Vulnerabilities > Authorization Bypass Through User-Controlled Key

DATE | CVE | VULNERABILITY TITLE | RISK
2022-04-06 | CVE-2022-27108 | Authorization Bypass Through User-Controlled Key vulnerability in Orangehrm 4.10 | Risk 4.0
    OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint symfony/web/index.php/time/createTimesheet.
    Access vector: network | Access complexity: low | Vendor: orangehrm | CWE-639
2022-04-04 | CVE-2022-1165 | Authorization Bypass Through User-Controlled Key vulnerability in Plugin-Planet Blackhole for BAD Bots | Risk 6.4
    The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc. to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed.
    Access vector: network | Access complexity: low | Vendor: plugin-planet | CWE-639
2022-04-01 | CVE-2022-22331 | Authorization Bypass Through User-Controlled Key vulnerability in IBM Partner Engagement Manager 6.2.0 | Risk 7.1
    IBM Sterling Partner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details, caused by an insecure direct object reference (IDOR) vulnerability.
    Access vector: network | Access complexity: low | Vendor: ibm | CWE-639
2022-03-30 | CVE-2021-38362 | Authorization Bypass Through User-Controlled Key vulnerability in RSA Archer | Risk 4.0
    In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.
    Access vector: network | Access complexity: low | Vendor: rsa | CWE-639
2022-03-27 | CVE-2022-26254 | Authorization Bypass Through User-Controlled Key vulnerability in Wowonder 4.0 | Risk 5.0
    WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names.
    Access vector: network | Access complexity: low | Vendor: wowonder | CWE-639
2022-03-16 | CVE-2021-43957 | Authorization Bypass Through User-Controlled Key vulnerability in Atlassian Crucible | Risk 5.0
    Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object Reference (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of URL decoding.
    Access vector: network | Access complexity: low | Vendor: atlassian | CWE-639
2022-03-07 | CVE-2022-0442 | Authorization Bypass Through User-Controlled Key vulnerability in Ayecode Userswp | Risk 4.3
    The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar.
    Access vector: network | Access complexity: low | Vendor: ayecode | CWE-639
2022-03-03 | CVE-2022-25471 | Authorization Bypass Through User-Controlled Key vulnerability in Open-Emr Openemr 6.0.0 | Risk 5.5
    An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.
    Access vector: network | Access complexity: low | Vendor: open-emr | CWE-639
2022-02-28 | CVE-2021-41111 | Authorization Bypass Through User-Controlled Key vulnerability in Pagerduty Rundeck | Risk 5.5
    Rundeck is an open source automation service with a web console, command line tools and a WebAPI.
    Access vector: network | Access complexity: low | Vendor: pagerduty | CWE-639
2022-02-24 | CVE-2022-0732 | Authorization Bypass Through User-Controlled Key vulnerability in 1Byte products | Risk 7.5
    The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
    Access vector: network | Access complexity: low | Vendor: 1byte | CWE-639