Total: 859 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-16194 | 1 Store-opart | 1 Quote | 2024-11-21 | 5.3 Medium | An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2. Unauthenticated attackers can access any user's invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields. |
CVE-2020-15958 | 1 1crm | 1 1crm | 2024-11-21 | 8.6 High | An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL. |
CVE-2020-14174 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.3 Medium | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object Reference (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1. |
CVE-2020-13998 | 1 Citrix | 1 Xenapp | 2024-11-21 | 5.3 Medium | Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
CVE-2020-13923 | 1 Apache | 1 Ofbiz | 2024-11-21 | 5.3 Medium | IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04. |
CVE-2020-13700 | 1 Acf To Rest Api Project | 1 Acf To Rest Api | 2024-11-21 | 7.5 High | An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalink manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values. |
CVE-2020-13462 | 1 Tufin | 1 Securetrack | 2024-11-21 | 5.7 Medium | Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA. |
CVE-2020-13357 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium | An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 that allowed an unauthorized user to access the user list corresponding to a feature flag in a project. |
CVE-2020-12643 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 4.3 Medium | OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address. |
CVE-2020-11659 | 1 Broadcom | 1 Ca Api Developer Portal | 2024-11-21 | 4.3 Medium | CA API Developer Portal 4.3.1 and earlier contains an access control flaw that allows privileged users to perform a restricted user administration action. |
CVE-2020-11658 | 1 Broadcom | 1 Ca Api Developer Portal | 2024-11-21 | 9.8 Critical | CA API Developer Portal 4.3.1 and earlier handles shared secret keys in an insecure manner, which allows attackers to bypass authorization. |
CVE-2020-11589 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 7.5 High | An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only. |
CVE-2020-11585 | 1 Dnnsoftware | 1 Dotnetnuke | 2024-11-21 | 4.3 Medium | There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter. |
CVE-2020-11009 | 1 Pagerduty | 1 Rundeck | 2024-11-21 | 6.5 Medium | In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk and a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher. This vulnerability is patched in version 3.2.6. |
CVE-2020-10779 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-11-21 | 6.5 Medium | Red Hat CloudForms 4.7 and 5 are affected by insecure direct object references (IDOR) and a functional-level access control bypass due to a missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within CloudForms. |
CVE-2020-10130 | 1 Searchblox | 1 Searchblox | 2024-11-21 | 8.8 High | SearchBlox before Version 9.1 is vulnerable to a business logic bypass where the user is able to create multiple super admin users in the system. |
CVE-2019-9938 | 1 Ushareit | 1 Shareit | 2024-11-21 | N/A | The SHAREit application before 4.0.42 for Android allows a remote attacker (on the same network or joining public "open" Wi-Fi hotspots created by the application when file transfer is initiated) to download arbitrary files from the device including contacts, photos, videos, sound clips, etc. The attacker must be authenticated as a "recognized device." |
CVE-2019-9921 | 1 Harmistechnology | 1 Je Messenger | 2024-11-21 | 6.5 Medium | An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. It is possible to read information that should only be accessible by a different user. |
CVE-2019-9756 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a different vulnerability than CVE-2019-9732. |
CVE-2019-9219 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control (issue 2 of 5). |