Total: 543 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-15581 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM | An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
CVE-2019-19616 | 1 Xtivia | 1 Web Time And Expense | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM | An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function.
CVE-2019-8235 | 1 Magento | 1 Magento | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM | An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input.
CVE-2019-5466 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM | An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge requests endpoint to disclose label names.
CVE-2020-6859 | 1 Ultimatemember | 1 Ultimate Member | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM | Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.
CVE-2019-16340 | 1 Linksys | 6 Velop Whw0301, Velop Whw0301 Firmware, Velop Whw0302 and 3 more | 2024-02-04 | 6.4 MEDIUM | 9.8 CRITICAL | Belkin Linksys Velop 1.1.8.192419 devices allow remote attackers to discover the recovery key via a direct request for the /sysinfo_json.cgi URI.
CVE-2019-17050 | 1 Thecontrolgroup | 1 Voyager | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH | An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.
CVE-2019-5469 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.5 MEDIUM | 6.5 MEDIUM | An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from a project archive to replace other users' files, potentially allowing an attacker to replace project binaries or other uploaded assets.
CVE-2019-16546 | 1 Jenkins | 1 Google Compute Engine | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM | Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.
CVE-2019-13337 | 1 Weseek | 1 Growi | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required.
CVE-2019-15725 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API could result in disclosure of private milestones, labels, and other information.
CVE-2018-19584 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups.
CVE-2018-18976 | 1 Ascensia | 1 Contour Diabetes | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM | An issue was discovered in the Ascensia Contour NEXT ONE application for iOS and Android before 2019-01-15. An attacker may retrieve encrypted medical information of any user of the Ascensia cloud platform by performing Direct Object References with a series of user ID values. (This information can be decrypted through a different vulnerability.)
CVE-2019-7854 | 1 Magento | 1 Magento | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
CVE-2019-16403 | 1 Webkul | 1 Bagisto | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH | In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.
CVE-2019-5966 | 1 Joruri | 1 Joruri Mail | 2024-02-04 | 5.8 MEDIUM | 5.4 MEDIUM | Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors.
CVE-2019-12782 | 1 Thoughtspot | 1 Thoughtspot | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH | An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them.
CVE-2019-9219 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.3 MEDIUM | 3.7 LOW | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5).
CVE-2019-13360 | 1 Centos-webpanel | 1 Centos Web Panel | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.
CVE-2019-10108 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM | An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private project/group to add and read labels.