GHSA-5WXC-3JFW-W94P Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass

An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate...

GHSA-WR8M-5H2P-4432 Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name

An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...

CVE-2025-43790

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate...

CVE-2025-43782

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...

CVE-2025-43790

CVE-2025-43790 is an IDOR vulnerability in Liferay Portal 7.4.0–7.4.3.124 and Liferay DXP 2024.Q2.0–2024.Q2.6, 2024.Q1.1–2024.Q1.12, and 7.4 GA through update 92. The issue allows remote authenticated users to move from one virtual instance to access, create, edit, or relate data/definitions in a...

CVE-2025-43782

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...

Liferay Portal和Liferay DXP 安全漏洞

Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

Liferay Portal和Liferay DXP 安全漏洞

Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

PT-2025-37252

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.0 through 7.4.3.124 Liferay DXP versions 2024.Q1.1 through 2024.Q1.12 Liferay DXP versions 2024.Q2.0 through 2024.Q2.7 Description: An Insecure Direct Object Reference IDOR vulnerability exists in Liferay Portal an...

CVE-2025-7718 Resideo Plugin for Resideo - Real Estate WordPress Theme <= 2.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Privilege Escalation via Account Takeover

The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4. This is due to the plugin not properly validating a user's identity prior to updating their details like email...

CVE-2025-7718 Resideo Plugin for Resideo - Real Estate WordPress Theme <= 2.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Privilege Escalation via Account Takeover

The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4. This is due to the plugin not properly validating a user's identity prior to updating their details like email...

CVE-2025-52389

An Insecure Direct Object Reference IDOR in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request...

Linux Distros Unpatched Vulnerability : CVE-2020-27742

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the...

CVE-2025-52389

An Insecure Direct Object Reference IDOR in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request...

Envasadora H2O Soda Cristal 安全漏洞

Envasadora H2O Soda Cristal is an application from Envasadora H2O, Brazil. A security vulnerability exists in Envasadora H2O Soda Cristal version v40.20.4, which stems from an insecure direct object reference that could lead to the disclosure of sensitive data...

PT-2025-36502

Name of the Vulnerable Software and Affected Versions: Envasadora H2O Eireli - Soda Cristal version 40.20.4 Description: An Insecure Direct Object Reference IDOR exists in Envasadora H2O Eireli - Soda Cristal version 40.20.4. Authenticated attackers can access sensitive data belonging to other...

CUSEC-2020

Based on the provided code and context, here is a summary of the analysis: Classification: This is an Insecure Direct Object Reference IDOR bug. Background: The bug occurs when the application does not verify that the current user is authorized to access a resource with a specific ID. In this cas...

Awesome-Bugbounty-Writeups

This is a curated list of bug bounty writeups, specifically focusing on various types of web application vulnerabilities. The repository is organized by vulnerability type, with sections for Cross-Site Scripting XSS, Cross-Site Request Forgery CSRF, Clickjacking, Local File Inclusion LFI, Subdoma...

CVE-2024-13063

Summary: CVE-2024-13063 affects Akinsoft MyRezzta (web application). An authorization bypass via a user-controlled key enables forceful browsing (IDOR) against the product. The vulnerability’s affected range is stated as MyRezzta versions from s2.02.02 before v2.05.01; upgrading to v2.05.01 or ne...

Linux Distros Unpatched Vulnerability : CVE-2020-27662

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference IDOR vulnerability that allows an attacker to read data from any database table...