Total: 811 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-9468 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter. |
CVE-2020-9384 | 1 Subex | 1 Roc Partner Settlement | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An Insecure Direct Object Reference (IDOR) vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters. NOTE: This vulnerability may only affect a testing version of the application. |
CVE-2020-8791 | 1 Oklok Project | 1 Oklok | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary user IDs. Valid and current user IDs are trivial to guess because of the user ID assignment convention used by the app. A remote attacker could harvest email addresses, unsalted MD5 password hashes, owner-assigned lock names, and owner-assigned fingerprint names for any range of arbitrary user IDs. |
CVE-2020-8503 | 1 Biscom | 1 Secure File Transfer | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM | Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference (IDOR) by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004. |
CVE-2020-8297 | 1 Nextcloud | 1 Deck | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previously deleted user. |
CVE-2020-8235 | 1 Nextcloud | 1 Deck | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments. |
CVE-2020-8154 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH | An insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. |
CVE-2020-7918 | 1 Totemo | 1 Totemomail | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | An insecure direct object reference in webmail in totemo totemomail 7.0.0 allows an authenticated remote user to read and modify mail folder names of other users via enumeration. |
CVE-2020-6859 | 1 Ultimatemember | 1 Ultimate Member | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image. |
CVE-2020-6641 | 1 Fortinet | 1 Fortipresence | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters. |
CVE-2020-5743 | 1 Tecnick | 1 Tcexam | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Improper Control of Resource Identifiers in TCExam 14.2.2 allows a remote, authenticated attacker to access test metadata for which they don't have permission. |
CVE-2020-5539 | 1 Grandit | 1 Grandit | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM | GRANDIT Ver.1.6, Ver.2.0, Ver.2.1, Ver.2.2, Ver.2.3, and Ver.3.0 do not properly manage sessions, which allows remote attackers to impersonate an arbitrary user and then alter or disclose the information via unspecified vectors. |
CVE-2020-5194 | 1 Cerberusftp | 1 Ftp Server | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM | The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. Improper permission verification occurs when calling the file/ajax_download_zip/zip_name endpoint. The result is that a user without permissions can zip and download files even if they do not have permission to view whether the file exists. |
CVE-2020-4918 | 1 Ibm | 1 Cloud Pak System | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM | IBM Cloud Pak System 2.3 could allow a local privileged user to disclose sensitive information due to an insecure direct object reference in the self service console for the Platform System Manager. IBM X-Force ID: 191392. |
CVE-2020-36231 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2. |
CVE-2020-36126 | 1 Paxtechnology | 1 Paxstore | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH | Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment terminals, where an attacker can impersonate any user, which may lead to the unauthorized disclosure, modification, or destruction of information. |
CVE-2020-35849 | 1 Mantisbt | 1 Mantisbt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnote revisions, gaining access to potentially confidential information via the bugnote_id parameter. |
CVE-2020-29446 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Affected versions of Atlassian Fisheye & Crucible allow remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory. The affected versions are before version 4.8.5. |
CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. |
CVE-2020-27742 | 1 Citadel | 1 Webcit | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread. |