Total
934 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-0580 | 1 Idmsistemas | 1 Sinergia | 2025-06-02 | 6.5 Medium |
| Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc. | ||||
| CVE-2018-10211 | 1 Vaultize | 1 Enterprise File Sharing | 2025-05-30 | N/A |
| An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified "vaultize_session_id" value in a cookie. | ||||
| CVE-2023-7199 | 1 Relevanssi | 1 Relevanssi | 2025-05-29 | 5.3 Medium |
| The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request | ||||
| CVE-2025-40650 | 2025-05-28 | N/A | ||
| Insecure Direct Object Reference (IDOR) vulnerability in Clickedu. This vulnerability could allow an attacker to retrieve information about student report cards. | ||||
| CVE-2025-25777 | 1 Codeastro | 1 Bus Ticket Booking System | 2025-05-28 | 8 High |
| Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another user's profile without proper authentication or authorization checks. | ||||
| CVE-2022-40186 | 2 Hashicorp, Redhat | 2 Vault, Openshift Data Foundation | 2025-05-27 | 9.1 Critical |
| An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault. | ||||
| CVE-2024-43239 | 1 Masteriyo | 1 Masteriyo | 2025-05-27 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4. | ||||
| CVE-2024-22305 | 1 Kaliforms | 1 Kali Forms | 2025-05-23 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms.This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36. | ||||
| CVE-2022-1613 | 1 10up | 1 Restricted Site Access | 2025-05-21 | 5.3 Medium |
| The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations. | ||||
| CVE-2024-6534 | 1 Monospace | 1 Directus | 2025-05-19 | 4.3 Medium |
| Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover. | ||||
| CVE-2023-28656 | 2 F5, Netapp | 5 Nginx Api Connectivity Manager, Nginx Instance Manager, Nginx Security Monitoring and 2 more | 2025-05-19 | 8.1 High |
| NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2025-4119 | 1 Weitong | 1 Mall | 2025-05-16 | 5.3 Medium |
| A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3769 | 2025-05-16 | 5.3 Medium | ||
| The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses. | ||||
| CVE-2024-8988 | 2025-05-16 | 5.3 Medium | ||
| The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information. | ||||
| CVE-2024-42169 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | 7.1 High |
| HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data. | ||||
| CVE-2023-6724 | 1 Simgesel | 1 Hearing Tracking System | 2025-05-15 | 8.8 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse.This issue affects Hearing Tracking System: before for IOS 7.0, for Android Latest release 1.0. | ||||
| CVE-2022-41479 | 1 Devexpress | 1 Asp.net Web Forms Controls | 2025-05-15 | 7.5 High |
| The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach). | ||||
| CVE-2022-2828 | 1 Octopus | 1 Octopus Server | 2025-05-15 | 6.5 Medium |
| In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability | ||||
| CVE-2025-1607 | 1 Mayurik | 1 Best Employee Management System | 2025-05-14 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in SourceCodester Best Employee Management System 1.0. This issue affects some unknown processing of the file /admin/salary_slip.php. The manipulation of the argument id leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-3331 | 1 Gitlab | 1 Gitlab | 2025-05-14 | 3.5 Low |
| An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues. | ||||