Vulnerabilities > Authorization Bypass Through User-Controlled Key
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-07-10 | CVE-2018-19584 | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups. | 5.0 |
| 2019-07-10 | CVE-2018-19582 | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user. | 4.0 |
| 2019-07-10 | CVE-2018-19575 | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue. | 4.0 |
| 2019-07-09 | CVE-2019-13337 | Authorization Bypass Through User-Controlled Key vulnerability in Weseek Growi In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). | 5.0 |
| 2019-07-09 | CVE-2019-13461 | Authorization Bypass Through User-Controlled Key vulnerability in Prestashop In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. | 5.0 |
| 2019-07-09 | CVE-2019-12782 | Authorization Bypass Through User-Controlled Key vulnerability in Thoughtspot 4.4.1/4.5.1/5.1.1 An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them. | 5.5 |
| 2019-07-05 | CVE-2019-5966 | Authorization Bypass Through User-Controlled Key vulnerability in Joruri Mail 2.1.4 Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors. | 5.8 |
| 2019-07-03 | CVE-2019-12866 | Authorization Bypass Through User-Controlled Key vulnerability in Jetbrains Youtrack An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. | 7.5 |
| 2019-06-05 | CVE-2019-12742 | Authorization Bypass Through User-Controlled Key vulnerability in Bludit Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. | 6.5 |
| 2019-05-21 | CVE-2019-12252 | Authorization Bypass Through User-Controlled Key vulnerability in Zohocorp Manageengine Servicedesk Plus In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. | 6.5 |