Total
755 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17455 | 1 Gitlab | 1 Gitlab | 2025-02-06 | N/A | 7.5 HIGH |
| An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature. | |||||
| CVE-2023-45808 | 1 Combodo | 1 Itop | 2025-02-06 | N/A | 5.4 MEDIUM |
| iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0. | |||||
| CVE-2024-43288 | 1 Gvectors | 1 Wpforo Forum | 2025-02-06 | N/A | 8.1 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4. | |||||
| CVE-2024-12132 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 4.3 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker. | |||||
| CVE-2024-12131 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 4.3 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs. | |||||
| CVE-2024-13372 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 5.3 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the getresumefiledownloadbyid() and getallresumefiles() functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download users resumes without the appropriate authorization to do so. | |||||
| CVE-2024-13425 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 4.3 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the enforcedelete() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Employer-level access and above, to delete other users companies. | |||||
| CVE-2024-13428 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 5.3 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the deleteCompanyLogo() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary company logos. | |||||
| CVE-2024-13429 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 4.3 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the 'jobenforcedelete' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with employer-level access and above, to delete arbitrary | |||||
| CVE-2024-43266 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in WP Job Portal.This issue affects WP Job Portal: from n/a through 2.1.6. | |||||
| CVE-2024-10696 | 1 Codeastrology | 1 Ultraaddons | 2025-02-05 | N/A | 4.3 MEDIUM |
| The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts. | |||||
| CVE-2024-13694 | 1 Moreconvert | 1 Woocommerce Wishlist | 2025-02-04 | N/A | 7.5 HIGH |
| The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to. | |||||
| CVE-2024-49388 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2025-02-04 | N/A | 9.1 CRITICAL |
| Sensitive information manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690. | |||||
| CVE-2024-12046 | 2025-02-04 | N/A | 4.3 MEDIUM | ||
| The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts. | |||||
| CVE-2024-13607 | 2025-02-04 | N/A | 4.3 MEDIUM | ||
| The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user. | |||||
| CVE-2025-22695 | 2025-02-03 | N/A | N/A | ||
| Authorization Bypass Through User-Controlled Key vulnerability in NirWp Team Nirweb support. This issue affects Nirweb support: from n/a through 3.0.3. | |||||
| CVE-2024-4154 | 1 Lunary | 1 Lunary | 2025-01-31 | N/A | 6.5 MEDIUM |
| In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources. | |||||
| CVE-2024-1626 | 1 Lunary | 1 Lunary | 2025-01-31 | N/A | 8.1 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects. | |||||
| CVE-2024-4151 | 1 Lunary | 1 Lunary | 2025-01-31 | N/A | 8.1 HIGH |
| An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues. | |||||
| CVE-2024-1625 | 1 Lunary | 1 Lunary | 2025-01-30 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route. | |||||