Total
653 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5619 | 1 Apinizer | 1 Apinizer | 2024-08-01 | 9.6 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Apinizer Management Console: before 2024.05.1. | ||||
| CVE-2024-5438 | 1 Themeum | 1 Tutor Lms | 2024-08-01 | 4.3 Medium |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts. | ||||
| CVE-2024-5166 | 2024-08-01 | 6.5 Medium | ||
| An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model. | ||||
| CVE-2024-4886 | 1 Buddyboss | 1 Buddyboss Platform | 2024-08-01 | 4.3 Medium |
| The contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request | ||||
| CVE-2024-4874 | 1 Bricksbuilder | 1 Bricks | 2024-08-01 | 4.3 Medium |
| The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify posts and pages created by other users including admins. As a requirement for this, an admin would have to enable access to the editor specifically for such a user or enable it for all users with a certain user account type. | ||||
| CVE-2024-4843 | 2024-08-01 | 4.3 Medium | ||
| ePO doesn't allow a regular privileged user to delete tasks or assignments. Insecure direct object references that allow a least privileged user to manipulate the client task and client task assignments, hence escalating his/her privilege. | ||||
| CVE-2024-4537 | 2024-08-01 | 7.5 High | ||
| IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain the download URL of another user to obtain the purchased ticket. | ||||
| CVE-2024-4538 | 2024-08-01 | 7.5 High | ||
| IDOR vulnerability in Janto Ticketing Software affecting version 4.3r10. This vulnerability could allow a remote user to obtain a user's event ticket by creating a specific request with the ticket reference ID, leading to the exposure of sensitive user data. | ||||
| CVE-2024-1470 | 2024-08-01 | 7.1 High | ||
| Authorization Bypass Through User-Controlled Key vulnerability in NetIQ (OpenText) Client Login Extension on Windows allows Privilege Escalation, Code Injection.This issue only affects NetIQ Client Login Extension: 4.6. | ||||
| CVE-2024-1313 | 1 Redhat | 1 Enterprise Linux | 2024-08-01 | 6.5 Medium |
| It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. | ||||
| CVE-2024-0580 | 1 Idmsistemas | 1 Sinergia | 2024-08-01 | 6.5 Medium |
| Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc. | ||||
| CVE-2024-0366 | 1 Squirrly | 1 Starbox | 2024-08-01 | 4.3 Medium |
| The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings. | ||||
| CVE-2024-0264 | 1 Oretnom23 | 1 Clinic Queuing System | 2024-08-01 | 7.3 High |
| A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation of the argument formToken leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249820. | ||||