Total: 657 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-12866 | 1 Jetbrains | 1 Youtrack | 2024-08-04 | N/A | An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.
CVE-2019-12782 | 1 Thoughtspot | 1 Thoughtspot | 2024-08-04 | N/A | An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them.
CVE-2019-12742 | 1 Bludit | 1 Bludit | 2024-08-04 | N/A | Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of an Insecure Direct Object Reference in bl-kernel/admin/controllers/user-password.php (a modified username POST parameter).
CVE-2019-12252 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-08-04 | 6.5 Medium | In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.
CVE-2019-10108 | 1 Gitlab | 1 Gitlab | 2024-08-04 | N/A | An Incorrect Access Control (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. It allowed non-members of a private project/group to add and read labels.
CVE-2019-9938 | 1 Ushareit | 1 Shareit | 2024-08-04 | N/A | The SHAREit application before 4.0.42 for Android allows a remote attacker (on the same network or joining public "open" Wi-Fi hotspots created by the application when file transfer is initiated) to download arbitrary files from the device including contacts, photos, videos, sound clips, etc. The attacker must be authenticated as a "recognized device."
CVE-2019-9921 | 1 Harmistechnology | 1 Je Messenger | 2024-08-04 | 6.5 Medium | An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to read information that should only be accessible by a different user.
CVE-2019-9756 | 1 Gitlab | 1 Gitlab | 2024-08-04 | N/A | An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732.
CVE-2019-9219 | 1 Gitlab | 1 Gitlab | 2024-08-04 | N/A | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5).
CVE-2019-9170 | 1 Gitlab | 1 Gitlab | 2024-08-04 | N/A | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control.
CVE-2019-8235 | 1 Magento | 1 Magento | 2024-08-04 | 6.5 Medium | An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user-controlled input.
CVE-2019-7950 | 1 Magento | 1 Magento | 2024-08-04 | N/A | An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidential information.
CVE-2019-7925 | 1 Magento | 1 Magento | 2024-08-04 | N/A | An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloadable products folder.
CVE-2019-7872 | 1 Magento | 1 Magento | 2024-08-04 | N/A | An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorization checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing user details.
CVE-2019-7864 | 1 Magento | 1 Magento | 2024-08-04 | N/A | An insecure direct object reference (IDOR) vulnerability exists in the RSS feeds of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
CVE-2019-7890 | 1 Magento | 1 Magento | 2024-08-04 | N/A | An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
CVE-2019-7854 | 1 Magento | 1 Magento | 2024-08-04 | N/A | An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
CVE-2019-6716 | 1 Logonbox | 1 Nervepoint Access Manager | 2024-08-04 | N/A | An unauthenticated Insecure Direct Object Reference (IDOR) in Wicket Core in LogonBox Nervepoint Access Manager 2013 through 2017 allows a remote attacker to enumerate internal Active Directory usernames and group names, and alter back-end server jobs (backup and synchronization jobs), which could allow for the possibility of a Denial of Service attack via a modified jobId parameter in a runJob.html GET request.
CVE-2019-5966 | 1 Joruri | 1 Joruri Mail | 2024-08-04 | N/A | Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors.
CVE-2019-5466 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 4.3 Medium | An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge requests endpoint to disclose label names.