Total: 655 CVEs

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-29159 | 1 Nextcloud | 1 Deck | 2024-08-03 | 5 Medium | Nextcloud Deck is a Kanban-style project and personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no currently known workarounds.
CVE-2022-28986 | 1 Lmsdoctor | 1 2 Factor Authentication | 2024-08-03 | 7.5 High | LMS Doctor Simple 2 Factor Authentication Plugin for Moodle (affected: 2021072900) has an Insecure Direct Object Reference (IDOR) vulnerability, which allows remote attackers to update sensitive records such as the email, password and phone number of other user accounts.
CVE-2022-29008 | 1 Phpgurukul | 1 Bus Pass Management System | 2024-08-03 | 6.5 Medium | An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information.
CVE-2022-27247 | 1 Cdsoft | 1 Winhotel.mx | 2024-08-03 | 5.3 Medium | onlinetools in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer (e.g., date of birth, full address, mail information, and phone number) via a GastKont Insecure Direct Object Reference.
CVE-2022-27108 | 1 Orangehrm | 1 Orangehrm | 2024-08-03 | 4.3 Medium | OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint symfony/web/index.php/time/createTimesheet. Any user can create a timesheet in another user's account.
CVE-2022-26665 | 1 Tylertech | 1 Odyssey Portal | 2024-08-03 | 7.5 High | An Insecure Direct Object Reference issue exists in the Tyler Odyssey Portal platform before 17.1.20. This may allow an external party to access sensitive case records.
CVE-2022-26254 | 1 Wowonder | 1 Wowonder | 2024-08-03 | 5.3 Medium | WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names.
CVE-2022-25471 | 1 Open-emr | 1 Openemr | 2024-08-03 | 8.1 High | An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.
CVE-2022-25336 | 1 Ibexa | 1 Ez Platform Kernel | 2024-08-03 | 5.3 Medium | Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.
CVE-2022-24979 | 1 Mittwald | 1 Varnishcache | 2024-08-03 | 5.3 Medium | An issue was discovered in the Varnishcache extension before 2.0.1 for TYPO3. The Edge Side Includes (ESI) content element renderer component does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct object reference (IDOR), with the potential of exposing internal content elements.
CVE-2022-24401 | 1 Midnightblue | 1 Tetra | 2024-08-03 | 8.8 High | Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator. IV generation is based upon several TDMA frame counters, which are frequently broadcast by the infrastructure in an unauthenticated manner. An active adversary can manipulate the view of these counters in a mobile station, provoking keystream re-use. By sending crafted messages to the MS and analyzing MS responses, keystream for arbitrary frames can be recovered.
CVE-2022-24187 | 1 Sz-fujia | 1 Ourphoto | 2024-08-03 | 7.5 High | The user_id and device_id on the Ourphoto App version 1.4.1 /device/* endpoints both suffer from insecure direct object reference vulnerabilities. Other end users' user_id and device_id values can be enumerated by incrementing or decrementing id numbers. This vulnerability allows an attacker to discover sensitive information such as end-user email addresses and the unique frame_token value of all other Ourphoto App end users.
CVE-2022-23856 | 1 Saviynt | 1 Enterprise Identity Cloud | 2024-08-03 | 5.3 Medium | An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An attacker can enumerate users by changing the id parameter, such as for the ECM/maintenance/forgotpasswordstep1 URI.
CVE-2022-22828 | 1 Synametrics | 1 Synaman | 2024-08-03 | 7.5 High | An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.
CVE-2022-22832 | 1 Servisnet | 1 Tessa | 2024-08-03 | 9.8 Critical | An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/users/ request.
CVE-2022-21713 | 4 Fedoraproject, Grafana, Netapp and 1 more | 4 Fedora, Grafana, E-series Performance Analyzer and 1 more | 2024-08-03 | 4.3 Medium | Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` allows an authenticated attacker to view unintended data by querying for the specific team ID; `/teams/:search` allows an authenticated attacker to search for teams and see the total number of available teams, including those the user does not have access to; and via `/teams/:teamId/members`, when the editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CVE-2022-4811 | 1 Usememos | 1 Memos | 2024-08-03 | 8.3 High | Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos. This issue affects usememos/memos before 0.9.1.
CVE-2022-4803 | 1 Usememos | 1 Memos | 2024-08-03 | 8.8 High | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-4799 | 1 Usememos | 1 Memos | 2024-08-03 | 6.5 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
CVE-2022-4812 | 1 Usememos | 1 Memos | 2024-08-03 | 6.5 Medium | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.