Total
505 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | |||||
| CVE-2020-23449 | 1 Newbee-mall Project | 1 Newbee-mall | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| newbee-mall all versions are affected by incorrect access control to remotely gain privileges through NewBeeMallIndexConfigServiceImpl.java. Unauthorized changes can be made to any user information through the userID. | |||||
| CVE-2020-26175 | 1 Tangro | 1 Business Workflow | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users. | |||||
| CVE-2019-18626 | 1 Harriscomputer | 1 Ormed Mis | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social security numbers, home addresses, and more. | |||||
| CVE-2020-9468 | 1 Piwigo | 1 Piwigo | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter. | |||||
| CVE-2020-12643 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address. | |||||
| CVE-2020-23446 | 1 Verint | 1 Workforce Optimization | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API | |||||
| CVE-2020-13462 | 1 Tufin | 1 Securetrack | 2021-07-21 | 2.7 LOW | 5.7 MEDIUM |
| Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA. | |||||
| CVE-2020-11585 | 1 Dnnsoftware | 1 Dotnetnuke | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter. | |||||
| CVE-2020-11589 | 1 Cipplanner | 1 Cipace | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only. | |||||
| CVE-2020-20183 | 1 Zyxel | 2 P1302-t10 V3, P1302-t10 V3 Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure direct object reference vulnerability in Zyxel’s P1302-T10 v3 with firmware version 2.00(ABBX.3) and earlier allows attackers to gain privileges and access certain admin pages. | |||||
| CVE-2020-8791 | 1 Oklok Project | 1 Oklok | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary user IDs. Valid and current user IDs are trivial to guess because of the user ID assignment convention used by the app. A remote attacker could harvest email addresses, unsalted MD5 password hashes, owner-assigned lock names, and owner-assigned fingerprint names for any range of arbitrary user IDs. | |||||
| CVE-2020-27662 | 1 Glpi-project | 1 Glpi | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.). | |||||
| CVE-2020-4918 | 1 Ibm | 1 Cloud Pak System | 2021-07-21 | 2.1 LOW | 4.4 MEDIUM |
| IBM Cloud Pak System 2.3 could allow l local privileged user to disclose sensitive information due to an insecure direct object reference in sell service console for the Platform System Manager. IBM X-Force ID: 191392. | |||||
| CVE-2020-27663 | 1 Glpi-project | 1 Glpi | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.). | |||||
| CVE-2020-29446 | 1 Atlassian | 2 Crucible, Fisheye | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5. | |||||
| CVE-2019-14932 | 1 Humanica | 1 Humatrix 7 | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Recruitment module in Humanica Humatrix 7 1.0.0.681 and 1.0.0.203 allows remote attackers to access all candidates' information on the website via a modified selApp variable to personalData/resumeDetail.cfm. This includes personal information and other sensitive data. | |||||
| CVE-2020-35849 | 1 Mantisbt | 1 Mantisbt | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to potentially confidential information via the bugnote_id parameter. | |||||
| CVE-2020-26173 | 1 Tangro | 1 Business Workflow | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required. | |||||
| CVE-2019-19946 | 1 Dradisframework | 1 Dradis | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team. | |||||