Total: 1315 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-30507 | | | 2024-11-21 | N/A | 2.7 LOW | Authorization Bypass Through User-Controlled Key vulnerability in Molongui. This issue affects Molongui: from n/a through 4.7.7. |
| CVE-2024-29181 | 1 Strapi | 1 Strapi | 2024-11-21 | N/A | 2.3 LOW | Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with the Author role can see the list of associated items they did not create. They should see only the items they created, not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch. |
| CVE-2024-24312 | | | 2024-11-21 | N/A | 7.5 HIGH | SQL injection vulnerability in Vaales Technologies V_QRS v.2024-01-17 allows a remote attacker to obtain sensitive information via the Models/UserModel.php component. |
| CVE-2024-23112 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-11-21 | N/A | 8.0 HIGH | An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS version 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14, and FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 SSL-VPN may allow an authenticated attacker to gain access to another user's bookmark via URL manipulation. |
| CVE-2024-22455 | 1 Dell | 1 E-lab Navigator | 2024-11-21 | N/A | 4.4 MEDIUM | Dell Mobility - E-Lab Navigator, version(s) 3.1.9, 3.2.0, contain(s) an Authorization Bypass Through User-Controlled Key vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to the launch of phishing attacks. |
| CVE-2024-22439 | | | 2024-11-21 | N/A | 6.9 MEDIUM | A potential security vulnerability has been identified in HPE FlexFabric and FlexNetwork series products. This vulnerability could be exploited to gain privileged access to switches, resulting in information disclosure. |
| CVE-2024-22305 | 1 Kaliforms | 1 Kali Forms | 2024-11-21 | N/A | 7.5 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Kali Forms Contact Form builder with drag & drop for WordPress – Kali Forms. This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36. |
| CVE-2024-22206 | 1 Clerk | 1 Javascript | 2024-11-21 | N/A | 9.0 CRITICAL | Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3. |
| CVE-2024-21759 | 1 Fortinet | 1 Fortiportal | 2024-11-21 | N/A | 4.3 MEDIUM | An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6, allows an attacker to view unauthorized resources via HTTP or HTTPS requests. |
| CVE-2024-0580 | 1 Idmsistemas | 1 Sinergia | 2024-11-21 | N/A | 6.5 MEDIUM | Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X accepts values 1, 2, 3, etc. |
| CVE-2024-0366 | 1 Squirrly | 1 Starbox | 2024-11-21 | N/A | 4.3 MEDIUM | The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user-controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings. |
| CVE-2024-0264 | 1 Oretnom23 | 1 Clinic Queuing System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /LoginRegistration.php. The manipulation of the argument formToken leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249820. |
| CVE-2023-7031 | 1 Avaya | 1 Aura Experience Portal | 2024-11-21 | N/A | 5.7 MEDIUM | Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support. |
| CVE-2023-6983 | 1 Josevega | 1 Display Custom Fields In The Frontend - Post And User Profile Fields | 2024-11-21 | N/A | 4.3 MEDIUM | The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive post meta. |
| CVE-2023-6929 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2024-11-21 | N/A | 7.5 HIGH | EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references, which occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization, access hidden resources on the system, and execute privileged functionality. |
| CVE-2023-6724 | 1 Simgesel | 1 Hearing Tracking System | 2024-11-21 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse. This issue affects Hearing Tracking System: before 7.0 for iOS, and latest release 1.0 for Android. |
| CVE-2023-6630 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | N/A | 4.3 MEDIUM | The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user-controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key. |
| CVE-2023-6523 | | | 2024-11-21 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse. This issue affects Extreme XDS: before 3914. |
| CVE-2023-6515 | 1 Miateknoloji | 1 Mia-med | 2024-11-21 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse. This issue affects MİA-MED: before 1.0.7. |
