Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-2844

Summary
Assigner-@huntrdev
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-23 May, 2023 | 00:00
Updated At-12 Feb, 2025 | 16:45
Rejected At-
Credits

Authorization Bypass Through User-Controlled Key in cloudexplorer-dev/cloudexplorer-lite

Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntrdev
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:23 May, 2023 | 00:00
Updated At:12 Feb, 2025 | 16:45
Rejected At:
▼CVE Numbering Authority (CNA)
Authorization Bypass Through User-Controlled Key in cloudexplorer-dev/cloudexplorer-lite

Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.

Affected Products
Vendor
CloudExplorer Lite (FIT2CLOUD Inc.)cloudexplorer-dev
Product
cloudexplorer-dev/cloudexplorer-lite
Versions
Affected
  • From unspecified before v1.1.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-639CWE-639 Authorization Bypass Through User-Controlled Key
Type: CWE
CWE ID: CWE-639
Description: CWE-639 Authorization Bypass Through User-Controlled Key
Metrics
VersionBase scoreBase severityVector
3.07.2HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22
N/A
https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a
N/A
Hyperlink: https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22
Resource: N/A
Hyperlink: https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22
x_transferred
https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a
x_transferred
Hyperlink: https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22
Resource:
x_transferred
Hyperlink: https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:23 May, 2023 | 04:15
Updated At:27 Jun, 2023 | 06:15

Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Secondary3.07.2HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 4.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.0
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CPE Matches
FIT2CLOUD Inc.
fit2cloud
>>cloudexplorer_lite>>Versions before 1.1.0(exclusive)
cpe:2.3:a:fit2cloud:cloudexplorer_lite:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-639Primarysecurity@huntr.dev
CWE-639Secondarynvd@nist.gov
CWE ID: CWE-639
Type: Primary
Source: security@huntr.dev
CWE ID: CWE-639
Type: Secondary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763asecurity@huntr.dev
Patch
https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22security@huntr.dev
Exploit
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://github.com/cloudexplorer-dev/cloudexplorer-lite/commit/d9f55a44e579d312977b02317b2020de758b763a
Source: security@huntr.dev
Resource:
Patch
Hyperlink: https://huntr.dev/bounties/6644b36e-603d-4dbe-8ee2-5df8b8fb2e22
Source: security@huntr.dev
Resource:
Exploit
Issue Tracking
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2024-29024
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.09% / 25.82%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 14:45
Updated-09 Jan, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JumpServer Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality

JumpServer is an open source bastion host and an operation and maintenance security audit system. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system. This vulnerability is fixed in v3.10.6.

Action-Not Available
Vendor-FIT2CLOUD Inc.JumpServer (FIT2CLOUD Inc.)
Product-jumpserverjumpserverjumpserver
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2024-29020
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.15% / 35.72%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 14:46
Updated-09 Jan, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JumpServer allows nn authorized attacker to get sensitive information in playbook files when playbook_id is leaked

JumpServer is an open source bastion host and an operation and maintenance security audit system. An authorized attacker can obtain sensitive information contained within playbook files if they manage to learn the playbook_id of another user. This breach of confidentiality can lead to information disclosure and exposing sensitive data. This vulnerability is fixed in v3.10.6.

Action-Not Available
Vendor-FIT2CLOUD Inc.JumpServer (FIT2CLOUD Inc.)
Product-jumpserverjumpserverjumpserver
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-42463
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.04% / 11.60%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 21:26
Updated-15 May, 2026 | 17:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQLBot: Unauthorized Access Vulnerability

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass vulnerability in the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema endpoints. An attacker can access and modify database schemas and data sources belonging to other tenants/workspaces. This vulnerability is fixed in 1.8.0.

Action-Not Available
Vendor-FIT2CLOUD Inc.DataEase (FIT2CLOUD Inc.)
Product-sqlbotSQLBot
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-33700
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.04% / 13.92%
||
7 Day CHG~0.00%
Published-24 Mar, 2026 | 15:51
Updated-30 Mar, 2026 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.

Action-Not Available
Vendor-vikunjago-vikunja
Product-vikunjavikunja
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-31833
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.9||MEDIUM
EPSS-0.06% / 19.11%
||
7 Day CHG-0.14%
Published-01 Apr, 2025 | 14:51
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JobBoard Job listing plugin Plugin <= 1.2.8 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing job-board-light allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoard Job listing: from n/a through <= 1.2.8.

Action-Not Available
Vendor-themeglow
Product-JobBoard Job listing
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-28874
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 11.77%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 21:00
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BP Email Assign Templates By shanebp plugin <= 1.7 - Arbitrary Content Deletion vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Email Assign Templates: from n/a through <= 1.7.

Action-Not Available
Vendor-shanebpshanebp
Product-bp_email_assign_templatesBP Email Assign Templates
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
Details not found