Vulnerabilities (CVE)

Filtered by CWE-639
Total 543 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-4226 1 Rsjoomla 1 Rsfirewall! 2024-02-04 N/A 9.8 CRITICAL
RSFirewall tries to identify the original IP address by looking at different HTTP headers. A bypass is possible due to the way it is implemented.
CVE-2022-4239 2024-02-04 N/A 6.5 MEDIUM
The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.
CVE-2022-3511 1 Getawesomesupport 1 Awesome Support 2024-02-04 N/A 6.5 MEDIUM
The Awesome Support WordPress plugin before 6.1.2 does not ensure that the exported tickets archive to be downloaded belongs to the user making the request, allowing a low privileged user, such as a subscriber, to download arbitrary exported tickets via an IDOR vector.
CVE-2022-3930 1 Wpwax 1 Directorist 2024-02-04 N/A 6.5 MEDIUM
The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of their own.
CVE-2022-43492 1 Gvectors 1 Wpdiscuz 2024-02-04 N/A 8.8 HIGH
Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.
CVE-2022-4812 1 Usememos 1 Memos 2024-02-04 N/A 6.5 MEDIUM
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
CVE-2023-0882 2 Krontech, Microsoft 2 Single Connect, Windows 2024-02-04 N/A 8.8 HIGH
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect on Windows allows Privilege Abuse. This issue affects Single Connect: 2.16.
CVE-2023-28109 1 Play-with-docker 1 Play With Docker 2024-02-04 N/A 6.5 MEDIUM
Play With Docker is a browser-based Docker playground. Versions 0.0.2 and prior are vulnerable to domain hijacking. Because the CORS configuration was not correct, an attacker could use `play-with-docker.com` as an example and set the Origin header in an HTTP request to `evil-play-with-docker.com`. The domain would be echoed back in the response header, which bypassed the CORS policy and allowed basic user information to be retrieved. This issue has been fixed in commit ed82247c9ab7990ad76ec2bf1498c2b2830b6f1a. There are no known workarounds.
CVE-2022-3995 1 Standalonetech 1 Terawallet 2024-02-04 N/A 4.3 MEDIUM
The TeraWallet plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.4.3. This is due to insufficient validation of the user-controlled key on the lock_unlock_terawallet AJAX action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to lock/unlock other users' wallets.
CVE-2022-24187 1 Sz-fujia 1 Ourphoto 2024-02-04 N/A 7.5 HIGH
The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities. Other end-users' user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an attacker to discover sensitive information such as end-user email addresses, and the unique frame_token value of all other Ourphoto App end-users.
CVE-2022-4811 1 Usememos 1 Memos 2024-02-04 N/A 5.4 MEDIUM
Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos. This issue affects usememos/memos before 0.9.1.
CVE-2022-3805 2024-02-04 N/A 7.5 HIGH
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.
CVE-2022-4806 1 Usememos 1 Memos 2024-02-04 N/A 5.3 MEDIUM
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-30852 1 Withknown 1 Known 2024-02-04 4.0 MEDIUM 4.3 MEDIUM
Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).
CVE-2022-3282 1 Codedropz 1 Drag And Drop Multiple File Upload - Contact Form 7 2024-02-04 N/A 4.3 MEDIUM
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
CVE-2022-40206 1 Gvectors 1 Wpforo Forum 2024-02-04 N/A 4.3 MEDIUM
Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.
CVE-2022-34621 1 Mealie 1 Mealie 2024-02-04 N/A 6.5 MEDIUM
Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.
CVE-2022-39945 1 Fortinet 1 Fortimail 2024-02-04 N/A 6.5 MEDIUM
An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains' information via insecure direct object references (IDOR).
CVE-2022-33944 1 Micodus 2 Mv720, Mv720 Firmware 2024-02-04 N/A 6.5 MEDIUM
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.
CVE-2022-1245 1 Redhat 1 Keycloak 2024-02-04 7.5 HIGH 9.8 CRITICAL
A privilege escalation flaw was found in the token exchange feature of Keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.