Vulmon
insecure direct object reference vulnerabilities and exploits
CVSSv2: 5
CVE-2020-15958
An issue exists in 1CRM System up to and including 8.6.7. An insecure direct object reference to internally stored files allows a remote malicious user to access various sensitive information via an unauthenticated request with a predictable URL.
1crm 1crm
CVSSv2: 5
CVE-2021-46378
DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through an unauthenticated remote configuration download.
Dlink Dir-850l Firmware 1.08trb03
CVSSv2: NA
CVE-2022-40319
The LISTSERV 17 web interface allows remote malicious users to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.
Lsoft Listserv 17.0
CVSSv2: 4
CVE-2021-40352
OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.
Open-emr Openemr 6.0.0
4 Github repositories
CVSSv2: 4
CVE-2014-8487
Kony Management (aka Enterprise Mobile Management or EMM) 1.2 and previous versions allows remote authenticated users to read (1) arbitrary messages via the messageId parameter to selfservice/managedevice/getMessageBody or (2) requests via the requestId parameter to selfservice/d...
Kony Enterprise Mobile Management
CVSSv2: NA
CVE-2023-3105
The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it...
Learndash Learndash
CVSSv2: 5.5
CVE-2021-46416
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R allows access by unauthorized user groups because of insecure cookie handling.
Sma Sunny Tripower Firmware 3.10.16.r
CVSSv2: 4
CVE-2021-34369
portlets/contact/ref/refContactDetail.do in Accela Civic Platform up to and including 20.1 allows remote malicious users to obtain sensitive information via a modified contactSeqNumber value. NOTE: the vendor states "the information that is being queried is authorized for an...
Accela Civic Platform
CVSSv2: 5
CVE-2020-28861
OpenAsset Digital Asset Management (DAM) 12.0.19 and previous versions failed to implement access controls on the /Stream/ProjectsCSV endpoint, allowing unauthenticated malicious users to gain access to potentially sensitive project information stored by the application.
Openasset Digital Asset Management
CVSSv2: NA
CVE-2023-2796
The EventON WordPress plugin prior to 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
Myeventon Eventon
1 Github repository
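The entries above share one shape: a URL parameter such as OpenEMR's pnotes_print.php?noteid= or EventON's numeric event id selects a record directly, and nothing checks whether the caller may see that record, so an attacker walks the id space. The block below is an added example, not code from Vulmon or from any vendor listed on this page; the store, record names and handlers are hypothetical. It shows the vulnerable direct lookup beside two fixes (an ownership check that treats unauthorized ids like missing ones, and per-session indirect references) and an enumeration probe that measures how much each handler leaks.

```python
"""IDOR: vulnerable direct lookup, ownership-checked lookup, indirect references,
and an id-enumeration probe. Added example with hypothetical names; the sample
records are constructed inline."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Note:
    note_id: int
    owner: str
    private: bool
    body: str


# Constructed sample data: sequential ids, several owners, one public record.
NOTES: Dict[int, Note] = {
    1: Note(1, "alice", True, "alice's lab results"),
    2: Note(2, "bob", True, "bob's referral letter"),
    3: Note(3, "carol", False, "clinic opening hours"),
    4: Note(4, "alice", True, "alice's prescription"),
}


class NotFound(Exception):
    pass


def vulnerable_get_note(user: Optional[str], note_id: int) -> Note:
    """Direct object reference: the id from the request selects the row and the
    caller's identity is never consulted, so any guessable id is readable,
    including by an unauthenticated caller (user is None)."""
    if note_id not in NOTES:
        raise NotFound(note_id)
    return NOTES[note_id]


def hardened_get_note(user: Optional[str], note_id: int) -> Note:
    """Same lookup, but a private record is returned only to its owner. An
    unauthenticated caller (None) never matches an owner, and an unauthorized id
    is reported exactly like a missing one so the response does not confirm
    that the id exists."""
    note = NOTES.get(note_id)
    if note is None or (note.private and note.owner != user):
        raise NotFound(note_id)
    return note


class IndirectRefMap:
    """Per-session indirection: the client only ever sees random handles, so
    ids cannot be incremented or guessed. One map per session; a handle issued
    to one session does not resolve in another."""

    def __init__(self) -> None:
        self._handles: Dict[str, int] = {}

    def issue(self, internal_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = internal_id
        return handle

    def resolve(self, handle: str) -> int:
        if handle not in self._handles:
            raise NotFound(handle)
        return self._handles[handle]


def enumerate_ids(handler: Callable[[Optional[str], int], Note],
                  user: Optional[str], candidates: Iterable[int]) -> List[int]:
    """Walk candidate ids the way an attacker would and return those the handler
    served. Exposure is the size of this list for a caller who should see
    nothing (None) or only their own records."""
    readable = []
    for note_id in candidates:
        try:
            handler(user, note_id)
        except NotFound:
            continue
        readable.append(note_id)
    return readable


if __name__ == "__main__":
    ids = range(1, 6)
    print("vulnerable, unauthenticated:", enumerate_ids(vulnerable_get_note, None, ids))
    print("hardened, unauthenticated:  ", enumerate_ids(hardened_get_note, None, ids))
    print("hardened, as alice:         ", enumerate_ids(hardened_get_note, "alice", ids))
    session = IndirectRefMap()
    handle = session.issue(2)
    print("handle", handle, "->", session.resolve(handle))
```

The ownership check is the fix that applies to every entry on this page; the indirect-reference map is an extra layer for cases where ids must not be inferable at all, and it only helps if handles are resolved against the session that issued them.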