
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1041

1041 vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-10669 | Countdown Timer block – Display the event's date into a timer. <= 1.2.4 - Authenticated (Contributor+) Post Disclosure | Countdown Timer Block – Animated Countdown for Events or Launches | 4.3 | Medium | 2024-11-09 |
| CVE-2024-10667 | Content Slider Block – Create fully functional slider with Gutenberg block <= 3.1.5 - Authenticated (Contributor+) Post Disclosure | Content Slider Block – Slide Through Text or Media Content | 4.3 | Medium | 2024-11-09 |
| CVE-2024-10770 | Envo Extra <= 1.9.3 - Authenticated (Contributor+) Post Disclosure | Envo Extra | 4.3 | Medium | 2024-11-09 |
| CVE-2024-10693 | SKT Addons for Elementor <= 3.3 - Authenticated (Contributor+) Post Disclosure | SKT Addons for Elementor | 4.3 | Medium | 2024-11-09 |
| CVE-2024-10779 | Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Contributor+) Post Disclosure | Cowidgets – Elementor Addons | 5.3 | Medium | 2024-11-09 |
| CVE-2024-9262 | User Meta – User Profile Builder and User management plugin <= 3.1.1 - Insecure Direct Object Reference to Sensitive Information Exposure | User Meta – User Profile Builder and User management plugin | 6.5 | Medium | 2024-11-09 |
| CVE-2024-52313 | data.all authenticated users can obtain incorrect object level authorizations | data.all | 4.3 | Medium | 2024-11-09 |
| CVE-2024-51559 | Improper Access Control Vulnerability in Wave 2.0 | Wave 2.0 | 4.3 (AI) | Medium (AI) | 2024-11-04 |
| CVE-2024-37277 | WordPress Paid Memberships Pro plugin <= 3.0.4 - Insecure Direct Object References (IDOR) vulnerability | Paid Memberships Pro | 7.5 | High | 2024-11-01 |
| CVE-2024-10654 | TOTOLINK LR350 formLoginAuth.htm authorization | LR350 | 5.3 | Medium | 2024-11-01 |
| CVE-2024-9700 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | 5.3 | Medium | 2024-10-31 |
| CVE-2024-10452 | Grafana security vulnerability | Grafana | 2.2 | Low | 2024-10-29 |
| CVE-2024-7473 | IDOR Vulnerability in lunary-ai/lunary | lunary-ai/lunary | 4.3 (AI) | Medium (AI) | 2024-10-29 |
| CVE-2024-7474 | IDOR in lunary-ai/lunary | lunary-ai/lunary | 7.1 (AI) | High (AI) | 2024-10-29 |
| CVE-2024-50483 | WordPress Meetup plugin <= 0.1 - Broken Authentication vulnerability | Meetup | 9.8 | Critical | 2024-10-28 |
| CVE-2024-10439 | Sunnet eHRD CTMS - Insecure Direct Object Reference | eHRD CTMS | 5.3 | Medium | 2024-10-28 |
| CVE-2024-9637 | School Management System – WPSchoolPress <= 2.2.10 - Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation | School Management System – WPSchoolPress | 8.8 | High | 2024-10-26 |
| CVE-2024-10121 | wfh45678 Radar Interface authorization | Radar | 7.3 | High | 2024-10-18 |
| CVE-2024-9263 | WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover | Timetics – Appointment Booking & Scheduling | 9.8 | Critical | 2024-10-17 |
| CVE-2024-9215 | Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover | Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors | 8.8 | High | 2024-10-17 |
| CVE-2024-9862 | Miniorange OTP Verification with Firebase <= 3.6.0 - Unauthenticated Arbitrary User Password Change | Miniorange OTP Verification with Firebase | 9.8 | Critical | 2024-10-17 |
| CVE-2024-8040 | Authorization Bypass Through User-Controlled Key vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2024x | 3DSwymer | 7.7 | High | 2024-10-16 |
| CVE-2023-7286 | ACF Quick Edit Fields <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference | ACF Quick Edit Fields | 6.5 | Medium | 2024-10-16 |
| CVE-2024-49388 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 16 | 8.2 | - | 2024-10-15 |
| CVE-2024-9687 | WP 2FA with Telegram <= 3.0 - Authenticated (Subscriber+) Authentication Bypass | AuthPress | 8.8 | High | 2024-10-15 |
| CVE-2024-47495 | Junos OS Evolved: In a dual-RE scenario a locally authenticated attacker with shell privileges can take over the device. | Junos OS Evolved | 6.7 | Medium | 2024-10-11 |
| CVE-2024-7041 | IDOR in open-webui/open-webui | open-webui/open-webui | 4.3 (AI) | Medium (AI) | 2024-10-09 |
| CVE-2024-9554 | Sovell Smart Canteen System Password Reset suanfa.py Check_ET_CheckPwdz201 authorization | Smart Canteen System | 3.7 | Low | 2024-10-06 |
| CVE-2024-47316 | WordPress Salon Booking Wordpress Plugin plugin <= 10.9 - Insecure Direct Object References (IDOR) vulnerability | Salon booking system | 4.3 | Medium | 2024-10-05 |
| CVE-2024-47657 | Improper Access Control Vulnerability | Net Back Office | 6.5 | - | 2024-10-04 |

CVSS scores and severities marked "(AI)" are AI-estimated values rather than vendor- or NVD-assigned ratings, as flagged on the listing.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) represent 1041 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.