CVE-2022-36539
Published: 07 September 2022
Summary
CVE-2022-36539 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Eigen&Wijzer Ouderapp Project Eigen&Wijzer Ouderapp. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-36539 is an insecure direct object reference vulnerability (CWE-639) affecting WeDayCare B.V Ouderapp versions prior to 1.1.22. The flaw resides in the application's handling of API or network calls, where user-controlled ID parameters are not properly validated against the authenticated session, enabling unauthorized data access with a CVSS 3.1 score of 7.5.
An unauthenticated attacker who can intercept the application's network traffic can modify ID values in requests to retrieve sensitive information belonging to other parents and children. The attack requires no credentials or user interaction and can be performed remotely over the network.
Public references consist of the affected iOS App Store listing and a GitHub repository containing the CVE details; no vendor advisory or patch information is provided in the available sources. The EPSS score has remained flat at 0.0651 with no observed increase after disclosure.
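The pattern described above, as an added example that is not code from the Ouderapp product: a record lookup that trusts the request's ID outright (the CWE-639 defect) beside one that resolves the caller from the server-side session and checks ownership before returning anything, plus a small request loop that counts denials per session as a detection signal. The record layout, session tokens and endpoint names are constructed for illustration.

```python
# Added example (not from the Ouderapp code base): minimal CWE-639 lookup and fix.
# All data below is constructed for illustration.
CHILDREN = {  # child ID -> record; each child belongs to exactly one parent
    101: {"name": "child-A", "parent_id": 1, "notes": "allergy info A"},
    202: {"name": "child-B", "parent_id": 2, "notes": "allergy info B"},
}
SESSIONS = {"tok-parent-1": 1, "tok-parent-2": 2}  # opaque token -> parent ID


class Forbidden(Exception):
    """Caller is authenticated but does not own the requested record."""


class Unauthenticated(Exception):
    """No valid session token accompanied the request."""


def get_child_vulnerable(child_id: int) -> dict:
    # Vulnerable pattern: the ID taken from the request selects the record
    # directly; the caller's identity is never consulted (IDOR, CWE-639).
    return CHILDREN[child_id]


def get_child(session_token: str, child_id: int) -> dict:
    # Hardened pattern: identity comes from the server-side session, never
    # from the request body, and the record must belong to that identity.
    parent_id = SESSIONS.get(session_token)
    if parent_id is None:
        raise Unauthenticated("missing or invalid session")
    record = CHILDREN.get(child_id)
    # Same error for "not found" and "not yours", so responses do not reveal
    # which IDs exist to a caller probing the ID space.
    if record is None or record["parent_id"] != parent_id:
        raise Forbidden(f"parent {parent_id} may not read child {child_id}")
    return record


def serve(requests: list[tuple[str, int]]) -> tuple[list, dict]:
    """Process (token, child_id) requests; return outcomes and denials per token."""
    outcomes, denials = [], {}  # repeated denials per session are an alert signal
    for token, child_id in requests:
        try:
            outcomes.append(("ok", get_child(token, child_id)["name"]))
        except Forbidden:
            denials[token] = denials.get(token, 0) + 1
            outcomes.append(("forbidden", None))
        except Unauthenticated:
            outcomes.append(("unauthenticated", None))
    return outcomes, denials
```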
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39246
Vulnerability details
WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.