Total
833 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2844 | 1 Fit2cloud | 1 Cloudexplorer Lite | 2025-02-12 | 4.9 Medium |
| Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. | ||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2025-02-12 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. | ||||
| CVE-2023-6897 | 1 Wpfactory | 1 Ean For Woocommerce | 2025-02-11 | 4.3 Medium |
| The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the the 'alg_wc_ean_product_meta' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata. | ||||
| CVE-2024-43322 | 1 Zephyr-one | 1 Zephyr Project Manager | 2025-02-11 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100. | ||||
| CVE-2023-1417 | 1 Gitlab | 1 Gitlab | 2025-02-11 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group. | ||||
| CVE-2024-6410 | 1 Metagauss | 1 Profilegrid | 2025-02-10 | 4.3 Medium |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.8.9 via the 'pm_upload_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the profile picture of any user. | ||||
| CVE-2024-32683 | 1 Wpmet | 1 Wp Ultimate Review | 2025-02-09 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Wpmet Wp Ultimate Review.This issue affects Wp Ultimate Review: from n/a through 2.2.5. | ||||
| CVE-2023-6969 | 1 Kylebjohnson | 1 User Shortcodes Plus | 2025-02-07 | 5.3 Medium |
| The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive user meta. | ||||
| CVE-2023-6317 | 1 Lg | 5 Lg43um7000pla, Oled48c1pub, Oled55a23la and 2 more | 2025-02-07 | 7.2 High |
| A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN. Full versions and TV models affected: webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA webOS 5.5.0 - 04.50.51 running on OLED55CXPUA webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA | ||||
| CVE-2022-45175 | 1 Liveboxcloud | 1 Vdesk | 2025-02-07 | 6.5 Medium |
| An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file. | ||||
| CVE-2018-17449 | 1 Gitlab | 1 Gitlab | 2025-02-07 | 7.5 High |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Remote attackers could obtain sensitive information about issues, comments, and project titles via events API insecure direct object reference. | ||||
| CVE-2024-13841 | 2025-02-07 | 4.3 Medium | ||
| The Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via the 'bse-elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created with Elementor that they should not have access to. | ||||
| CVE-2024-13457 | 1 Liquidweb | 1 Event Tickets | 2025-02-07 | 5.3 Medium |
| The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date. | ||||
| CVE-2024-39033 | 2025-02-06 | 7.5 High | ||
| In Newgensoft OmniDocs 11.0_SP1_03_006, Insecure Direct Object Reference (IDOR) in the getuserproperty function allows user's configuration and PII to be stolen. | ||||
| CVE-2018-17455 | 1 Gitlab | 1 Gitlab | 2025-02-06 | 7.5 High |
| An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals" feature. | ||||
| CVE-2023-45808 | 1 Combodo | 1 Itop | 2025-02-06 | 4.1 Medium |
| iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0. | ||||
| CVE-2022-48313 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-06 | 6.5 Medium |
| The Bluetooth module has a vulnerability of bypassing the user confirmation in the pairing process. Successful exploitation of this vulnerability may affect confidentiality. | ||||
| CVE-2024-43288 | 1 Gvectors | 1 Wpforo Forum | 2025-02-06 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4. | ||||
| CVE-2024-33542 | 2025-02-05 | 4.3 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5. | ||||
| CVE-2024-12132 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-05 | 4.3 Medium |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker. | ||||