Description
Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.

This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.
Published: 2026-05-14
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR flaw (CWE-639, Authorization Bypass Through User-Controlled Key) in the Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi application. A request carries an object identifier that the user controls, and the application uses that identifier to look up the object without checking that the requesting user owns it or is otherwise permitted to use it. Per the CVSS vector the attacker is an already-authenticated user holding high privileges (PR:H), not an anonymous one; the missing check lets that user reach data or operations belonging to other users or otherwise restricted to them, which the record classifies as privilege abuse.

Affected Systems

Affected instances are those running DijiDemi versions from v4.5.12.1 up to, but not including, v4.5.13.0. Any deployment in that range is exposed to this authorization bypass; v4.5.13.0 is the first release outside the affected range.

Risk and Exploitability

The CVSS 3.1 base score of 6.8 (Medium) comes from the vector AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H: the endpoint is reachable over the network with low attack complexity, and a successful exploit has high impact on confidentiality, integrity and availability, but the score is held down because the attacker must already hold high privileges in the application and an action by another user is required (UI:R). The SSVC assessment recorded in the history below gives Exploitation: none, Automatable: no and Technical Impact: total. No EPSS value is published and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild at the time of analysis. In practice the exploit is an ordinary request to the affected endpoint in which the attacker substitutes another user's identifier for their own; the application acts on it because the ownership check on that identifier is missing.

Generated by OpenCVE AI on May 14, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE entry. The affected range ends before v4.5.13.0, so that release is the first the record treats as unaffected.

OpenCVE Recommended Actions

  • Upgrade the DijiDemi application to version 4.5.13.0 or later, which contains the fix for the authorization bypass.
  • Re‑implement authorization checks to ensure that any request containing a user‑controlled key first verifies that the requesting user owns or is permitted to use the key, thereby preventing indirect authorization bypass.
  • Conduct a code review and audit of all endpoints that accept user‑controlled identifiers, focusing on proper access‑control enforcement.

Generated by OpenCVE AI on May 14, 2026 at 14:40 UTC.
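As an added illustration of the second recommended action, the following Python is editor-supplied example code, not code from DijiDemi, Im Park or OpenCVE. It shows the IDOR pattern (an authenticated lookup that trusts a user-controlled record identifier) beside a hardened version that ties the identifier to the caller before returning anything. The record store, the users, the `Record` and `Session` types, the `is_permitted` rule and the `NotFound` response are all constructed for the example; the application's real data model and endpoints are not described on this page.

```python
"""Added example (not DijiDemi code): an object-level authorization check
for a lookup keyed by a user-controlled identifier (CWE-639 / IDOR).

The record store, users and permission rule below are constructed for
illustration only; nothing here is taken from the DijiDemi application."""

from dataclasses import dataclass, field


@dataclass
class Record:
    record_id: int
    owner: str
    body: str
    # usernames the owner has explicitly granted read access
    shared_with: set = field(default_factory=set)


@dataclass
class Session:
    """Stand-in for the authenticated caller's session."""
    username: str
    is_admin: bool = False


# Constructed sample data: two users, each owning one record.
RECORDS = {
    1001: Record(1001, "alice", "alice's private exam results"),
    1002: Record(1002, "bob", "bob's private exam results", shared_with={"carol"}),
}


class NotFound(Exception):
    """Raised for both 'no such record' and 'not yours'; see the usage note."""


def get_record_vulnerable(session: Session, record_id: int) -> Record:
    """The IDOR pattern: the caller is authenticated, but the key is never
    tied to the caller. Any logged-in user reads any record by changing id."""
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id)


def is_permitted(session: Session, record: Record) -> bool:
    """Object-level check: owner, explicit share, or admin role."""
    return (
        session.username == record.owner
        or session.username in record.shared_with
        or session.is_admin
    )


def get_record_hardened(session: Session, record_id: int) -> Record:
    """Look up by the user-controlled key, then verify the caller may use it.
    A record the caller may not see is reported exactly like a record that
    does not exist, so the endpoint cannot be used to enumerate valid ids."""
    record = RECORDS.get(record_id)
    if record is None or not is_permitted(session, record):
        raise NotFound(record_id)
    return record


def can_read(fetch, session: Session, record_id: int) -> bool:
    """Demonstration helper: True if fetch() returns the record."""
    try:
        fetch(session, record_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    bob = Session("bob")
    # Vulnerable handler: bob reads alice's record just by supplying her id.
    print("vulnerable, bob -> 1001:", can_read(get_record_vulnerable, bob, 1001))  # True
    # Hardened handler: the same request is refused.
    print("hardened, bob -> 1001:", can_read(get_record_hardened, bob, 1001))  # False
    # bob still reads his own record, and carol reads what bob shared with her.
    print("hardened, bob -> 1002:", can_read(get_record_hardened, bob, 1002))  # True
    print("hardened, carol -> 1002:", can_read(get_record_hardened, Session("carol"), 1002))  # True
```

Run it directly to see bob read alice's record through the vulnerable path and be refused through the hardened one. Two design points carry over to a real audit of endpoints that accept user-controlled identifiers: the authorization decision is made on the object after the lookup (owner, explicit grant or role), not merely on the route, and a forbidden object is reported the same way as a missing one so the endpoint cannot be used to confirm which identifiers exist.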

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 13:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse. This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.

Type: Title
Values Removed: (none)
Values Added: IDOR in Im Park's DijiDemi

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-14T13:48:41.525Z

Reserved: 2026-04-09T13:46:11.729Z

Link: CVE-2026-6008

Vulnrichment

Updated: 2026-05-14T13:48:37.096Z

NVD

Status: Deferred

Published: 2026-05-14T13:16:21.423

Modified: 2026-05-14T16:20:13.477

Link: CVE-2026-6008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses