Total
319 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43492 | 1 Gvectors | 1 Wpdiscuz | 2022-11-22 | N/A | 8.8 HIGH |
| Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress. | |||||
| CVE-2022-44005 | 1 Backclick | 1 Backclick | 2022-11-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail addresses. Furthermore, it is possible to subscribe and verify other persons' e-mail addresses to newsletters without their consent. | |||||
| CVE-2022-42129 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2022-11-18 | N/A | 4.3 MEDIUM |
| An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter. | |||||
| CVE-2022-0731 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2022-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. | |||||
| CVE-2021-24739 | 1 Shapedplugin | 1 Logo Carousel | 2022-11-09 | 5.5 MEDIUM | 8.1 HIGH |
| The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature | |||||
| CVE-2022-40206 | 1 Gvectors | 1 Wpforo Forum | 2022-11-09 | N/A | 4.3 MEDIUM |
| Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public. | |||||
| CVE-2022-40205 | 1 Gvectors | 1 Wpforo Forum | 2022-11-09 | N/A | 4.3 MEDIUM |
| Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved. | |||||
| CVE-2021-36906 | 1 Expresstech | 1 Quiz And Survey Master | 2022-11-04 | N/A | 8.8 HIGH |
| Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin <= 7.3.6 on WordPress. | |||||
| CVE-2022-39945 | 1 Fortinet | 1 Fortimail | 2022-11-03 | N/A | 6.5 MEDIUM |
| An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR). | |||||
| CVE-2021-3813 | 1 Chatwoot | 1 Chatwoot | 2022-10-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2. | |||||
| CVE-2021-32654 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-26 | 6.4 MEDIUM | 9.1 CRITICAL |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing. | |||||
| CVE-2021-22906 | 1 Nextcloud | 1 End-to-end Encryption | 2022-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Nextcloud End-to-End Encryption before 1.5.3, 1.6.3 and 1.7.1 suffers from a denial of service vulnerability due to permitting any authenticated users to lock files of other users. | |||||
| CVE-2021-24318 | 1 Purethemes | 1 Listeo | 2022-10-25 | 5.5 MEDIUM | 6.5 MEDIUM |
| The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector. | |||||
| CVE-2021-36032 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2022-10-24 | 6.5 MEDIUM | 8.8 HIGH |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation. | |||||
| CVE-2022-36966 | 1 Solarwinds | 1 Orion Platform | 2022-10-21 | N/A | 5.4 MEDIUM |
| Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous. | |||||
| CVE-2022-33077 | 1 Nopcommerce | 1 Nopcommerce | 2022-10-20 | N/A | 7.5 HIGH |
| An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint. | |||||
| CVE-2022-41479 | 1 Devexpress | 1 Asp.net Web Forms Controls | 2022-10-20 | N/A | 7.5 HIGH |
| The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. | |||||
| CVE-2022-3282 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2022-10-20 | N/A | 4.3 MEDIUM |
| The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. | |||||
| CVE-2022-3331 | 1 Gitlab | 1 Gitlab | 2022-10-20 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues. | |||||
| CVE-2022-42067 | 1 Online Birth Certificate Management System Project | 1 Online Birth Certificate Management System | 2022-10-17 | N/A | 4.3 MEDIUM |
| Online Birth Certificate Management System version 1.0 suffers from an Insecure Direct Object Reference (IDOR) vulnerability | |||||