Vulnerabilities > Authorization Bypass Through User-Controlled Key
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK (CVSS SCORE) |
---|---|---|---|
2022-09-15 | CVE-2022-38789 | Authorization Bypass Through User-Controlled Key vulnerability in Airties products: An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. | 9.1 |
2022-09-07 | CVE-2022-36539 | Authorization Bypass Through User-Controlled Key vulnerability in Eigen&Wijzer Ouderapp: WeDayCare B.V. Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to the data of other parents and children. | 7.5 |
2022-09-06 | CVE-2022-32277 | Authorization Bypass Through User-Controlled Key vulnerability in Squiz Matrix 6.20: Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by a failure to correctly validate authorization when submitting a request to change a user's contact details. | 5.3 |
2022-08-31 | CVE-2022-36202 | Authorization Bypass Through User-Controlled Key vulnerability in Doctor's Appointment System 1.0: Doctor's Appointment System 1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. | 9.8 |
2022-08-29 | CVE-2022-2034 | Authorization Bypass Through User-Controlled Key vulnerability in Automattic Sensei LMS: The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers. | 5.3 |
2022-08-29 | CVE-2022-2080 | Authorization Bypass Through User-Controlled Key vulnerability in Automattic Sensei LMS: The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversations via an IDOR attack. | 4.3 |
2022-08-29 | CVE-2022-3019 | Authorization Bypass Through User-Controlled Key vulnerability in Tooljet: The forgot password token basically just makes us capable of taking over the account of whoever comments in an app that we can see (bruteforcing comment IDs might also be an option, but I wouldn't count on it, since it would take a long time to find a valid one). | 8.8 |
2022-08-24 | CVE-2021-4142 | Authorization Bypass Through User-Controlled Key vulnerability in Candlepinproject Candlepin: The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. | 5.5 |
2022-08-22 | CVE-2022-2198 | Authorization Bypass Through User-Controlled Key vulnerability in 2Code WPQA Builder 5.2: The WPQA Builder WordPress plugin before 5.7, which is a companion plugin to the Hilmer and Discy themes, does not check authorization before displaying private messages, allowing any logged-in user to read other users' private messages using the message ID, which can easily be brute forced. | 4.3 |
2022-08-22 | CVE-2022-34770 | Authorization Bypass Through User-Controlled Key vulnerability in Tabit: Tabit - sensitive information disclosure. | 7.5 |
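Several of the entries above (CVE-2022-36539, CVE-2022-2034, CVE-2022-2080, CVE-2022-2198) share one mechanic: the endpoint authenticates the caller but then selects the record purely by a caller-supplied key, so changing or brute-forcing the ID reaches other users' data. The following is an added example, not code from any product listed on this page, showing a minimal private-message API in both the vulnerable form and the fixed form. The SQLite table, the user names, the sequential message IDs and the function names are all constructed for illustration. The fix is to make the principal part of the lookup (the `WHERE` clause carries both the ID and the requester) and to reuse that authorized lookup on the write path, so that replying into a conversation is gated by the same check as reading it.

```python
"""Added example (not from any listed product): CWE-639 / IDOR on a message API.

Everything here is constructed: the in-memory SQLite table, the users
teacher_a, student_b, parent_c, student_d, teacher_e, and the function names.
"""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Iterable


class NotFound(Exception):
    """Raised for unknown IDs and, on the fixed path, for IDs the caller may not see."""


@dataclass(frozen=True)
class Message:
    id: int
    sender: str
    recipient: str
    body: str


def build_db() -> sqlite3.Connection:
    """Constructed sample data with sequential integer IDs, the property that makes
    the IDs in the advisories above trivially brute-forceable."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT NOT NULL, "
        "recipient TEXT NOT NULL, body TEXT NOT NULL)"
    )
    con.executemany(
        "INSERT INTO messages (id, sender, recipient, body) VALUES (?, ?, ?, ?)",
        [
            (1, "teacher_a", "student_b", "Grades are posted"),
            (2, "parent_c", "teacher_a", "Can we meet Friday?"),
            (3, "student_d", "teacher_e", "Extension request"),
        ],
    )
    con.commit()
    return con


def get_message_vulnerable(con: sqlite3.Connection, requester: str, message_id: int) -> Message:
    """Authenticated but not authorized: the caller-supplied key is the only thing
    that selects the record (CWE-639). `requester` is never consulted."""
    row = con.execute(
        "SELECT id, sender, recipient, body FROM messages WHERE id = ?", (message_id,)
    ).fetchone()
    if row is None:
        raise NotFound(message_id)
    return Message(*row)


def get_message_fixed(con: sqlite3.Connection, requester: str, message_id: int) -> Message:
    """The principal is part of the query, so a foreign ID simply does not match.
    Unknown and foreign IDs both raise NotFound: a distinct 403 would turn the
    endpoint into an oracle for which IDs exist."""
    row = con.execute(
        "SELECT id, sender, recipient, body FROM messages "
        "WHERE id = ? AND (sender = ? OR recipient = ?)",
        (message_id, requester, requester),
    ).fetchone()
    if row is None:
        raise NotFound(message_id)
    return Message(*row)


def enumerate_readable(
    con: sqlite3.Connection, fetch: Callable[..., Message], requester: str, ids: Iterable[int]
) -> list[int]:
    """Simulates the ID brute-force the advisories mention: walk candidate IDs
    through `fetch` and return the ones the requester can actually read."""
    readable = []
    for mid in ids:
        try:
            fetch(con, requester, mid)
        except NotFound:
            continue
        readable.append(mid)
    return readable


def _insert_reply(con: sqlite3.Connection, requester: str, parent: Message, body: str) -> int:
    # The reply goes to the other party of the thread, never to a caller-supplied recipient.
    recipient = parent.recipient if parent.sender == requester else parent.sender
    cur = con.execute(
        "INSERT INTO messages (sender, recipient, body) VALUES (?, ?, ?)",
        (requester, recipient, body),
    )
    con.commit()
    return cur.lastrowid


def reply_vulnerable(con: sqlite3.Connection, requester: str, message_id: int, body: str) -> int:
    """Write-side variant (cf. CVE-2022-2080): any authenticated user can post into
    any conversation because the parent lookup does no ownership check."""
    parent = get_message_vulnerable(con, requester, message_id)
    return _insert_reply(con, requester, parent, body)


def reply_fixed(con: sqlite3.Connection, requester: str, message_id: int, body: str) -> int:
    """Replying reuses the authorized lookup, so only a party to the thread can
    post into it; everything else fails before any write happens."""
    parent = get_message_fixed(con, requester, message_id)
    return _insert_reply(con, requester, parent, body)


if __name__ == "__main__":
    db = build_db()
    ids = range(1, 11)
    print("student_d, vulnerable:", enumerate_readable(db, get_message_vulnerable, "student_d", ids))
    print("student_d, fixed:     ", enumerate_readable(db, get_message_fixed, "student_d", ids))
```

Running the block as a script shows `student_d` reading every message through the vulnerable lookup and only their own message (ID 3) through the fixed one. Scoping the query by principal rather than fetching-then-checking also keeps the authorization decision next to the data access, which is the pattern a reviewer should look for in each of the listed endpoints: a lookup keyed solely on a client-supplied identifier, with the authenticated user nowhere in the predicate.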