Total
653 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1107 | 1 Talyabilisim | 1 Travel Apps | 2024-09-16 | 8.8 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel APPS: before v17.0.68. | ||||
| CVE-2017-15211 | 1 Kanboard | 1 Kanboard | 2024-09-16 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. | ||||
| CVE-2023-49812 | 1 Wppa | 1 Wp Photo Album Plus | 2024-09-16 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005. | ||||
| CVE-2023-43668 | 1 Apache | 1 Inlong | 2024-09-16 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... . Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8604 | ||||
| CVE-2017-15201 | 1 Kanboard | 1 Kanboard | 2024-09-16 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user. | ||||
| CVE-2022-36284 | 1 Storeapps | 1 Affiliate For Woocommerce | 2024-09-16 | 6.4 Medium |
| Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page. | ||||
| CVE-2022-0732 | 1 1byte | 9 Copy9, Exactspy, Fonetracker and 6 more | 2024-09-16 | 7.5 High |
| The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. | ||||
| CVE-2021-21022 | 1 Magento | 1 Magento | 2024-09-16 | 5.3 Medium |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources. | ||||
| CVE-2021-21012 | 1 Adobe | 2 Magento Commerce, Magento Open Source | 2024-09-16 | N/A |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure. | ||||
| CVE-2022-29434 | 1 Spiffyplugins | 1 Spiffy Calendar | 2024-09-16 | 6.3 Medium |
| Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events. | ||||
| CVE-2020-36231 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-09-16 | 4.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2. | ||||
| CVE-2021-41301 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2024-09-16 | 9.8 Critical |
| ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access. | ||||
| CVE-2017-15207 | 1 Kanboard | 1 Kanboard | 2024-09-16 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user. | ||||
| CVE-2017-15196 | 1 Kanboard | 1 Kanboard | 2024-09-16 | N/A |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user. | ||||
| CVE-2022-22331 | 1 Ibm | 1 Partner Engagement Manager | 2024-09-16 | 7.1 High |
| IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 219130. | ||||
| CVE-2021-36801 | 1 Akaunting | 1 Akaunting | 2024-09-16 | 8.1 High |
| Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, companies[0]. This issue was fixed in version 2.1.13 of the product. | ||||
| CVE-2023-38201 | 3 Fedoraproject, Keylime, Redhat | 9 Fedora, Keylime, Enterprise Linux and 6 more | 2024-09-16 | 6.5 Medium |
| A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database. | ||||
| CVE-2024-25270 | 1 Mirapolis | 1 Lms | 2024-09-13 | 4.3 Medium |
| An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data. | ||||
| CVE-2024-8158 | 1 9front | 2 9front, Lib9p | 2024-09-12 | 6.5 Medium |
| A bug in the 9p authentication implementation within lib9p allows an attacker with an existing valid user within the configured auth server to impersonate any other valid filesystem user. This is due to lib9p not properly verifying that the uname given in the Tauth and Tattach 9p messages matches the client UID returned from the factotum authentication handshake. The only filesystem making use of these functions within the base 9front systems is the experimental hjfs disk filesystem, other disk filesystems (cwfs and gefs) are not affected by this bug. This bug was inherited from Plan 9 and is present in all versions of 9front and is remedied fully in commit 9645ae07eb66a59015e3e118d0024790c37400da. | ||||
| CVE-2022-24400 | 1 Midnightblue | 1 Tetra\ | 2024-09-12 | 7.5 High |
| A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero. | ||||