CWE-639 (通过用户控制密钥绕过授权机制) — Vulnerability Class 1033

1033 vulnerabilities classified as CWE-639 (通过用户控制密钥绕过授权机制). AI Chinese analysis included.

CVE ID	Title	CVSS	Severity	Published
CVE-2025-34436	AVideo < 20.1 IDOR Arbitrary File Upload — AVideo	6.5^AI	Medium^AI	2025-12-17
CVE-2025-14101	IDOR in GG Soft's PaperWork — PaperWork	7.1	High	2025-12-17
CVE-2025-11924	Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token — Ninja Forms – The Contact Form Builder That Grows With You	7.5	High	2025-12-17
CVE-2025-13474	IDOR in Menulux Software's Mobile App — Mobile App	7.5	High	2025-12-16
CVE-2025-68071	WordPress Essential Real Estate plugin <= 5.3.2 - Insecure Direct Object References (IDOR) vulnerability — Essential Real Estate	6.5	Medium	2025-12-16
CVE-2025-67985	WordPress Document Library Lite plugin <= 1.1.7 - Insecure Direct Object References (IDOR) vulnerability — Document Library Lite	5.3	Medium	2025-12-16
CVE-2025-66132	WordPress FAPI Member plugin <= 2.2.30 - Insecure Direct Object References (IDOR) vulnerability — FAPI Member	5.3	Medium	2025-12-16
CVE-2025-58137	Apache Fineract: IDOR via self-service API — Apache Fineract	7.5^AI	High^AI	2025-12-12
CVE-2025-14356	Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF — Ultra Addons for Contact Form 7	4.3	Medium	2025-12-12
CVE-2025-61950	Japan Total System多款产品安全漏洞 — GroupSession Free edition	4.3^AI	Medium^AI	2025-12-12
CVE-2025-12883	Campay Woocommerce Payment Gateway <= 1.2.2 - Unauthenticated Payment Bypass — Campay Woocommerce Payment Gateway	5.3	Medium	2025-12-12
CVE-2025-13124	IDOR in Netiket''s ApplyLogic — ApplyLogic	7.6	High	2025-12-11
CVE-2025-13003	IDOR in Aksis Computer's AxOnboard — AxOnboard	7.6	High	2025-12-11
CVE-2025-11247	Authorization Bypass Through User-Controlled Key in GitLab — GitLab	4.3	Medium	2025-12-11
CVE-2020-36895	EIBIZ i-Media Server Digital Signage 3.8.0 Unauthenticated Configuration Disclosure — i-Media Server Digital Signage	9.8^AI	Critical^AI	2025-12-10
CVE-2025-13125	IDOR in Im Park's DijiDemi — DijiDemi	4.3	Medium	2025-12-10
CVE-2025-41358	Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A — CronosWeb	6.5^AI	Medium^AI	2025-12-10
CVE-2025-63065	WordPress Media LIbrary Assistant plugin <= 3.29 - Broken Access Control vulnerability — Media LIbrary Assistant	5.3	Medium	2025-12-09
CVE-2025-67594	WordPress Thim Elementor Kit plugin <= 1.3.3 - Insecure Direct Object References (IDOR) vulnerability — Thim Elementor Kit	4.3	Medium	2025-12-09
CVE-2025-64497	Tuleap exposes releases for all projects to File Release System project administrators — tuleap	6.5	Medium	2025-12-08
CVE-2025-13748	Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id — Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder	5.3	Medium	2025-12-06
CVE-2025-66558	Nextcloud Twofactor WebAuthn app was updated based on public key — security-advisories	3.1	Low	2025-12-05
CVE-2025-66556	Nextcloud talk allows participants to blindly delete poll drafts of other users by ID — security-advisories	3.5	Low	2025-12-05
CVE-2025-66553	Nextcloud Tables app allowed users to view columns metadata information of any table — security-advisories	4.3	Medium	2025-12-05
CVE-2025-66551	Nextcloud Tables is missing an ownership check which allows moving columns into tables of other users — security-advisories	6.3	Medium	2025-12-05
CVE-2025-66513	Nextcloud Tables app share information not limited to relevant users — security-advisories	4.3	Medium	2025-12-05
CVE-2025-66546	Nextcloud Calendar app allowed booking appointments without the generated token — security-advisories	3.3	Low	2025-12-05
CVE-2025-66547	Nextcloud Server users can modify tags on files that do not belong to them — security-advisories	4.3	Medium	2025-12-05
CVE-2025-13932	SolisCloud Monitoring Platform 安全漏洞 — Monitoring Platform (Cloud API & Device Control API)	4.3^AI	Medium^AI	2025-12-04
CVE-2025-12997	Medtronic CareLink Network 安全漏洞 — CareLink Network	2.2	Low	2025-12-04

Vulnerabilities classified as CWE-639 (通过用户控制密钥绕过授权机制) represent 1033 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.

Goal Reached Thanks to every supporter — we hit 100%!

CWE-639 (通过用户控制密钥绕过授权机制) — Vulnerability Class 1033