Total
444 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-13337 | 1 Weseek | 1 Growi | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token (this is the parameter used by the API). No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is required. | |||||
CVE-2019-12742 | 1 Bludit | 1 Bludit | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of bl-kernel/admin/controllers/user-password.php Insecure Direct Object Reference (a modified username POST parameter). | |||||
CVE-2018-16608 | 1 Monstra | 1 Monstra | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change the password of the administrator via an admin/index.php?id=users&action=edit&user_id=1, Insecure Direct Object Reference (IDOR). | |||||
CVE-2018-1000210 | 1 Yamldotnet Project | 1 Yamldotnet | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0. | |||||
CVE-2018-16971 | 1 Wisetail | 1 Learning Management System | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
Wisetail Learning Ecosystem (LE) through v4.11.6 allows insecure direct object reference (IDOR) attacks to access non-purchased course contents (quiz / test) via a modified id parameter. | |||||
CVE-2018-16704 | 1 Gleeztech | 1 Gleezcms | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Gleez CMS v1.2.0. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged in users) to view profile page of other users, as demonstrated by navigating to user/3 on demo.gleezcms.org. | |||||
CVE-2018-15833 | 1 Vanillaforums | 1 Vanilla Forums | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Vanilla before 2.6.1, the polling functionality allows Insecure Direct Object Reference (IDOR) via the Poll ID, leading to the ability of a single user to select multiple Poll Options (e.g., vote for multiple items). | |||||
CVE-2018-16606 | 1 Proconf | 1 Proconf | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter). | |||||
CVE-2017-0936 | 1 Nextcloud | 1 Nextcloud Server | 2023-12-10 | 4.9 MEDIUM | 5.7 MEDIUM |
Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user. | |||||
CVE-2018-10211 | 1 Vaultize | 1 Enterprise File Sharing | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is improper authorization when listing the history of another user via a modified "vaultize_session_id" value in a cookie. | |||||
CVE-2017-15204 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user. | |||||
CVE-2017-15207 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user. | |||||
CVE-2017-15200 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user. | |||||
CVE-2017-15211 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. | |||||
CVE-2017-15203 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. | |||||
CVE-2017-15199 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description. | |||||
CVE-2017-15197 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user. | |||||
CVE-2017-15201 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user. | |||||
CVE-2017-15195 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user. | |||||
CVE-2017-15208 | 1 Kanboard | 1 Kanboard | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user. |