Total
952 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4750 | 1 Buddyboss | 1 Buddyboss | 2025-06-30 | N/A | 5.3 MEDIUM |
| The buddyboss-platform WordPress plugin before 2.6.0 contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request | |||||
| CVE-2025-3811 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 9.8 CRITICAL |
| The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2025-3810 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 9.8 CRITICAL |
| The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password and email through the edit_profile_data() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2024-10215 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 9.8 CRITICAL |
| The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. | |||||
| CVE-2025-50693 | 1 Phpgurukul | 1 Online Dj Booking Management System | 2025-06-27 | N/A | 6.5 MEDIUM |
| PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php. | |||||
| CVE-2025-25952 | 1 Serosoft | 1 Academia Student Information System | 2025-06-27 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object References (IDOR) in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information via a crafted API request. | |||||
| CVE-2025-3091 | 2025-06-26 | N/A | 7.5 HIGH | ||
| An low privileged remote attacker in possession of the second factor for another user can login as that user without knowledge of the other user`s password. | |||||
| CVE-2025-3625 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 7.1 HIGH |
| A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA). | |||||
| CVE-2025-3640 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access. | |||||
| CVE-2025-3636 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks. | |||||
| CVE-2025-49995 | 2025-06-23 | N/A | 5.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through 1.3.1. | |||||
| CVE-2025-49978 | 2025-06-23 | N/A | 4.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in eyecix JobSearch allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobSearch: from n/a through 2.9.0. | |||||
| CVE-2024-23747 | 1 Modernasistemas | 1 Modernanet Hospital Management System 2024 | 2025-06-20 | N/A | 7.5 HIGH |
| The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information. | |||||
| CVE-2024-38447 | 1 Ncia | 1 Advisor Network | 2025-06-20 | N/A | 8.1 HIGH |
| NATO NCI ANET 3.4.1 allows Insecure Direct Object Reference via a modified ID field in a request for a private draft report (that belongs to an arbitrary user). | |||||
| CVE-2024-38446 | 1 Ncia | 1 Advisor Network | 2025-06-20 | N/A | 6.5 MEDIUM |
| NATO NCI ANET 3.4.1 mishandles report ownership. A user can create a report and, despite the restrictions imposed by the UI, change the author of that report to an arbitrary user (without their consent or knowledge) via a modified UUID in a POST request. | |||||
| CVE-2024-31815 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2025-06-17 | N/A | 9.1 CRITICAL |
| In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh | |||||
| CVE-2023-47022 | 1 Ncr | 1 Terminal Handler | 2025-06-17 | N/A | 6.5 MEDIUM |
| Insecure Direct Object Reference in NCR Terminal Handler v.1.5.1 allows an unprivileged user to edit the audit logs for any user and can lead to CSV injection. | |||||
| CVE-2025-40658 | 2025-06-12 | N/A | N/A | ||
| An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelection.asp. | |||||
| CVE-2025-40661 | 2025-06-12 | N/A | N/A | ||
| An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/selection.asp. | |||||
| CVE-2025-40660 | 2025-06-12 | N/A | N/A | ||
| An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/select node/data.asp?mode=catalogue&id1=1&id2=1session=&cod=1&networks=0. | |||||