| CVE-2023-6341 | 1 Catalisgov | 1 Cms360 | 2024-11-21 | N/A | 5.3 MEDIUM | Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation. |
| CVE-2023-6226 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2024-11-21 | N/A | 4.3 MEDIUM | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user-controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values, which may contain sensitive information when combined with another plugin. |
| CVE-2023-6144 | 1 Armanidrisi | 1 Dev Blog | 2024-11-21 | N/A | 9.1 CRITICAL | Dev blog v1.0 allows account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username. |
| CVE-2023-5544 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | N/A | 6.5 MEDIUM | Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. |
| CVE-2023-51503 | 1 Automattic | 1 Woopayments | 2024-11-21 | N/A | 5.9 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.9.2. |
| CVE-2023-51502 | 1 Automattic | 1 Woocommerce Stripe | 2024-11-21 | N/A | 7.5 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1. |
| CVE-2023-50267 | 1 Metersphere | 1 Metersphere | 2024-11-21 | N/A | 4.3 MEDIUM | MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, authenticated attackers can update resources which do not belong to them if the resource ID is known. This issue is fixed in 2.10.10-lts. There are no known workarounds. |
| CVE-2023-4934 | 1 Usta | 1 Aybs | 2024-11-21 | N/A | 8.8 HIGH | Authorization Bypass Through User-Controlled Key vulnerability in Usta AYBS allows Authentication Abuse, Authentication Bypass. This issue affects AYBS: before 1.0.3. |
| CVE-2023-4587 | 1 Zkteco | 2 Zem800, Zem800 Firmware | 2024-11-21 | N/A | 8.3 HIGH | An IDOR vulnerability has been found in the ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server. |
| CVE-2023-4213 | 1 Mikevanwinkle | 1 Simplr Registration Form Plus+ | 2024-11-21 | N/A | 8.8 HIGH | The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts. |
| CVE-2023-4101 | 1 Qsige | 1 Qsige | 2024-11-21 | N/A | 8.8 HIGH | The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. |
| CVE-2023-4099 | 1 Qsige | 1 Qsige | 2024-11-21 | N/A | 7.6 HIGH | The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. |
| CVE-2023-49812 | 1 Wppa | 1 Wp Photo Album Plus | 2024-11-21 | N/A | 5.3 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.k.a. OpaJaap WP Photo Album Plus. This issue affects WP Photo Album Plus: from n/a through 8.5.02.005. |
| CVE-2023-49765 | 1 Blazzdev | 1 Rate My Post | 2024-11-21 | N/A | 4.3 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in Blaz K. Rate my Post – WP Rating System. This issue affects Rate my Post – WP Rating System: from n/a through 3.4.1. |
| CVE-2023-48783 | 1 Fortinet | 1 Fortiportal | 2024-11-21 | N/A | 5.4 MEDIUM | An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting FortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, and version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access other organizations' endpoints via crafted GET requests. |
| CVE-2023-48641 | 1 Archerirm | 1 Archer | 2024-11-21 | N/A | 7.5 HIGH | Archer Platform 6.x before 6.14 P1 HF2 (6.14.0.1.2) contains an insecure direct object reference vulnerability. An authenticated malicious user in a multi-instance installation could potentially exploit this vulnerability by manipulating application resource references in user requests to bypass authorization checks, in order to gain execute access to AWF application resources. |
| CVE-2023-48304 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 4.3 MEDIUM | Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could enable and disable the birthday calendar for any user on the same server. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 2 ... |
| CVE-2023-47316 | 1 H-mdm | 1 Headwind Mdm | 2024-11-21 | N/A | 5.4 MEDIUM | Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls, and audit-related API calls. |
| CVE-2023-47191 | 1 Kainelabs | 1 Youzify | 2024-11-21 | N/A | 6.5 MEDIUM | Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. This issue affects Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress: from n/a through 1.2.2. |
| CVE-2023-46701 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 6.5 MEDIUM | Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin, allowing an attacker to get limited information about a post if they know the post ID. |
| CVE-2023-46478 | 1 Minical | 1 Minical | 2024-11-21 | N/A | 8.8 HIGH | An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter. |