Total: 834 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2021-37215 | 1 Larvata | 1 Flygo | 2024-11-21 | 4.3 Medium | The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, a remote attacker can manipulate the user data and then overwrite another employee’s user data by specifying that employee’s ID in the API parameter. |
| CVE-2021-37214 | 1 Larvata | 1 Flygo | 2024-11-21 | 8.8 High | The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrarily access employees' data, modify it, and then obtain administrator privileges and execute arbitrary commands. |
| CVE-2021-37213 | 1 Larvata | 1 Flygo | 2024-11-21 | 4.3 Medium | The check-in record page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID and date in specific parameters to access a particular employee’s check-in record. |
| CVE-2021-37212 | 1 Larvata | 1 Flygo | 2024-11-21 | 5.4 Medium | The bulletin function of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the bulletin ID in specific URL parameters to access and modify the content of a particular bulletin. |
| CVE-2021-37184 | 1 Siemens | 1 Industrial Edge Management | 2024-11-21 | 9.8 Critical | A vulnerability has been identified in Industrial Edge Management (all versions < V1.3). An unauthenticated attacker could change the password of any user in the system under certain circumstances. With this, an attacker could impersonate any valid user on an affected system. |
| CVE-2021-36801 | 1 Akaunting | 1 Akaunting | 2024-11-21 | 8.1 High | Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field companies[0]. This issue was fixed in version 2.1.13 of the product. |
| CVE-2021-36539 | 1 Instructure | 1 Canvas Learning Management Service | 2024-11-21 | 6.5 Medium | Instructure Canvas LMS did not properly deny access to locked/unpublished files when an unprivileged user accessed the DocViewer-based file preview URL (canvadoc_session_url). |
| CVE-2021-36389 | 1 Yellowfinbi | 1 Yellowfin | 2024-11-21 | 7.5 High | In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". |
| CVE-2021-36388 | 1 Yellowfinbi | 1 Yellowfin | 2024-11-21 | 7.5 High | In Yellowfin before 9.6.1 it is possible to enumerate and download users' profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". |
| CVE-2021-36387 | 1 Yellowfinbi | 1 Yellowfin | 2024-11-21 | 5.4 Medium | In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". |
| CVE-2021-36329 | 1 Dell | 1 Emc Streaming Data Platform | 2024-11-21 | 6.5 Medium | Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference vulnerability. A remote malicious user may potentially exploit this vulnerability to gain sensitive information. |
| CVE-2021-36032 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2024-11-21 | 8.3 High | Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation. |
| CVE-2021-35337 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2024-11-21 | 4.3 Medium | Sourcecodester Phone Shop Sales Management System 1.0 is vulnerable to Insecure Direct Object Reference (IDOR). Any attacker is able to see the invoices of other users by changing the id parameter. |
| CVE-2021-33981 | 1 Myfwc | 1 Fish \| Hunt Fl | 2024-11-21 | 4.3 Medium | An insecure direct object reference vulnerability in the hunting/fishing license retrieval function of the "Fish \| Hunt FL" iOS app versions 3.8.0 and earlier allows a remote authenticated attacker to retrieve other people's personal information and images of their hunting/fishing licenses. |
| CVE-2021-32744 | 1 Collabora | 1 Online | 2024-11-21 | 9.8 Critical | Collabora Online is a collaborative online office suite. In versions prior to 4.2.17-1 and 6.4.9-5, unauthenticated attackers are able to gain access to files which are currently opened by other users in the Collabora Online editor. For successful exploitation the attacker is required to guess the file identifier; the predictability of this file identifier depends on the external file-storage implementation (this is a potential "IDOR", Insecure Direct Object Reference, vulnerability). Versions 4.2.17-1 and 6.4.9-5 contain patches for this issue. There is no known workaround except updating the Collabora Online application to one of the patched releases. |
| CVE-2021-32654 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 8.1 High | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to obtain write/read privileges on any Federated File Share. Since public links can be added as federated file shares, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing. |
| CVE-2021-31970 | 1 Microsoft | 15 Windows 10, Windows 10 1507, Windows 10 1607 and 12 more | 2024-11-21 | 5.5 Medium | Windows TCP/IP Driver Security Feature Bypass Vulnerability |
| CVE-2021-31927 | 1 Annexcloud | 1 Loyalty Experience Platform | 2024-11-21 | 4.3 Medium | An Insecure Direct Object Reference (IDOR) vulnerability in Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify any existing user, including users assigned to different environments and clients. It was fixed in v2021.1.0.2. |
| CVE-2021-29773 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2024-11-21 | 5.4 Medium | IBM Security Guardium 10.6 and 11.3 could allow a remote authenticated attacker to obtain sensitive information or modify user details, caused by an insecure direct object reference (IDOR) vulnerability. IBM X-Force ID: 202865. |
| CVE-2021-28156 | 1 Hashicorp | 1 Consul | 2024-11-21 | 7.5 High | In HashiCorp Consul Enterprise versions 1.8.0 up to 1.9.4, the audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5 and 1.8.10. |