Total
319 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20599 | 1 Mitsubishielectric | 16 R08psfcpu, R08psfcpu Firmware, R08sfcpu and 13 more | 2022-10-14 | 5.0 MEDIUM | 7.5 HIGH |
| Cleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU all versions allows a remote unauthenticated attacker to login to a target CPU module by obtaining credentials other than password. | |||||
| CVE-2022-2828 | 1 Octopus | 1 Octopus Server | 2022-10-14 | N/A | 6.5 MEDIUM |
| In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability | |||||
| CVE-2021-21255 | 1 Glpi-project | 1 Glpi | 2022-10-14 | 3.5 LOW | 5.7 MEDIUM |
| GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4. | |||||
| CVE-2022-29008 | 1 Bus Pass Management System Project | 1 Bus Pass Management System | 2022-10-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information. | |||||
| CVE-2021-36865 | 1 Quizandsurveymaster | 1 Quiz And Survey Master | 2022-10-04 | N/A | 4.3 MEDIUM |
| Insecure direct object references (IDOR) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 at WordPress allows attackers to change the content of the quiz. | |||||
| CVE-2022-1613 | 1 10up | 1 Restricted Site Access | 2022-09-28 | N/A | 5.3 MEDIUM |
| The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations. | |||||
| CVE-2022-1580 | 1 Freehtmldesigns | 1 Site Offline | 2022-09-21 | N/A | 4.3 MEDIUM |
| The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature. | |||||
| CVE-2022-2913 | 1 Login No Captcha Recaptcha Project | 1 Login No Captcha Recaptcha | 2022-09-20 | N/A | 4.3 MEDIUM |
| The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. | |||||
| CVE-2022-38789 | 1 Airties | 6 Air 4920, Air 4920 Firmware, Air 4921 and 3 more | 2022-09-20 | N/A | 9.1 CRITICAL |
| An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference. | |||||
| CVE-2022-2877 | 1 Cm-wp | 1 Titan Anti-spam \& Security | 2022-09-20 | N/A | 5.3 MEDIUM |
| The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. | |||||
| CVE-2022-36539 | 1 Eigen\&wijzer Ouderapp Project | 1 Eigen\&wijzer Ouderapp | 2022-09-12 | N/A | 7.5 HIGH |
| WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children. | |||||
| CVE-2022-26665 | 1 Tylertech | 1 Odyssey Portal | 2022-09-02 | 5.0 MEDIUM | 7.5 HIGH |
| An Insecure Direct Object Reference issue exists in the Tyler Odyssey Portal platform before 17.1.20. This may allow an external party to access sensitive case records. | |||||
| CVE-2022-3019 | 1 Tooljet | 1 Tooljet | 2022-09-01 | N/A | 8.8 HIGH |
| The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it would take a long time to find a valid one). | |||||
| CVE-2022-34769 | 1 Rashim | 1 Michlol | 2022-09-01 | N/A | 5.5 MEDIUM |
| PROSCEND - PROSCEND / ADVICE .Ltd - G/5G Industrial Cellular Router (with GPS)4 Unauthenticated OS Command Injection Proscend M330-w / M33-W5 / M350-5G / M350-W5G / M350-6 / M350-W6 / M301-G / M301-GW ADVICE ICR 111WG / https://www.proscend.com/en/category/industrial-Cellular-Router/industrial-Cellular-Router.html https://cdn.shopify.com/s/files/1/0036/9413/3297/files/ADVICE_Industrial_4G_LTE_Cellular_Router_ICR111WG.pdf?v=1620814301 | |||||
| CVE-2022-2080 | 1 Automattic | 1 Sensei Lms | 2022-08-31 | N/A | 4.3 MEDIUM |
| The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student | |||||
| CVE-2022-2312 | 1 Student Result Or Employee Database Project | 1 Student Result Or Employee Database | 2022-08-24 | N/A | 5.4 MEDIUM |
| The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting | |||||
| CVE-2022-2198 | 1 2code | 1 Wpqa Builder | 2022-08-24 | N/A | 4.3 MEDIUM |
| The WPQA Builder WordPress plugin before 5.7 which is a companion plugin to the Hilmer and Discy , does not check authorization before displaying private messages, allowing any logged in user to read other users private message using the message id, which can easily be brute forced. | |||||
| CVE-2022-34621 | 1 Mealie | 1 Mealie | 2022-08-23 | N/A | 6.5 MEDIUM |
| Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter. | |||||
| CVE-2021-21012 | 1 Adobe | 2 Magento Commerce, Magento Open Source | 2022-08-19 | 4.3 MEDIUM | 5.3 MEDIUM |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2021-21022 | 1 Magento | 1 Magento | 2022-08-19 | 4.3 MEDIUM | 5.3 MEDIUM |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources. | |||||