Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
insecure direct object reference vulnerabilities and exploits
(subscribe to this query)
4.3
CVSSv3
CVE-2022-27108
OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.
Orangehrm Orangehrm 4.10
6.5
CVSSv3
CVE-2022-23061
In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.
Shopizer Shopizer
4.3
CVSSv3
CVE-2020-8297
Nextcloud Deck prior to 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user.
Nextcloud Deck
6.5
CVSSv3
CVE-2017-16631
In SapphireIMS 4097_1, a guest user is able to change the password of an administrative user by utilizing an Insecure Direct Object Reference (IDOR) in the "Account Password Reset" functionality.
Sapphireims Sapphireims 4097 1
7.5
CVSSv3
CVE-2022-43326
An Insecure Direct Object Reference (IDOR) vulnerability in the password reset function of Telos Alliance Omnia MPX Node 1.0.0-1.4.[*] allows malicious users to arbitrarily change user and Administrator account passwords.
Telosalliance Omnia Mpx Node Firmware
7.5
CVSSv3
CVE-2022-22828
An insecure direct object reference for the file-download URL in Synametrics SynaMan prior to 5.0 allows a remote malicious user to access unshared files via a modified base64-encoded filename string.
Synametrics Synaman
1 Github repository
5.4
CVSSv3
CVE-2022-34150
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.
Micodus Mv720 Firmware -
1 Article
8.1
CVSSv3
CVE-2022-25471
An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated malicious user to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.
Open-emr Openemr 6.0.0
8.8
CVSSv3
CVE-2018-16608
In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR).
Monstra Monstra 3.0.4
7.5
CVSSv3
CVE-2023-38884
An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote malicious user to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>'
Os4ed Opensis 9.0
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-40673
CVE-2024-36674
CVE-2024-27348
unspecified
CVE-2024-24919
CVE-2024-4870
malicious code
CVE-2024-2019
hard-coded
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
4
5
6
7
8
9
10
NEXT »