CVEbaza.plSłownik CWECWE-566
Common Weakness Enumeration

CWE-566

Authorization Bypass Through User-Controlled SQL Primary Key

Kategoria: VariantCVE: 8
Opis

Produkt używa tabeli bazy danych zawierającej rekordy, które nie powinny być dostępne dla danego aktora, jednak wykonuje instrukcję SQL z głównym kluczem, który może być kontrolowany przez tego aktora. Umożliwia to nieautoryzowany dostęp do chronionych danych poprzez manipulację wartością klucza głównego.

Description (EN)

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Podatności CVE z CWE-566 (8)
9.8
CVSS
CRITICAL
CVE-2025-9953

Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd. Databank Accreditation Software allows SQL Injection. This issue affects Databank Accreditation Software: before 2026/04.

pub. 2026-02-19
9.1
CVSS
CRITICAL
CVE-2014-0808

Authorization bypass through user-controlled key issue exists in EC-CUBE 2.11.0 through 2.12.2 and EC-Orange systems deployed before June 29th, 2015. If this vulnerability is exploited, a user of the affected shopping website may obtain other users' information by sending a crafted HTTP request.

pub. 2014-01-22
7.1
CVSS
HIGH
CVE-2025-61781

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue.

pub. 2026-01-05
6.5
CVSS
MEDIUM
CVE-2026-21886

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analyses reports etc. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.

pub. 2026-03-17
3.8
CVSS
LOW
CVE-2025-56556

W Subrion CMS 4.2.1 wykryto lukę umożliwiającą administratorom i moderatorom z dostępem do wbudowanej funkcji Run SQL Query w panelu administracyjnym SQL Tool uzyskanie eskalacji uprawnień w kontekście narzędzia SQL query.

pub. 2025-09-11
2.7
CVSS
LOW
CVE-2025-30368

Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete an export of a different organization. This is fixed in Zulip Server 10.1.

pub. 2025-03-31
2.7
CVSS
LOW
CVE-2025-30369

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete custom profile fields belonging to a different organization. This is fixed in Zulip Server 10.1.

pub. 2025-03-31
2.7
CVSS
LOW
CVE-2024-22261

SQL-Injection in Harbor allows priviledge users to leak the task IDs

pub. 2024-06-11
Informacje
ID: CWE-566
Typ: Variant
Podatności: 8
MITRE CWE ↗
← Słownik CWE