Total: 508 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2020-5194 | 1 Cerberusftp | 1 Ftp Server | 2021-07-21 | 5.4 Medium | The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists.
CVE-2020-4918 | 1 Ibm | 1 Cloud Pak System | 2021-07-21 | 4.4 Medium | IBM Cloud Pak System 2.3 could allow a local privileged user to disclose sensitive information due to an insecure direct object reference in the self service console for the Platform System Manager. IBM X-Force ID: 191392.
CVE-2020-35849 | 1 Mantisbt | 1 Mantisbt | 2021-07-21 | 7.5 High | An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnote revisions, gaining access to potentially confidential information via the bugnote_id parameter.
CVE-2020-29446 | 1 Atlassian | 2 Crucible, Fisheye | 2021-07-21 | 5.3 Medium | Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object Reference (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5.
CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2021-07-21 | 5.3 Medium | The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
CVE-2020-27663 | 1 Glpi-project | 1 Glpi | 2021-07-21 | 4.3 Medium | In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
CVE-2020-27662 | 1 Glpi-project | 1 Glpi | 2021-07-21 | 4.3 Medium | In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
CVE-2020-26175 | 1 Tangro | 1 Business Workflow | 2021-07-21 | 6.5 Medium | In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users.
CVE-2020-26173 | 1 Tangro | 1 Business Workflow | 2021-07-21 | 4.3 Medium | An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required.
CVE-2020-26171 | 1 Tangro | 1 Business Workflow | 2021-07-21 | 4.3 Medium | In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.
CVE-2020-23722 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-07-21 | 8.8 High | An issue was discovered in FUEL CMS 1.4.7. There is an escalation of privilege vulnerability to obtain super admin privilege via the "id" and "fuel_id" parameters.
CVE-2020-23449 | 1 Newbee-mall Project | 1 Newbee-mall | 2021-07-21 | 7.5 High | newbee-mall all versions are affected by incorrect access control to remotely gain privileges through NewBeeMallIndexConfigServiceImpl.java. Unauthorized changes can be made to any user information through the userID.
CVE-2020-23446 | 1 Verint | 1 Workforce Optimization | 2021-07-21 | 5.3 Medium | Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API.
CVE-2020-20183 | 1 Zyxel | 2 P1302-t10 V3, P1302-t10 V3 Firmware | 2021-07-21 | 7.5 High | Insecure direct object reference vulnerability in Zyxel's P1302-T10 v3 with firmware version 2.00(ABBX.3) and earlier allows attackers to gain privileges and access certain admin pages.
CVE-2020-19890 | 1 Dbhcms Project | 1 Dbhcms | 2021-07-21 | 4.9 Medium | DBHcms v1.2.0 has an arbitrary file read vulnerability in dbhcms\mod\mod.editor.php: $_GET['file'] is a filename, and as there is no filter function for security, you can read any file's content.
CVE-2020-16194 | 1 Store-opart | 1 Quote | 2021-07-21 | 5.3 Medium | An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2. Unauthenticated attackers can have access to any user's invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields.
CVE-2020-15958 | 1 1crm | 1 1crm | 2021-07-21 | 8.6 High | An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL.
CVE-2020-13700 | 1 Acf To Rest Api Project | 1 Acf To Rest Api | 2021-07-21 | 7.5 High | An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
CVE-2020-13462 | 1 Tufin | 1 Securetrack | 2021-07-21 | 5.7 Medium | Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA.
CVE-2020-12643 | 1 Open-xchange | 1 Open-xchange Appsuite | 2021-07-21 | 4.3 Medium | OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address.