Total
455 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-8503 | 1 Biscom | 1 Secure File Transfer | 2024-02-04 | 3.5 LOW | 6.5 MEDIUM |
Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004. | |||||
CVE-2014-8356 | 1 Dasanzhone | 2 Znid 2426a, Znid 2426a Firmware | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference. | |||||
CVE-2019-19866 | 1 Atos | 1 Unify Openscape Uc Web Client | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs. | |||||
CVE-2019-20209 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2024-02-04 | 6.4 MEDIUM | 7.5 HIGH |
The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing. | |||||
CVE-2019-19259 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR). | |||||
CVE-2019-16723 | 1 Cacti | 1 Cacti | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. | |||||
CVE-2019-15815 | 1 Zyxel | 2 2.00\(abbx.3\), P-1302-t10d | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges. | |||||
CVE-2020-5539 | 1 Grandit | 1 Grandit | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
GRANDIT Ver.1.6, Ver.2.0, Ver.2.1, Ver.2.2, Ver.2.3, and Ver.3.0 do not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and then alter or disclose the information via unspecified vectors. | |||||
CVE-2019-17604 | 1 Eyecomms | 1 Eyecms | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
An Insecure Direct Object Reference (IDOR) vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to change other candidates' personal information (first name, last name, email, CV, phone number, and all other personal information) by changing the value of the candidate id (the id parameter). | |||||
CVE-2019-15913 | 1 Mi | 10 Dgnwg03lm, Dgnwg03lm Firmware, Mccgq01lm and 7 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, causing attackers to gain sensitive information and denial of service attack, take over smart home devices, and tamper with messages. | |||||
CVE-2019-15582 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment. | |||||
CVE-2019-17574 | 1 Code-atlantic | 1 Popup Maker | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file"). | |||||
CVE-2019-15581 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules. | |||||
CVE-2019-19616 | 1 Xtivia | 1 Web Time And Expense | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function. | |||||
CVE-2019-8235 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input. | |||||
CVE-2019-5466 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed new merge requests endpoint to disclose label names. | |||||
CVE-2020-6859 | 1 Ultimatemember | 1 Ultimate Member | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image. | |||||
CVE-2019-16340 | 1 Linksys | 6 Velop Whw0301, Velop Whw0301 Firmware, Velop Whw0302 and 3 more | 2024-02-04 | 6.4 MEDIUM | 9.8 CRITICAL |
Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI. | |||||
CVE-2019-17050 | 1 Thecontrolgroup | 1 Voyager | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment. | |||||
CVE-2019-5469 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.5 MEDIUM | 6.5 MEDIUM |
An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets. |