Total: 755 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-38048 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH | A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38047 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH | A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38052 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH | A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38049 | 1 Easyappointments | 1 Easyappointments | 2024-08-26 | N/A | 8.1 HIGH | A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2024-6357 | 1 Opentext | 1 Arcsight Intelligence | 2024-08-19 | N/A | 8.8 HIGH | Insecure Direct Object Reference vulnerability identified in OpenText ArcSight Intelligence.
CVE-2024-43350 | | | 2024-08-19 | N/A | N/A | Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM. This issue affects Propovoice CRM: from n/a through 1.7.6.4.
CVE-2024-43315 | | | 2024-08-19 | N/A | N/A | Authorization Bypass Through User-Controlled Key vulnerability in Checkout Plugins Stripe Payments For WooCommerce by Checkout. This issue affects Stripe Payments For WooCommerce by Checkout: from n/a through 1.9.1.
CVE-2024-38701 | 1 Kodezen | 1 Academy Lms | 2024-08-14 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS. This issue affects Academy LMS: from n/a through 2.0.4.
CVE-2024-39642 | | | 2024-08-13 | N/A | N/A | Authorization Bypass Through User-Controlled Key vulnerability in ThimPress LearnPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LearnPress: from n/a through 4.2.6.8.2.
CVE-2024-37889 | 1 Treyww | 1 Myfinances | 2024-08-08 | N/A | 6.5 MEDIUM | MyFinances is a web application for managing finances. MyFinances has a way to access other customer invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6.
CVE-2018-20405 | 1 Bigtreecms | 1 Bigtree | 2024-08-05 | 4.0 MEDIUM | 2.7 LOW | BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error. NOTE: This has been disputed with the following reasoning: "The issue reported requires full developer level access to the content management system where cross site scripting is not an issue -- you already have full control of the CMS including running arbitrary PHP.
CVE-2020-9384 | 1 Subex | 1 Roc Partner Settlement | 2024-08-04 | 6.5 MEDIUM | 8.8 HIGH | An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters. NOTE: This vulnerability may only affect a testing version of the application.
CVE-2022-32277 | 1 Squiz | 1 Matrix | 2024-08-03 | N/A | 5.3 MEDIUM | Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details. NOTE: this is disputed by both the vendor and the original discoverer because it is a site-specific finding, not a finding about the Squiz Matrix CMS product.
CVE-2023-4587 | 1 Zkteco | 2 Zem800, Zem800 Firmware | 2024-08-02 | N/A | 5.5 MEDIUM | An IDOR vulnerability has been found in the ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.
CVE-2024-31095 | | | 2024-08-01 | N/A | N/A | Authorization Bypass Through User-Controlled Key vulnerability in Ricard Torres Thumbs Rating. This issue affects Thumbs Rating: from n/a through 5.1.0.
CVE-2024-31898 | 1 Ibm | 1 Infosphere Information Server | 2024-07-31 | N/A | 5.4 MEDIUM | IBM InfoSphere Information Server 11.7 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references. IBM X-Force ID: 288182.
CVE-2024-5977 | 1 Givewp | 1 Givewp | 2024-07-19 | N/A | 5.4 MEDIUM | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.13.0 via the 'handleRequest' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to delete and update arbitrary posts.
CVE-2024-5619 | | | 2024-07-19 | N/A | 9.6 CRITICAL | Authorization Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apinizer Management Console: before 2024.05.1.
CVE-2024-5942 | 1 Carlosfazenda | 1 Page And Post Clone | 2024-07-09 | N/A | 5.4 MEDIUM | The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to clone and read private posts.
CVE-2023-28334 | 1 Moodle | 1 Moodle | 2024-07-08 | N/A | 4.3 MEDIUM | Authenticated users were able to enumerate other users' names via the learning plans page.