Total
508 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3992 | 1 Kimai2 Project | 1 Kimai2 | 2022-08-05 | 6.5 Medium |
| kimai2 is vulnerable to Improper Access Control | ||||
| CVE-2022-1600 | 1 Yop-poll | 1 Yop Poll | 2022-08-04 | 5.3 Medium |
| The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations. | ||||
| CVE-2022-33944 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | 6.5 Medium |
| The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs. | ||||
| CVE-2022-34150 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | 5.4 Medium |
| The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification. | ||||
| CVE-2022-1881 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 5.3 Medium |
| In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space. | ||||
| CVE-2022-2193 | 1 Hypr | 1 Hypr Server | 2022-07-27 | 8.8 High |
| Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1. | ||||
| CVE-2021-24655 | 1 Wpusermanager | 1 Wp User Manager | 2022-07-18 | 7.5 High |
| The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account. | ||||
| CVE-2022-30852 | 1 Withknown | 1 Known | 2022-07-15 | 4.3 Medium |
| Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR). | ||||
| CVE-2022-23173 | 1 Priority-software | 1 Priority | 2022-07-14 | 6.3 Medium |
| this vulnerability affect user that even not allowed to access via the web interface. First of all, the attacker needs to access the "Login menu - demo site" then he can see in this menu all the functionality of the application. If the attacker will try to click on one of the links, he will get an answer that he is not authorized because he needs to log in with credentials. after he performed log in to the system there are some functionalities that the specific user is not allowed to perform because he was configured with low privileges however all the attacker need to do in order to achieve his goals is to change the value of the prog step parameter from 0 to 1 or more and then the attacker could access to some of the functionality the web application that he couldn't perform it before the parameter changed. | ||||
| CVE-2022-31883 | 1 Marvalglobal | 1 Marval Msm | 2022-07-14 | 8.8 High |
| Marval MSM v14.19.0.12476 is has an Insecure Direct Object Reference (IDOR) vulnerability. A low privilege user is able to see other users API Keys including the Admins API Keys. | ||||
| CVE-2021-46249 | 1 Scratchoauth2 Project | 1 Scratchoauth2 | 2022-07-12 | 6.5 Medium |
| An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps. | ||||
| CVE-2021-39916 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | ||||
| CVE-2021-37331 | 1 Bookingcore | 1 Booking Core | 2022-07-12 | 5.3 Medium |
| Laravel Booking System Booking Core 2.0 is vulnerable to Incorrect Access Control. On the Verifications page, after uploading an ID Card or Trade License and viewing it, ID Cards and Trade Licenses of other vendors/users can be viewed by changing the URL. | ||||
| CVE-2021-39934 | 1 Gitlab | 1 Gitlab | 2022-07-12 | 4.3 Medium |
| Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | ||||
| CVE-2020-36126 | 1 Paxtechnology | 1 Paxstore | 2022-07-12 | 8.1 High |
| Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment terminals, where an attacker can impersonate any user which may lead to the unauthorized disclosure, modification, or destruction of information. | ||||
| CVE-2021-41847 | 1 3xlogic | 1 Infinias Access Control | 2022-07-12 | 8.8 High |
| An issue was discovered in 3xLogic Infinias Access Control through 6.7.10708.0, affecting physical security. Users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests, allowing them to view user data such as personal information and Prox card credentials. Also, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to. They can also create new user logins for zones they were not authorized to access, including the root zone of the software. | ||||
| CVE-2021-38362 | 1 Rsa | 1 Archer | 2022-07-12 | 6.5 Medium |
| In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data. | ||||
| CVE-2021-41608 | 1 Classapps | 1 Selectsurvey.net | 2022-07-12 | 7.5 High |
| A file disclosure vulnerability in the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve survey user submitted data by modifying the value of the ID parameter in sequential order beginning from 1. | ||||
| CVE-2020-26679 | 1 Vfairs | 1 Vfairs | 2022-07-12 | 4.3 Medium |
| vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other users profile information or profile picture. After receiving any user's unique identification number and their own, an HTTP POST request can be made update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or upload malicious PHP webshells as "profile pictures." The user IDs can be easily determined by other responses from the API for an event or chat room. | ||||
| CVE-2021-44836 | 1 Deltarm | 1 Delta Rm | 2022-07-12 | 4.3 Medium |
| An issue was discovered in Delta RM 1.2. The /risque/risque/workflow/reset endpoint is lacking access controls, and it is possible for an unprivileged user to reopen a risk with a POST request, using the risqueID parameter to identify the risk to be re-opened. | ||||