Total
656 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-17449 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 7.5 High |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via events API insecure direct object reference. | ||||
| CVE-2018-17455 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 7.5 High |
| An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature. | ||||
| CVE-2018-16971 | 1 Wisetail | 1 Learning Management System | 2024-08-05 | N/A |
| Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to access non-purchased course contents (quiz / test) via a modified id parameter. | ||||
| CVE-2018-16704 | 1 Gleeztech | 1 Gleezcms | 2024-08-05 | N/A |
| An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged in users) to view profile page of other users, as demonstrated by navigating to user/3 on demo.gleezcms.org. | ||||
| CVE-2018-16608 | 1 Monstra | 1 Monstra | 2024-08-05 | N/A |
| In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). | ||||
| CVE-2018-16606 | 1 Proconf | 1 Proconf | 2024-08-05 | N/A |
| In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter). | ||||
| CVE-2018-15833 | 1 Vanillaforums | 1 Vanilla Forums | 2024-08-05 | N/A |
| In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items). | ||||
| CVE-2018-10211 | 1 Vaultize | 1 Enterprise File Sharing | 2024-08-05 | N/A |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified "vaultize_session_id" value in a cookie. | ||||
| CVE-2019-20209 | 1 Cththemes | 3 Citybook, Easybook, Townhub | 2024-08-05 | 7.5 High |
| The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing. | ||||
| CVE-2019-19946 | 1 Dradisframework | 1 Dradis | 2024-08-05 | 6.5 Medium |
| The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team. | ||||
| CVE-2019-19866 | 1 Atos | 1 Unify Openscape Uc Web Client | 2024-08-05 | 7.5 High |
| Atos Unify OpenScape UC Web Client V9 before version V9 R4.31.0 and V10 before version V10 R0.6.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs. | ||||
| CVE-2019-19616 | 1 Xtivia | 1 Web Time And Expense | 2024-08-05 | 4.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function. | ||||
| CVE-2019-19259 | 1 Gitlab | 1 Gitlab | 2024-08-05 | 4.3 Medium |
| GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR). | ||||
| CVE-2019-18998 | 1 Hitachienergy | 1 Asset Suite | 2024-08-05 | 7.1 High |
| Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly. | ||||
| CVE-2019-18626 | 1 Harriscomputer | 1 Ormed Mis | 2024-08-05 | 4.3 Medium |
| Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social security numbers, home addresses, and more. | ||||
| CVE-2019-17605 | 1 Eyecomms | 1 Eyecms | 2024-08-05 | 8.8 High |
| A mass assignment vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to take over another candidate's account (by also exploiting CVE-2019-17604) via a modified candidate id and an additional password parameter. The outcome is that the password of this other candidate is changed. | ||||
| CVE-2019-17604 | 1 Eyecomms | 1 Eyecms | 2024-08-05 | 4.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to change other candidates' personal information (first name, last name, email, CV, phone number, and all other personal information) by changing the value of the candidate id (the id parameter). | ||||
| CVE-2019-17574 | 1 Code-atlantic | 1 Popup Maker | 2024-08-05 | 9.1 Critical |
| An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file"). | ||||
| CVE-2019-17382 | 1 Zabbix | 1 Zabbix | 2024-08-05 | 9.1 Critical |
| An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. | ||||
| CVE-2019-17050 | 1 Thecontrolgroup | 1 Voyager | 2024-08-05 | 7.2 High |
| An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment. | ||||