Total
508 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-5966 | 1 Joruri | 1 Joruri Mail | 2020-08-24 | N/A |
| Joruri Mail 2.1.4 and earlier does not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and alter/disclose the information via unspecified vectors. | ||||
| CVE-2018-16606 | 1 Proconf | 1 Proconf | 2020-08-24 | N/A |
| In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter). | ||||
| CVE-2018-15833 | 1 Vanillaforums | 1 Vanilla Forums | 2020-08-24 | N/A |
| In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items). | ||||
| CVE-2019-9756 | 1 Gitlab | 1 Gitlab | 2020-08-24 | N/A |
| An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732. | ||||
| CVE-2019-9219 | 1 Gitlab | 1 Gitlab | 2020-08-24 | N/A |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5). | ||||
| CVE-2019-9170 | 1 Gitlab | 1 Gitlab | 2020-08-24 | N/A |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control. | ||||
| CVE-2019-8235 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 Medium |
| An insecure direct object reference (IDOR) vulnerability exists in Magento 2.3 prior to 2.3.1, 2.2 prior to 2.2.8, and 2.1 prior to 2.1.17 versions. An authenticated user may be able to view personally identifiable shipping details of another user due to insufficient validation of user controlled input. | ||||
| CVE-2019-7950 | 1 Magento | 1 Magento | 2020-08-24 | N/A |
| An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information. | ||||
| CVE-2019-7925 | 1 Magento | 1 Magento | 2020-08-24 | N/A |
| An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloadable products folder. | ||||
| CVE-2019-19616 | 1 Xtivia | 1 Web Time And Expense | 2020-08-24 | 4.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function. | ||||
| CVE-2019-17605 | 1 Eyecomms | 1 Eyecms | 2020-08-24 | 8.8 High |
| A mass assignment vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to take over another candidate's account (by also exploiting CVE-2019-17604) via a modified candidate id and an additional password parameter. The outcome is that the password of this other candidate is changed. | ||||
| CVE-2019-17604 | 1 Eyecomms | 1 Eyecms | 2020-08-24 | 4.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in eyecomms eyeCMS through 2019-10-15 allows any candidate to change other candidates' personal information (first name, last name, email, CV, phone number, and all other personal information) by changing the value of the candidate id (the id parameter). | ||||
| CVE-2019-16403 | 1 Webkul | 1 Bagisto | 2020-08-24 | 8.8 High |
| In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers. | ||||
| CVE-2019-15815 | 1 Zyxel | 2 2.00\(abbx.3\), P-1302-t10d | 2020-08-24 | 6.5 Medium |
| ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges. | ||||
| CVE-2019-15725 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 7.5 High |
| An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API that could result in disclosure of private milestones, labels, and other information. | ||||
| CVE-2019-13461 | 1 Prestashop | 1 Prestashop | 2020-08-24 | N/A |
| In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. | ||||
| CVE-2019-13337 | 1 Weseek | 1 Growi | 2020-08-24 | N/A |
| In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required. | ||||
| CVE-2019-12866 | 1 Jetbrains | 1 Youtrack | 2020-08-24 | N/A |
| An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168. | ||||
| CVE-2019-12782 | 1 Thoughtspot | 1 Thoughtspot | 2020-08-24 | N/A |
| An authorization bypass vulnerability in pinboard updates in ThoughtSpot 4.4.1 through 5.1.1 (before 5.1.2) allows a low-privilege user with write access to at least one pinboard to corrupt pinboards of another user in the application by spoofing GUIDs in pinboard update requests, effectively deleting them. | ||||
| CVE-2019-12742 | 1 Bludit | 1 Bludit | 2020-08-24 | N/A |
| Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of bl-kernel/admin/controllers/user-password.php Insecure Direct Object Reference (a modified username POST parameter). | ||||