Common Weakness Enumeration

CWE-650

Allowed

Trusting HTTP Permission Methods on the Server Side

Abstraction: Variant · Status: Incomplete

The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.

20 vulnerabilities reference this CWE, most recent first.

CVE-2022-38115 (GCVE-0-2022-38115)

Vulnerability from cvelistv5 – Published: 2022-11-23 00:00 – Updated: 2025-04-24 19:20
VLAI
Title
Insecure Methods Vulnerability
Summary
Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
SolarWinds SolarWinds SEM Affected: 2022.2 and previous versions , < 2022.4 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:45:52.561Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-38115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T19:20:39.443430Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T19:20:55.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SolarWinds SEM ",
          "vendor": "SolarWinds ",
          "versions": [
            {
              "lessThan": "2022.4 ",
              "status": "affected",
              "version": "2022.2 and previous versions ",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInsecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\u003c/p\u003e"
            }
          ],
          "value": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-650",
              "description": "CWE-650",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-03T18:00:13.291Z",
        "orgId": "49f11609-934d-4621-84e6-e02e032104d6",
        "shortName": "SolarWinds"
      },
      "references": [
        {
          "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
        },
        {
          "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\u003c/p\u003e"
            }
          ],
          "value": "SolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\n\n"
        }
      ],
      "source": {
        "advisory": "CVE-2022-38115",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Methods Vulnerability",
      "x_generator": {
        "engine": "vulnogram 0.1.0-rc1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
    "assignerShortName": "SolarWinds",
    "cveId": "CVE-2022-38115",
    "datePublished": "2022-11-23T00:00:00.000Z",
    "dateReserved": "2022-08-09T00:00:00.000Z",
    "dateUpdated": "2025-04-24T19:20:55.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-3RF8-MGFC-9VFP

Vulnerability from github – Published: 2026-07-15 00:31 – Updated: 2026-07-15 00:31
VLAI
Details

A vulnerability was determined in zhinianboke xianyu-auto-reply on Server. Affected by this vulnerability is an unknown functionality of the file /api/v1/payment/withdraw/review?action=approve. Executing a manipulation can lead to trusting http permission methods on the server side. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 19fc3282a1bb78a05c34945c088525d20e081cbd. It is best practice to apply a patch to resolve this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T23:17:29Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was determined in zhinianboke xianyu-auto-reply on Server. Affected by this vulnerability is an unknown functionality of the file /api/v1/payment/withdraw/review?action=approve. Executing a manipulation can lead to trusting http permission methods on the server side. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 19fc3282a1bb78a05c34945c088525d20e081cbd. It is best practice to apply a patch to resolve this issue.",
  "id": "GHSA-3rf8-mgfc-9vfp",
  "modified": "2026-07-15T00:31:43Z",
  "published": "2026-07-15T00:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15753"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zhinianboke/xianyu-auto-reply/issues/192"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zhinianboke/xianyu-auto-reply/commit/19fc3282a1bb78a05c34945c088525d20e081cbd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zhinianboke/xianyu-auto-reply"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-15753"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/856719"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/378335"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/378335/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3WWX-RQJR-VJCC

Vulnerability from github – Published: 2024-10-08 06:30 – Updated: 2024-10-08 06:30
VLAI
Details

Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-08T04:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Fields which are in \u0027read only\u0027 state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.",
  "id": "GHSA-3wwx-rqjr-vjcc",
  "modified": "2024-10-08T06:30:47Z",
  "published": "2024-10-08T06:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45282"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3251893"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4528-VMXJ-V97W

Vulnerability from github – Published: 2022-11-23 18:30 – Updated: 2022-11-28 18:30
VLAI
Details

Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT",
  "id": "GHSA-4528-vmxj-v97w",
  "modified": "2022-11-28T18:30:15Z",
  "published": "2022-11-23T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38115"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-459M-QJWC-XV42

Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30
VLAI
Details

IBM PowerSC 1.3, 2.0, and 2.1 uses insecure HTTP methods which could allow a remote attacker to perform unauthorized file request modification. IBM X-Force ID: 275109.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-02T01:15:07Z",
    "severity": "MODERATE"
  },
  "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses insecure HTTP methods which could allow a remote attacker to perform unauthorized file request modification.  IBM X-Force ID:  275109.\n\n",
  "id": "GHSA-459m-qjwc-xv42",
  "modified": "2024-02-02T03:30:32Z",
  "published": "2024-02-02T03:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50327"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275109"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7113759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5Q69-34VJ-QHX4

Vulnerability from github – Published: 2024-09-05 18:30 – Updated: 2024-09-05 18:30
VLAI
Details

IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-05T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.",
  "id": "GHSA-5q69-34vj-qhx4",
  "modified": "2024-09-05T18:30:56Z",
  "published": "2024-09-05T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45097"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7167255"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q683-6JPM-44V4

Vulnerability from github – Published: 2024-09-05 18:30 – Updated: 2024-09-05 18:30
VLAI
Details

IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-05T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.",
  "id": "GHSA-q683-6jpm-44v4",
  "modified": "2024-09-05T18:30:56Z",
  "published": "2024-09-05T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45098"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7167255"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJVG-GX5P-355W

Vulnerability from github – Published: 2025-08-04 21:30 – Updated: 2025-08-04 21:30
VLAI
Details

Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-04T19:15:30Z",
    "severity": "HIGH"
  },
  "details": "Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.",
  "id": "GHSA-qjvg-gx5p-355w",
  "modified": "2025-08-04T21:30:42Z",
  "published": "2025-08-04T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21120"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000347698/dsa-2025-271-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9GH-MC2W-WRG3

Vulnerability from github – Published: 2024-04-04 18:30 – Updated: 2024-04-04 18:30
VLAI
Details

IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application Gateway 20.01 through 24.03 could allow a remote attacker to obtain highly sensitive private information or cause a denial of service using a specially crafted HTTP request. IBM X-Force ID: 286584.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T18:15:14Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application Gateway 20.01 through 24.03 could allow a remote attacker to obtain highly sensitive private information or cause a denial of service using a specially crafted HTTP request.  IBM X-Force ID:  286584.",
  "id": "GHSA-w9gh-mc2w-wrg3",
  "modified": "2024-04-04T18:30:33Z",
  "published": "2024-04-04T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28787"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/286584"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7145828"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCF4-WW3V-C58X

Vulnerability from github – Published: 2025-08-07 17:34 – Updated: 2025-08-14 21:31
VLAI
Details

IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass security restrictions caused by a failure to honor security configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-07T16:15:29Z",
    "severity": "LOW"
  },
  "details": "IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7\u00a0could allow a remote attacker to bypass security restrictions caused by a failure to honor security configuration.",
  "id": "GHSA-xcf4-ww3v-c58x",
  "modified": "2025-08-14T21:31:57Z",
  "published": "2025-08-07T17:34:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56339"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7239955"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
System Configuration

Configure ACLs on the server side to ensure that proper level of access control is defined for each accessible resource representation.

No CAPEC attack patterns related to this CWE.