Total
952 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7041 | 1 Openwebui | 1 Open Webui | 2025-07-29 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint `http://0.0.0.0:3000/api/v1/memories/{id}/update`, where the decentralization design is flawed, allowing attackers to edit other users' memories without proper authorization. | |||||
| CVE-2025-52448 | 2025-07-29 | N/A | 8.1 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-52446 | 2025-07-29 | N/A | 8.0 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (tab-doc api modules) allows Interface Manipulation (data access to the production database cluster).This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-52447 | 2025-07-29 | N/A | 8.1 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (set-initial-sql tabdoc command modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-51865 | 2025-07-25 | N/A | 8.8 HIGH | ||
| Ai2 playground web service (playground.allenai.org) LLM chat through 2025-06-03 is vulnerable to Insecure Direct Object Reference (IDOR), allowing attackers to gain sensitvie information via enumerating thread keys in the URL. | |||||
| CVE-2025-34140 | 2025-07-25 | N/A | N/A | ||
| An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration in API authorization logic, which has since been corrected in SE.2025.1 and 2025.1.2. | |||||
| CVE-2025-51479 | 2025-07-25 | N/A | 5.4 MEDIUM | ||
| Authorization bypass in update_user_group in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks. | |||||
| CVE-2025-51867 | 2025-07-25 | N/A | 6.5 MEDIUM | ||
| Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users' credits via sensitive information gained by the /browse/stories endpoint. | |||||
| CVE-2024-45329 | 1 Fortinet | 1 Fortiportal | 2025-07-22 | N/A | 4.3 MEDIUM |
| A authorization bypass through user-controlled key in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.8 may allow an authenticated attacker to view unauthorized device information via key modification in API requests. | |||||
| CVE-2024-5166 | 1 Google | 1 Looker | 2025-07-22 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model. | |||||
| CVE-2025-20114 | 1 Cisco | 2 Unified Contact Center Express, Unified Intelligence Center | 2025-07-22 | N/A | 4.3 MEDIUM |
| A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system. This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by submitting crafted API requests to an affected system to execute an insecure direct object reference attack. A successful exploit could allow the attacker to access specific data that is associated with different users on the affected system. | |||||
| CVE-2025-51869 | 2025-07-22 | N/A | 7.5 HIGH | ||
| Insecure Direct Object Reference (IDOR) vulnerability in Liner thru 2025-06-03 allows attackers to gain sensitive information via crafted space_id, thread_id, and message_id parameters to the v1/space/{space_id}/thread/{thread_id}/message/{message_id} endpoint. | |||||
| CVE-2025-51868 | 2025-07-22 | N/A | 7.5 HIGH | ||
| Insecure Direct Object Reference (IDOR) vulnerability in Dippy (chat.dippy.ai) v2 allows attackers to gain sensitive information via the conversation_id parameter to the conversation_history endpoint. | |||||
| CVE-2024-13175 | 2025-07-22 | N/A | 5.5 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Vidco Software VOC TESTER allows Forceful Browsing.This issue affects VOC TESTER: before 12.41.0. | |||||
| CVE-2025-5681 | 2025-07-22 | N/A | 6.5 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.This issue affects Eyotek: before 23.06.2025. | |||||
| CVE-2025-2301 | 2025-07-22 | N/A | 4.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Akbim Software Online Exam Registration allows Exploitation of Trusted Identifiers.This issue affects Online Exam Registration: before 14.03.2025. | |||||
| CVE-2025-4129 | 2025-07-22 | N/A | 7.5 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.This issue affects PAVO Pay: before 13.05.2025. | |||||
| CVE-2025-4040 | 2025-07-22 | N/A | 7.1 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Turpak Automatic Station Monitoring System allows Privilege Escalation.This issue affects Automatic Station Monitoring System: before 5.0.6.51. | |||||
| CVE-2025-1469 | 2025-07-22 | N/A | 7.5 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.This issue affects Eyotek: before 11.03.2025. | |||||
| CVE-2025-7899 | 2025-07-22 | N/A | N/A | ||
| The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0 | |||||