Total
543 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28986 | 1 Lmsdoctor | 1 2 Factor Authentication | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: 2021072900 has an Insecure direct object references (IDOR) vulnerability, which allows remote attackers to update sensitive records such as email, password and phone number of other user accounts. | |||||
| CVE-2022-0624 | 1 Parse-path Project | 1 Parse-path | 2024-02-04 | 7.5 HIGH | 7.3 HIGH |
| Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0. | |||||
| CVE-2022-25471 | 1 Open-emr | 1 Openemr | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register. | |||||
| CVE-2022-1165 | 1 Plugin-planet | 1 Blackhole For Bad Bots | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator and even more. | |||||
| CVE-2022-29287 | 1 Kentico | 1 Kentico | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
| Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password). | |||||
| CVE-2022-1810 | 1 Publify Project | 1 Publify | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9. | |||||
| CVE-2022-0686 | 1 Url-parse Project | 1 Url-parse | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. | |||||
| CVE-2022-31295 | 1 Online Discussion Forum Site Project | 1 Online Discussion Forum Site | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue in the delete_post() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily delete posts. | |||||
| CVE-2022-2243 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects. | |||||
| CVE-2022-0512 | 1 Url-parse Project | 1 Url-parse | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6. | |||||
| CVE-2022-1996 | 2 Fedoraproject, Go-restful Project | 2 Fedora, Go-restful | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0. | |||||
| CVE-2022-1614 | 1 Wp-email Project | 1 Wp-email | 2024-02-04 | 4.3 MEDIUM | 7.5 HIGH |
| The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions. | |||||
| CVE-2022-27108 | 1 Orangehrm | 1 Orangehrm | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account. | |||||
| CVE-2022-22331 | 1 Ibm | 1 Partner Engagement Manager | 2024-02-04 | 5.5 MEDIUM | 7.1 HIGH |
| IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 219130. | |||||
| CVE-2022-26254 | 1 Wowonder | 1 Wowonder | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names. | |||||
| CVE-2022-0732 | 1 1byte | 9 Copy9, Exactspy, Fonetracker and 6 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. | |||||
| CVE-2021-24800 | 1 Designwall | 1 Dw Question \& Answer | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments. | |||||
| CVE-2022-31883 | 1 Marvalglobal | 1 Marval Msm | 2024-02-04 | 4.0 MEDIUM | 8.8 HIGH |
| Marval MSM v14.19.0.12476 is has an Insecure Direct Object Reference (IDOR) vulnerability. A low privilege user is able to see other users API Keys including the Admins API Keys. | |||||
| CVE-2021-38362 | 1 Rsa | 1 Archer | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data. | |||||
| CVE-2022-27247 | 1 Cdsoft | 1 Winhotel.mx | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer (e.g., data of birth, full address, mail information, and phone number) via GastKont Insecure Direct Object Reference. | |||||