Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects CVLand: from 2.1.0 through 20251103. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
The vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key) involves the application using a user-controlled value as a key to make authorization decisions. An attacker can conduct a Parameter Injection attack by modifying request parameters in such a way as to gain access to resources or functions for which they normally do not have permissions. The attack vector is network-based (AV:N), does not require victim interaction or high privileges (a regular user account is sufficient), and the attack scope covers components beyond the application itself (S:C).
An attacker with a basic account in the system can bypass access control mechanisms, gaining unauthorized access to other users' data or sensitive system resources, and potentially modifying data and disrupting application functionality.
Patches available from the manufacturer should be applied according to the references. It should be noted that the manufacturer did not respond to contact attempts as part of responsible vulnerability disclosure, which may indicate that no fix is available — in such case, it is recommended to consider disabling or isolating the application until a patch is released.
CVLand by CB Project Ltd. Co. in versions from 2.1.0 to 20251103 inclusive.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L