Total
543 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-19575 | 1 Gitlab | 1 Gitlab | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue. | |||||
CVE-2018-16971 | 1 Wisetail | 1 Learning Management System | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to access non-purchased course contents (quiz / test) via a modified id parameter. | |||||
CVE-2018-1000210 | 1 Yamldotnet Project | 1 Yamldotnet | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0. | |||||
CVE-2018-16704 | 1 Gleeztech | 1 Gleezcms | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged in users) to view profile page of other users, as demonstrated by navigating to user/3 on demo.gleezcms.org. | |||||
CVE-2018-16606 | 1 Proconf | 1 Proconf | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter). | |||||
CVE-2018-16608 | 1 Monstra | 1 Monstra | 2024-02-04 | 4.0 MEDIUM | 8.8 HIGH |
In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). | |||||
CVE-2018-15833 | 1 Vanillaforums | 1 Vanilla Forums | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items). | |||||
CVE-2018-10211 | 1 Vaultize | 1 Enterprise File Sharing | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified "vaultize_session_id" value in a cookie. | |||||
CVE-2017-0936 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-04 | 4.9 MEDIUM | 5.7 MEDIUM |
Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user. | |||||
CVE-2017-15197 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user. | |||||
CVE-2017-15206 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user. | |||||
CVE-2017-15209 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user. | |||||
CVE-2017-15200 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user. | |||||
CVE-2017-15211 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. | |||||
CVE-2017-15208 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user. | |||||
CVE-2017-15199 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description. | |||||
CVE-2017-15196 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user. | |||||
CVE-2017-15207 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user. | |||||
CVE-2017-15203 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. | |||||
CVE-2017-15204 | 1 Kanboard | 1 Kanboard | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user. |