Total
455 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16546 | 1 Jenkins | 1 Google Compute Engine | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. | |||||
| CVE-2019-13337 | 1 Weseek | 1 Growi | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required. | |||||
| CVE-2019-15725 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API that could result in disclosure of private milestones, labels, and other information. | |||||
| CVE-2018-19584 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups. | |||||
| CVE-2018-18976 | 1 Ascensia | 1 Contour Diabetes | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the Ascensia Contour NEXT ONE application for iOS and Android before 2019-01-15. An attacker may retrieve encrypted medical information of any user of the Ascensia cloud platform by performing Direct Object References with a series of user ID values. (This information can be decrypted through a different vulnerability.) | |||||
| CVE-2019-7854 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details. | |||||
| CVE-2019-16403 | 1 Webkul | 1 Bagisto | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers. | |||||
| CVE-2019-5966 | 1 Joruri | 1 Joruri Mail | 2024-02-04 | 5.8 MEDIUM | 5.4 MEDIUM |
| Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors. | |||||
| CVE-2019-12782 | 1 Thoughtspot | 1 Thoughtspot | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH |
| An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them. | |||||
| CVE-2019-9219 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.3 MEDIUM | 3.7 LOW |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5). | |||||
| CVE-2019-13360 | 1 Centos-webpanel | 1 Centos Web Panel | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username. | |||||
| CVE-2019-10108 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private project/group to add and read labels. | |||||
| CVE-2019-7950 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information. | |||||
| CVE-2019-13461 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. | |||||
| CVE-2019-9756 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732. | |||||
| CVE-2019-12866 | 1 Jetbrains | 1 Youtrack | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168. | |||||
| CVE-2018-19582 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user. | |||||
| CVE-2019-7890 | 1 Magento | 1 Magento | 2024-02-04 | 7.5 HIGH | 7.3 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details. | |||||
| CVE-2019-14245 | 1 Centos-webpanel | 1 Centos Web Panel | 2024-02-04 | 5.5 MEDIUM | 6.5 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account. | |||||
| CVE-2019-6716 | 1 Logonbox | 1 Nervepoint Access Manager | 2024-02-04 | 7.5 HIGH | 9.4 CRITICAL |
| An unauthenticated Insecure Direct Object Reference (IDOR) in Wicket Core in LogonBox Nervepoint Access Manager 2013 through 2017 allows a remote attacker to enumerate internal Active Directory usernames and group names, and alter back-end server jobs (backup and synchronization jobs), which could allow for the possibility of a Denial of Service attack via a modified jobId parameter in a runJob.html GET request. | |||||