Total: 505 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-44160 | 1 Cth | 1 Carinal Tien Hospital Health Report System | 2022-08-09 | 7.5 HIGH | 7.3 HIGH | Carinal Tien Hospital Health Report System's login page has improper authentication; a remote attacker can acquire another general user's privilege by modifying the cookie parameter without authentication. The attacker can then perform limited operations on the system or modify data, making the service partially unavailable to the user. |
| CVE-2021-21013 | 1 Adobe | 1 Magento | 2022-08-05 | 5.5 MEDIUM | 8.1 HIGH | Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) vulnerability in the customer API module. Successful exploitation could lead to sensitive information disclosure and the update of arbitrary information on another user's account. |
| CVE-2021-3992 | 1 Kimai2 Project | 1 Kimai2 | 2022-08-05 | 4.0 MEDIUM | 6.5 MEDIUM | kimai2 is vulnerable to Improper Access Control. |
| CVE-2022-1600 | 1 Yop-poll | 1 Yop Poll | 2022-08-04 | N/A | 5.3 MEDIUM | The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations. |
| CVE-2022-33944 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 6.5 MEDIUM | The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on an endpoint and POST parameter "Device ID," which accepts arbitrary device IDs. |
| CVE-2022-34150 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 5.4 MEDIUM | The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on an endpoint and parameter for device IDs, which accepts arbitrary device IDs without further verification. |
| CVE-2022-1881 | 1 Octopus | 1 Octopus Server | 2022-07-27 | N/A | 5.3 MEDIUM | In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space. |
| CVE-2022-2193 | 1 Hypr | 1 Hypr Server | 2022-07-27 | N/A | 8.8 HIGH | Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1. |
| CVE-2021-24655 | 1 Wpusermanager | 1 Wp User Manager | 2022-07-18 | 6.0 MEDIUM | 7.5 HIGH | The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID whose password is being reset is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account. |
| CVE-2022-30852 | 1 Withknown | 1 Known | 2022-07-15 | 4.0 MEDIUM | 4.3 MEDIUM | Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR). |
| CVE-2022-23173 | 1 Priority-software | 1 Priority | 2022-07-14 | 6.5 MEDIUM | 6.3 MEDIUM | This vulnerability affects users who are not even allowed access via the web interface. First, the attacker needs to access the "Login menu - demo site"; in this menu they can see all the functionality of the application. If the attacker tries to click on one of the links, they get a response that they are not authorized because they need to log in with credentials. After logging in to the system, there are some functionalities that the specific user is not allowed to perform because they were configured with low privileges; however, all the attacker needs to do to achieve their goal is to change the value of the prog step parameter from 0 to 1 or more, after which the attacker can access some of the web application's functionality that they could not perform before the parameter was changed. |
| CVE-2022-31883 | 1 Marvalglobal | 1 Marval Msm | 2022-07-14 | 4.0 MEDIUM | 8.8 HIGH | Marval MSM v14.19.0.12476 has an Insecure Direct Object Reference (IDOR) vulnerability. A low-privilege user is able to see other users' API keys, including the admins' API keys. |
| CVE-2021-37331 | 1 Bookingcore | 1 Booking Core | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM | Laravel Booking System Booking Core 2.0 is vulnerable to Incorrect Access Control. On the Verifications page, after uploading an ID Card or Trade License and viewing it, ID Cards and Trade Licenses of other vendors/users can be viewed by changing the URL. |
| CVE-2020-26679 | 1 Vfairs | 1 Vfairs | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM | vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other user's profile information or profile picture. After obtaining any user's unique identification number and their own, an HTTP POST request can be made to update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or the upload of malicious PHP webshells as "profile pictures." The user IDs can be easily determined from other responses from the API for an event or chat room. |
| CVE-2021-46249 | 1 Scratchoauth2 Project | 1 Scratchoauth2 | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM | An authorization bypass exploited by a user-controlled key in the SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps. |
| CVE-2021-39934 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM | Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. |
| CVE-2021-41847 | 1 3xlogic | 1 Infinias Access Control | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software. |
| CVE-2021-38362 | 1 Rsa | 1 Archer | 2022-07-12 | 4.0 MEDIUM | 6.5 MEDIUM | In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data. |
| CVE-2021-41608 | 1 Classapps | 1 Selectsurvey.net | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH | A file disclosure vulnerability in the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve survey user-submitted data by modifying the value of the ID parameter in sequential order beginning from 1. |
| CVE-2021-39916 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.0 MEDIUM | 4.3 MEDIUM | Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. |
