PT-2025-51921

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.5.3 Description ChurchCRM is an open-source church management system. A flaw exists where an authenticated user with specific permissions "Edit Records" and "Manage Properties and Classifications" can inject a...

PT-2025-51888

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 20.1 AVideo versions prior to 20.0 Description AVideo versions prior to 20.1 have a flaw where authenticated users can upload files into directories owned by other users. This is due to an insecure direct object...

CVE-2025-67985

CVE-2025-67985 affects Document Library Lite (WordPress plugin) with an Unauthenticated Insecure Direct Object Reference due to insecure access controls. Impact recorded as medium (CVSS ~5.3) in the source; affected versions are Document Library Lite

CVE-2025-67985 WordPress Document Library Lite plugin <= 1.1.7 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Document Library Lite: from n/a through = 1.1.7...

CVE-2025-66132

CVE-2025-66132 affects FAPI Member (WordPress plugin) according to Wordfence vulnerability details. The issue is described as an Unauthenticated Insecure Direct Object Reference (IDOR) affecting FAPI Member, with affected software listed as FAPI Member and versions up to at least 2.2.29. The entr...

WordPress Essential Real Estate plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions = 5.2.6...

Insecure Direct Object Reference (IDOR)

getgrav/grav is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper access control in the Admin Panel, which allows a low-privilege attacker to access sensitive information of other users by manipulating direct object references...

📄 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference

EduplusCampus Student Portal version 3.0.1 suffers from an insecure direct object reference vulnerability. ============================================================================================================================================= | Title : EduplusCampus student portal v 3.0.1...

PT-2025-50959

Name of the Vulnerable Software and Affected Versions Nextcloud Server version 30.0.0 Description Nextcloud Server 30.0.0 contains an Insecure Direct Object Reference IDOR issue in the /core/preview endpoint. An authenticated user can access previews of arbitrary files belonging to other users by...

Nextcloud Server 安全漏洞

Nextcloud Server is a Nextcloud server program from Nextcloud Open Source. A security vulnerability exists in Nextcloud Server version 30.0.0, which stems from the presence of an insecure direct object reference in the /core/preview endpoint that could lead to unauthorized access to sensitive dat...

CVE-2025-13124 IDOR in Netiket''s ApplyLogic

Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025...

CVE-2025-13003

CVE-2025-13003 describes an Authorization Bypass Through User-Controlled Key in AxOnboard (Aksis Computer Services and Consulting Inc.), affecting version 3.2.0 up to 3.3.0. The root cause is not detailed beyond the user-controlled key enabling exploitation of trusted identifiers. Documented impa...

CVE-2025-41358

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

CVE-2023-53770

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to...

CVE-2020-36895

EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposi...

CVE-2025-41358

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

EUVD-2025-202413

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

CVE-2025-41358

CVE-2025-41358 describes a Direct Object Reference (IDOR) in i2A’s CronosWeb. Affected: CronosWeb versions before and including 25.00.00.12. Root cause: manipulation of the request parameter “documentCode” in /CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas allows an au...

PT-2025-50516

EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposi...

CVE-2023-53770

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to...