Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
insecure direct object reference vulnerabilities and exploits
(subscribe to this query)
8.6
CVSSv3
CVE-2020-15958
An issue exists in 1CRM System up to and including 8.6.7. An insecure direct object reference to internally stored files allows a remote malicious user to access various sensitive information via an unauthenticated request with a predictable URL.
1crm 1crm
7.5
CVSSv3
CVE-2021-46378
DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through an unauthenticated remote configuration download.
Dlink Dir-850l Firmware 1.08trb03
7.5
CVSSv3
CVE-2022-40319
The LISTSERV 17 web interface allows remote malicious users to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.
Lsoft Listserv 17.0
6.5
CVSSv3
CVE-2021-40352
OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.
Open-emr Openemr 6.0.0
4 Github repositories
NA
CVE-2014-8487
Kony Management (aka Enterprise Mobile Management or EMM) 1.2 and previous versions allows remote authenticated users to read (1) arbitrary messages via the messageId parameter to selfservice/managedevice/getMessageBody or (2) requests via the requestId parameter to selfservice/d...
Kony Enterprise Mobile Management
8.8
CVSSv3
CVE-2023-3105
The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it...
Learndash Learndash
8.1
CVSSv3
CVE-2021-46416
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.
Sma Sunny Tripower Firmware 3.10.16.r
6.5
CVSSv3
CVE-2021-34369
portlets/contact/ref/refContactDetail.do in Accela Civic Platform up to and including 20.1 allows remote malicious users to obtain sensitive information via a modified contactSeqNumber value. NOTE: the vendor states "the information that is being queried is authorized for an...
Accela Civic Platform
5.3
CVSSv3
CVE-2020-28861
OpenAsset Digital Asset Management (DAM) 12.0.19 and previous versions failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated malicious users to gain access to potentially sensitive project information stored by the application.
Openasset Digital Asset Management
5.3
CVSSv3
CVE-2023-2796
The EventON WordPress plugin prior to 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
Myeventon Eventon
1 Github repository
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTI
CVE-2024-35863
CVE-2024-35910
man-in-the-middle
CVE-2024-35912
CVE-2024-25742
LFI
CVE-2024-32002
CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
NEXT »