Cyber Resilience

CVE-2022-36539

High · Public PoC

Published: 07 September 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0651 (91.3rd percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36539 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the Eigen&Wijzer Ouderapp (Eigen&Wijzer Ouderapp Project). Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-36539 is an insecure direct object reference vulnerability (CWE-639) affecting WeDayCare B.V Ouderapp versions prior to 1.1.22. The flaw lies in the application's handling of API or network calls: user-controlled ID parameters are not validated against the authenticated session, so a caller can retrieve data it is not authorized to see. The CVSS 3.1 base score is 7.5.

An unauthenticated attacker who can intercept the application's network traffic can modify ID values in requests to retrieve sensitive information belonging to other parents and children. The attack requires no credentials or user interaction and can be performed remotely over the network.

Public references consist of the affected iOS App Store listing and a GitHub repository containing the CVE details; no vendor advisory or patch information is provided in the available sources. The EPSS score has remained flat at 0.0651 with no observed increase after disclosure.


Vulnerability details

WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.

CWE(s)

CWE-639: Authorization Bypass Through User-Controlled Key

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: eigen&wijzer ouderapp project
Product: eigen&wijzer ouderapp
Versions: ≤ 1.1.22

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Per-request decision making (addresses CWE-639): making the authorization decision on every request makes it harder to bypass authorization with user-controlled keys that are not validated in the decision process.

Consistent enforcement of approved authorizations (addresses CWE-639): consistently checking each request against the caller's approved authorizations makes bypass via user-controlled keys ineffective.
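The two controls above, shown as an added illustration of the CWE-639 pattern this CVE describes (this is not code from the Ouderapp or from its vendor): a record lookup keyed on a client-supplied child ID, first without any ownership check, then with a per-request decision that ties the key to the authenticated parent. The data model, `Session` object, function names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which parents are authorised to view each child.
CHILDREN = {
    "c-1001": {"name": "Child A", "parent_ids": {"p-1"}},
    "c-1002": {"name": "Child B", "parent_ids": {"p-2"}},
    "c-1003": {"name": "Child C", "parent_ids": {"p-1", "p-3"}},
}

# Authorization denials worth alerting on: a valid session asking for an ID it
# does not own is the signature of the ID tampering this CVE describes.
DENIED_LOOKUPS: list = []


@dataclass
class Session:
    parent_id: Optional[str] = None  # None models an unauthenticated caller


def get_child_vulnerable(session: Session, child_id: str):
    """CWE-639 pattern: the user-controlled key is the only thing consulted."""
    record = CHILDREN.get(child_id)
    return (404, None) if record is None else (200, record)


def get_child_hardened(session: Session, child_id: str):
    """Per-request decision: authenticate, then check the key against the
    caller's own authorizations before any record data is returned."""
    if session.parent_id is None:
        return (401, None)  # unauthenticated callers never reach the lookup
    record = CHILDREN.get(child_id)
    if record is None or session.parent_id not in record["parent_ids"]:
        if record is not None:
            DENIED_LOOKUPS.append((session.parent_id, child_id))
        # Same status for "absent" and "not yours", so a client cannot tell
        # valid IDs from invalid ones by the response code alone.
        return (404, None)
    return (200, record)
```

The vulnerable handler returns any record for any ID, even to an unauthenticated caller; the hardened one answers 401 without a session, 404 for IDs the caller does not own, and records the denied attempts for monitoring.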
