Total: 657 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-13998 | 1 Citrix | 1 Xenapp | 2024-08-04 | 5.3 Medium | Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only appears after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
CVE-2020-13923 | 1 Apache | 1 Ofbiz | 2024-08-04 | 5.3 Medium | IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04. |
CVE-2020-13700 | 1 Acf To Rest Api Project | 1 Acf To Rest Api | 2024-08-04 | 7.5 High | An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalink manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values. |
CVE-2020-13462 | 1 Tufin | 1 Securetrack | 2024-08-04 | 5.7 Medium | Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA. |
CVE-2020-13357 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 4.3 Medium | An issue was discovered in GitLab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 that allowed an unauthorized user to access the user list corresponding to a feature flag in a project. |
CVE-2020-12643 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-08-04 | 4.3 Medium | OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address. |
CVE-2020-11658 | 1 Broadcom | 1 Ca Api Developer Portal | 2024-08-04 | 9.8 Critical | CA API Developer Portal 4.3.1 and earlier handles shared secret keys in an insecure manner, which allows attackers to bypass authorization. |
CVE-2020-11659 | 1 Broadcom | 1 Ca Api Developer Portal | 2024-08-04 | 4.3 Medium | CA API Developer Portal 4.3.1 and earlier contains an access control flaw that allows privileged users to perform a restricted user administration action. |
CVE-2020-11589 | 1 Cipplanner | 1 Cipace | 2024-08-04 | 7.5 High | An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only. |
CVE-2020-11585 | 1 Dnnsoftware | 1 Dotnetnuke | 2024-08-04 | 4.3 Medium | There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter. |
CVE-2020-11009 | 1 Pagerduty | 1 Rundeck | 2024-08-04 | 6.5 Medium | In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything from a high-severity risk to a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher. This vulnerability is patched in version 3.2.6. |
CVE-2020-9384 | 1 Subex | 1 Roc Partner Settlement | 2024-08-04 | 8.8 High | An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters. NOTE: This vulnerability may only affect a testing version of the application. |
CVE-2020-10779 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-08-04 | 6.5 Medium | Red Hat CloudForms 4.7 and 5 are subject to insecure direct object references (IDOR) and a functional-level access control bypass due to a missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within CloudForms. |
CVE-2020-9468 | 1 Piwigo | 1 Piwigo | 2024-08-04 | 4.3 Medium | The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter. |
CVE-2020-8791 | 1 Oklok Project | 1 Oklok | 2024-08-04 | 6.5 Medium | The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary user IDs. Valid and current user IDs are trivial to guess because of the user ID assignment convention used by the app. A remote attacker could harvest email addresses, unsalted MD5 password hashes, owner-assigned lock names, and owner-assigned fingerprint names for any range of arbitrary user IDs. |
CVE-2020-8503 | 1 Biscom | 1 Secure File Transfer | 2024-08-04 | 6.5 Medium | Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004. |
CVE-2020-8297 | 1 Nextcloud | 1 Deck | 2024-08-04 | 4.3 Medium | Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previously deleted user. |
CVE-2020-8235 | 1 Nextcloud | 1 Deck | 2024-08-04 | 4.3 Medium | Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments. |
CVE-2020-8154 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-04 | 7.7 High | An insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remotely wipe devices of other users when sending a malicious request directly to the endpoint. |
CVE-2020-7918 | 1 Totemo | 1 Totemomail | 2024-08-04 | 5.4 Medium | An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration. |