Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
insecure direct object reference vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2023-38965
Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI.
Oretnom23 Lost And Found Information System 1.0
6.5
CVSSv3
CVE-2018-7690
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
Microfocus Fortify Software Security Center 17.10
Microfocus Fortify Software Security Center 17.20
Microfocus Fortify Software Security Center 18.10
1 Github repository
6.8
CVSSv3
CVE-2019-16017
A vulnerability in the Operations, Administration, Maintenance and Provisioning (OAMP) OpsConsole Server for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote malicious user to execute Insecure Direct Object Reference actions on specific pages within ...
Cisco Unified Customer Voice Portal
7.5
CVSSv3
CVE-2020-35737
In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users' profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference.
Newgensoft Egov 12.0
6.5
CVSSv3
CVE-2023-5808
SMU versions before 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data, that would normally be barred to that specific a...
Hitachi Vantara Hitachi Network Attached Storage
2 Github repositories
7.5
CVSSv3
CVE-2021-36389
In Yellowfin prior to 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".
Yellowfinbi Yellowfin
1 Github repository
5.4
CVSSv3
CVE-2021-36387
In Yellowfin prior to 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
Yellowfinbi Yellowfin
1 Github repository
7.5
CVSSv3
CVE-2021-36388
In Yellowfin prior to 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
Yellowfinbi Yellowfin
1 Github repository
7.5
CVSSv3
CVE-2021-41382
Plastic SCM prior to 10.0.16.5622 mishandles the WebAdmin server management interface.
Plasticscm Plastic Scm
1 Github repository
6.1
CVSSv3
CVE-2015-8398
Cross-site scripting (XSS) vulnerability in Atlassian Confluence prior to 5.8.17 allows remote malicious users to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
Atlassian Confluence
1 EDB exploit
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTI
CVE-2024-35863
CVE-2024-35910
man-in-the-middle
CVE-2024-35912
CVE-2024-25742
LFI
CVE-2024-32002
CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
NEXT »