Filtered by CWE-639
Total 508 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-38765 1 Canon 1 Vitrea View 2022-12-12 6.5 Medium
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
CVE-2022-24187 1 Sz-fujia 1 Ourphoto 2022-12-01 7.5 High
The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities. Other end-users user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an attacker to discover sensitive information such as end-user email addresses, and their unique frame_token value of all other Ourphoto App end-users.
CVE-2022-3589 1 Miele 1 Appwash 2022-11-30 8.1 High
An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.
CVE-2022-43492 1 Gvectors 1 Wpdiscuz 2022-11-22 8.8 High
Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.
CVE-2022-44005 1 Backclick 1 Backclick 2022-11-21 5.3 Medium
An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail addresses. Furthermore, it is possible to subscribe and verify other persons' e-mail addresses to newsletters without their consent.
CVE-2022-42129 1 Liferay 2 Digital Experience Platform, Liferay Portal 2022-11-18 4.3 Medium
An Insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter.
CVE-2022-0731 1 Dolibarr 1 Dolibarr Erp\/crm 2022-11-17 6.5 Medium
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2021-24739 1 Shapedplugin 1 Logo Carousel 2022-11-09 8.1 High
The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature
CVE-2022-40205 1 Gvectors 1 Wpforo Forum 2022-11-09 4.3 Medium
Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved.
CVE-2022-40206 1 Gvectors 1 Wpforo Forum 2022-11-09 4.3 Medium
Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.
CVE-2021-36906 1 Expresstech 1 Quiz And Survey Master 2022-11-04 8.8 High
Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin <= 7.3.6 on WordPress.
CVE-2022-39945 1 Fortinet 1 Fortimail 2022-11-03 6.5 Medium
An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR).
CVE-2021-3813 1 Chatwoot 1 Chatwoot 2022-10-27 6.5 Medium
Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2.
CVE-2021-32654 1 Nextcloud 1 Nextcloud Server 2022-10-26 9.1 Critical
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.
CVE-2021-22906 1 Nextcloud 1 End-to-end Encryption 2022-10-25 6.5 Medium
Nextcloud End-to-End Encryption before 1.5.3, 1.6.3 and 1.7.1 suffers from a denial of service vulnerability due to permitting any authenticated users to lock files of other users.
CVE-2021-24318 1 Purethemes 1 Listeo 2022-10-25 6.5 Medium
The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector.
CVE-2021-36032 1 Adobe 2 Adobe Commerce, Magento Open Source 2022-10-24 8.8 High
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
CVE-2022-41479 1 Devexpress 1 Asp.net Web Forms Controls 2022-10-20 7.5 High
The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code.
CVE-2022-3282 1 Codedropz 1 Drag And Drop Multiple File Upload - Contact Form 7 2022-10-20 4.3 Medium
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.
CVE-2022-3331 1 Gitlab 1 Gitlab 2022-10-20 4.3 Medium
An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Zentao project issues.