Authorization Bypass Through User-Controlled Key (CWE-639) vulnerabilities

Each record lists the publication date, CVE identifier, title, description, attack vector and complexity, vendor, CWE and CVSS risk score.

2022-08-31 | CVE-2022-36202 | Risk: 9.8 (critical)
Authorization Bypass Through User-Controlled Key vulnerability in Doctor's Appointment System Project Doctor's Appointment System 1.0
Doctor's Appointment System 1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php.
Attack vector: network; attack complexity: low; vendor: doctor-s-appointment-system-project; CWE-639

2022-08-29 | CVE-2022-2034 | Risk: 5.3
Authorization Bypass Through User-Controlled Key vulnerability in Automattic Sensei LMS
The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
Attack vector: network; attack complexity: low; vendor: automattic; CWE-639

2022-08-29 | CVE-2022-3019 | Risk: 8.8
Authorization Bypass Through User-Controlled Key vulnerability in Tooljet
The forgot password token basically just makes us capable of taking over the account of whoever comments in an app that we can see (bruteforcing comment IDs might also be an option, but I wouldn't count on it, since it would take a long time to find a valid one).
Attack vector: network; attack complexity: low; vendor: tooljet; CWE-639

2022-08-22 | CVE-2022-34770 | Risk: 7.5
Authorization Bypass Through User-Controlled Key vulnerability in Tabit
Tabit - sensitive information disclosure.
Attack vector: network; attack complexity: low; vendor: tabit; CWE-639

2022-08-22 | CVE-2022-34775 | Risk: 7.5
Authorization Bypass Through User-Controlled Key vulnerability in Tabit
Tabit - excessive data exposure.
Attack vector: network; attack complexity: low; vendor: tabit; CWE-639

2022-08-19 | CVE-2022-34621 | Risk: 6.5
Authorization Bypass Through User-Controlled Key vulnerability in Mealie 0.5.5/1.0.0
Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.
Attack vector: network; attack complexity: low; vendor: mealie; CWE-639

2022-08-05 | CVE-2022-2499 | Risk: 4.3
Authorization Bypass Through User-Controlled Key vulnerability in GitLab
An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, and all versions starting from 15.2 before 15.2.1.
Attack vector: network; attack complexity: low; vendor: gitlab; CWE-639

2022-08-05 | CVE-2022-36284 | Risk: 6.5
Authorization Bypass Through User-Controlled Key vulnerability in StoreApps Affiliate for WooCommerce
Authenticated IDOR vulnerability in the StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 for WordPress allows an attacker to change the PayPal email.
Attack vector: network; attack complexity: low; vendor: storeapps; CWE-639

2022-07-20 | CVE-2022-34150 | Risk: 5.4
Authorization Bypass Through User-Controlled Key vulnerability in MiCODUS MV720 Firmware
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.
Attack vector: network; attack complexity: low; vendor: micodus; CWE-639

2022-07-19 | CVE-2022-2193 | Risk: 8.8
Authorization Bypass Through User-Controlled Key vulnerability in HYPR Server 6.10
Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page.
Attack vector: network; attack complexity: low; vendor: hypr; CWE-639