Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-639 (通过用户控制密钥绕过授权机制) — Vulnerability Class 1040

1040 vulnerabilities classified as CWE-639 (通过用户控制密钥绕过授权机制). AI Chinese analysis included.

CVE IDTitleCVSSSeverityPublished
CVE-2025-66556 Nextcloud talk allows participants to blindly delete poll drafts of other users by ID — security-advisories 3.5 Low2025-12-05
CVE-2025-66553 Nextcloud Tables app allowed users to view columns metadata information of any table — security-advisories 4.3 Medium2025-12-05
CVE-2025-66551 Nextcloud Tables is missing an ownership check which allows moving columns into tables of other users — security-advisories 6.3 Medium2025-12-05
CVE-2025-66513 Nextcloud Tables app share information not limited to relevant users — security-advisories 4.3 Medium2025-12-05
CVE-2025-66546 Nextcloud Calendar app allowed booking appointments without the generated token — security-advisories 3.3 Low2025-12-05
CVE-2025-66547 Nextcloud Server users can modify tags on files that do not belong to them — security-advisories 4.3 Medium2025-12-05
CVE-2025-13932 SolisCloud Monitoring Platform 安全漏洞 — Monitoring Platform (Cloud API & Device Control API) 4.3AIMediumAI2025-12-04
CVE-2025-12997 Medtronic CareLink Network 安全漏洞 — CareLink Network 2.2 Low2025-12-04
CVE-2025-13109 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' — HUSKY – Products Filter Professional for WooCommerce 4.3 Medium2025-12-03
CVE-2025-41086 Authorization bypass in GAMS from GAMS Development Corp. — GAMS 8.1AIHighAI2025-12-02
CVE-2025-66306 Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel — grav 4.3 Medium2025-12-01
CVE-2025-13615 StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change — StreamTube Core 9.8 Critical2025-11-30
CVE-2025-13768 Uniong|WebITR - Authorization Bypass — WebITR 7.5 High2025-11-28
CVE-2025-13157 QODE Wishlist for WooCommerce <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update — QODE Wishlist for WooCommerce 5.3 Medium2025-11-27
CVE-2025-13382 Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming — Frontend File Manager Plugin 4.3 Medium2025-11-25
CVE-2025-13389 Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure — Admin and Customer Messages After Order for WooCommerce: OrderConvo 5.3 Medium2025-11-25
CVE-2025-12040 Wishlist for WooCommerce <= 1.1.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation — Wishlist for WooCommerce 6.5 Medium2025-11-25
CVE-2025-13452 Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages — Admin and Customer Messages After Order for WooCommerce: OrderConvo 4.3 Medium2025-11-25
CVE-2025-10039 ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.9 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client' — ELEX WordPress HelpDesk & Customer Ticketing System 4.3 Medium2025-11-21
CVE-2025-12881 Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read — Return Refund and Exchange For WooCommerce 5.4 Medium2025-11-21
CVE-2025-12086 Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation — Return Refund and Exchange For WooCommerce 4.3 Medium2025-11-21
CVE-2025-65034 Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId — rallly 8.1 High2025-11-19
CVE-2025-65032 Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users’ Names — rallly 6.5 Medium2025-11-19
CVE-2025-12766 Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of affected versions of BlackBerry AtHoc. — BlackBerry® AtHoc® (OnPrem) 5.0 Medium2025-11-19
CVE-2025-12427 YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename — YITH WooCommerce Wishlist 5.3 Medium2025-11-19
CVE-2025-12524 Post Type Switcher <= 4.0.0 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change — Post Type Switcher 5.4 Medium2025-11-18
CVE-2025-8855 2FA Expiry Bypass in Optimus Software's Brokerage Automation — Brokerage Automation 8.1 High2025-11-14
CVE-2025-64706 Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure — typebot.io 5.0 Medium2025-11-13
CVE-2025-41069 Insecure Direct Object References (IDOR) in DeporSite of T-Innova DeporSite — DSuite 2025 8.1 -2025-11-13
CVE-2025-12366 Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference — Page Builder: Pagelayer – Drag and Drop website builder 4.3 Medium2025-11-13

Vulnerabilities classified as CWE-639 (通过用户控制密钥绕过授权机制) represent 1040 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.