Updated-16 Apr, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can rename "rooms" of arbitrary users.

Action-Not Available
Vendor-Growatt
Product-Cloud portal
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-27565
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 35.30%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 21:23
Updated-16 Apr, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Growatt Cloud portal Authorization Bypass Through User-Controlled Key

An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.

Action-Not Available
Vendor-Growatt
Product-Cloud portal
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-26965
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 18.12%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 14:17
Updated-25 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Amelia plugin <= 1.2.16 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through 1.2.16.

Action-Not Available
Vendor-ameliabooking
Product-Amelia
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-24315
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 29.62%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 21:57
Updated-16 Apr, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).

Action-Not Available
Vendor-Growatt
Product-Cloud portal
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-25276
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 35.30%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 21:25
Updated-16 Apr, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Growatt Cloud portal Authorization Bypass Through User-Controlled Key

An unauthenticated attacker can hijack other users' devices and potentially control them.

Action-Not Available
Vendor-Growatt
Product-Cloud portal
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2019-14724
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-9.68% / 92.61%
||
7 Day CHG~0.00%
Published-11 Sep, 2019 | 11:28
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to edit an e-mail forwarding destination of a victim's account via an attacker account.

Action-Not Available
Vendor-control-webpaneln/a
Product-webpaneln/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-28986
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-6.30% / 90.57%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 18:51
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: 2021072900 has an Insecure direct object references (IDOR) vulnerability, which allows remote attackers to update sensitive records such as email, password and phone number of other user accounts.

Action-Not Available
Vendor-lmsdoctorn/a
Product-2_factor_authenticationn/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-9700
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 30.04%
||
7 Day CHG+0.04%
Published-31 Oct, 2024 | 05:31
Updated-25 Nov, 2024 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.

Action-Not Available
Vendor-Incsub, LLC
Product-forminator_formsForminator Forms – Contact Form, Payment Form & Custom Form Builderforminator_forms
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2019-13337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.24% / 47.25%
||
7 Day CHG~0.00%
Published-09 Jul, 2019 | 19:28
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.

Action-Not Available
Vendor-weseekn/a
Product-growin/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-2877
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 16.55%
||
7 Day CHG~0.00%
Published-16 Sep, 2022 | 08:40
Updated-03 Aug, 2024 | 00:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing

The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers.

Action-Not Available
Vendor-cm-wpUnknown
Product-titan_anti-spam_\&_securityTitan Anti-spam & Security
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-4097
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.63%
||
7 Day CHG~0.00%
Published-12 Dec, 2022 | 17:54
Updated-14 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All In One WP Security & Firewall < 5.0.8 - IP Spoofing

The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more).

Action-Not Available
Vendor-updraftplusUnknown
Product-all-in-one_securityAll-In-One Security (AIOS)
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-4750
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 53.74%
||
7 Day CHG+0.01%
Published-04 Jun, 2024 | 06:00
Updated-27 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment

The buddyboss-platform WordPress plugin before 2.6.0 contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request

Action-Not Available
Vendor-Unknown
Product-buddyboss-platform
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-1581
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 15.07%
||
7 Day CHG~0.00%
Published-21 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Polls < 2.76.0 - IP Validation Bypass

The WP-Polls WordPress plugin before 2.76.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.

Action-Not Available
Vendor-wp-polls_projectUnknown
Product-wp-pollsWP-Polls
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-1613
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.26%
||
7 Day CHG~0.00%
Published-26 Sep, 2022 | 12:35
Updated-21 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Restricted Site Access < 7.3.2 - Access Bypass via IP Spoofing

The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations.

Action-Not Available
Vendor-10upUnknown
Product-restricted_site_accessRestricted Site Access
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-0512
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.8||HIGH
EPSS-0.03% / 5.56%
||
7 Day CHG~0.00%
Published-14 Feb, 2022 | 00:00
Updated-02 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in unshiftio/url-parse

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Action-Not Available
Vendor-url-parse_projectunshiftio
Product-url-parseunshiftio/url-parse
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2021-3852
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.20% / 41.77%
||
7 Day CHG~0.00%
Published-12 Jan, 2022 | 10:15
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in weseek/growi

growi is vulnerable to Authorization Bypass Through User-Controlled Key

Action-Not Available
Vendor-weseekweseek
Product-growiweseek/growi
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2021-36400
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.03%
||
7 Day CHG~0.00%
Published-06 Mar, 2023 | 00:00
Updated-07 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodleMoodle
CWE ID-CWE-276
Incorrect Default Permissions
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-32277
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 27.63%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 00:00
Updated-03 Aug, 2024 | 07:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details. NOTE: this is disputed by both the vendor and the original discoverer because it is a site-specific finding, not a finding about the Squiz Matrix CMS product.

Action-Not Available
Vendor-squizn/a
Product-matrixn/a
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found