Lucene search

4442 matches found

Positive Technologies
added 2025/11/05 12:00 a.m.

PT-2025-45383

Name of the Vulnerable Software and Affected Versions: Zitadel versions 4.0.0-rc.1 through 4.6.2. Description: Zitadel is an open source identity management platform susceptible to Insecure Direct Object Reference (IDOR) attacks through its V2Beta API. Authenticated users with specific administrator rol...

CVSS 8.7 | AI score 6.5 | EPSS 0.00247
Exploits 0 | References 11
EUVD
added 2025/11/04 10:25 a.m.

EUVD-2025-37759

An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users' vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors,...

CVSS 8.5 | AI score 6 | EPSS 0.00143
Exploits 0 | References 1
Positive Technologies
added 2025/11/04 12:00 a.m.

PT-2025-44991

Name of the Vulnerable Software and Affected Versions: CFMOTO RIDE (affected versions not specified). Description: An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users' vehicles. Exploiting this...

CVSS 8.5 | AI score 6.2 | EPSS 0.00143
Exploits 0 | References 6
CVE
added 2025/11/03 11:51 a.m.

CVE-2025-0987

CVE-2025-0987 affects CVLand (CVLand 2.1.0 up to 20251103) from CB Project Ltd. Co. A user-controlled key leads to an authorization bypass and parameter injection, per Red Hat, CIRCL, NVD, CVE listings and related sources. The description in connected records confirms the vulnerability stems fro...

CVSS 9.9 | AI score 5.4 | EPSS 0.00251
Exploits 0 | References 2
Veracode
added 2025/10/31 9:29 a.m.

Insecure Direct Object Reference (IDOR)

Liferay Portal, including Liferay DXP, is vulnerable to an Insecure Direct Object Reference (IDOR). The vulnerability is due to the Contacts Center widget directly exposing the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter without proper authorization checks. An attacker can use...

CVSS 6.9 | AI score 7 | EPSS 0.00257
Exploits 0 | References 3 | Affected Software 1
RedhatCVE
added 2025/10/30 12:12 a.m.

CVE-2025-61876

Insecure Direct Object Reference (IDOR) in the /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...

CVSS 5 | AI score 6.5 | EPSS 0.00178
Exploits 0 | References 1
EUVD
added 2025/10/29 9:30 p.m.

EUVD-2025-36721

Insecure Direct Object Reference (IDOR) in the /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...

AI score 6 | EPSS 0.00178
Exploits 0 | References 3
CNNVD
added 2025/10/29 12:00 a.m.

Inforcer Platform security vulnerability

Inforcer Platform is a multi-tenant management platform from the Dutch company Inforcer. A security vulnerability exists in Inforcer Platform version 2.0.153; it stems from an insecure direct object reference in the /tenants/{id} API endpoint and could lead to a low-privileged...

CVSS 5 | AI score 6.4 | EPSS 0.00178
Exploits 0 | References 3
Cvelist
added 2025/10/29 12:00 a.m.

CVE-2025-61876

Insecure Direct Object Reference (IDOR) in the /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...

EPSS 0.00178
Exploits 0 | References 2
Vulnrichment
added 2025/10/29 12:00 a.m.

CVE-2025-61876

Insecure Direct Object Reference (IDOR) in the /tenants/{id} API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...

AI score 6.2 | EPSS 0.00178
Exploits 0 | References 2
CVE
added 2025/10/29 12:00 a.m.

CVE-2025-61876

CVE-2025-61876 is an IDOR flaw in Inforcer Platform 2.0.153 allowing a low-privilege, authenticated user to enumerate and access tenant data from other clients by altering the tenant ID in the /tenants/{id} URL. The Red Hat and NVD records corroborate the issue; the CVSSv3.1 score is 5.0 (Medium)...

CVSS 5 | AI score 6.2 | EPSS 0.00178
Exploits 0 | References 2
Positive Technologies
added 2025/10/29 12:00 a.m.

PT-2025-44345

Name of the Vulnerable Software and Affected Versions: Inforcer Platform version 2.0.153. Description: An Insecure Direct Object Reference (IDOR) exists in the /tenants/{id} API endpoint. An authenticated user with low privileges can access tenant information belonging to other clients by modifying the...

CVSS 5 | AI score 6.3 | EPSS 0.00178
Exploits 0 | References 5
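The Inforcer entries above all describe the same mechanism: the handler behind /tenants/{id} authenticates the caller but never checks that the caller belongs to the tenant named in the URL, so a low-privilege user can walk the ID space. The same flat-object pattern is behind the Zitadel, GN4 and Educare ERP entries on this page. The block below is an added example, not Inforcer's code or any vendor's: it models such a handler in memory, shows the hardened form (authorization of the subject/object pair on every request, with 404 for both unknown and forbidden IDs so the status code is not an enumeration oracle), and runs a pentest-style probe that requests every candidate ID from every session and reports the leaks. The tenant records, the two users, and all function names are assumptions made for illustration.

```python
# Added example, not Inforcer's code: an in-memory model of a /tenants/{id}
# handler with the IDOR described in CVE-2025-61876, its hardened form, and a
# probe that detects the flaw. Tenant records, users and function names are
# assumptions made for illustration.
from dataclasses import dataclass

# Constructed sample data: two unrelated clients of the platform.
TENANTS = {
    101: {"name": "acme-corp", "billing_contact": "cfo@acme.example"},
    102: {"name": "globex", "billing_contact": "finance@globex.example"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session state; tenant_ids comes from the user record,
    never from anything the client sends."""
    user: str
    tenant_ids: frozenset
    authenticated: bool = True


def get_tenant_vulnerable(session, tenant_id):
    """Vulnerable handler: authentication is checked, authorization is not.
    Any logged-in user can walk tenant_id = 100, 101, 102 ... and read every
    client's record. Returns (http_status, body)."""
    if not session.authenticated:
        return 401, None
    tenant = TENANTS.get(tenant_id)
    if tenant is None:
        return 404, None
    return 200, tenant


def get_tenant_fixed(session, tenant_id):
    """Hardened handler: authorize the (subject, object) pair on every request.
    Forbidden and non-existent IDs both yield 404 so the status code does not
    become an enumeration oracle for valid tenant IDs."""
    if not session.authenticated:
        return 401, None
    if tenant_id not in session.tenant_ids:
        return 404, None
    tenant = TENANTS.get(tenant_id)
    if tenant is None:
        return 404, None
    return 200, tenant


def probe_idor(handler, sessions, candidate_ids):
    """Pentest-style check: every session requests every candidate ID; any 200
    for an ID the session is not a member of is a leak. Returns a sorted list
    of (user, tenant_id) pairs; an empty list means no IDOR was observed."""
    leaks = []
    for session in sessions:
        for tenant_id in candidate_ids:
            status, _ = handler(session, tenant_id)
            if status == 200 and tenant_id not in session.tenant_ids:
                leaks.append((session.user, tenant_id))
    return sorted(leaks)


# Two low-privilege users belonging to different clients (constructed).
ALICE = Session(user="alice@acme.example", tenant_ids=frozenset({101}))
BOB = Session(user="bob@globex.example", tenant_ids=frozenset({102}))

if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable leaks:", probe_idor(get_tenant_vulnerable, [ALICE, BOB], ids))
    print("fixed leaks:     ", probe_idor(get_tenant_fixed, [ALICE, BOB], ids))
```

Against a live target the probe is the same loop with two real low-privilege sessions and an HTTP client in place of the handler; the signal to look for is a 200 with a different body for an ID the session should not see, and the fix is always server-side, keyed on session state rather than on anything in the request.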
Hacker One
added 2025/10/27 5:29 p.m.

Revive Adserver: IDOR Vulnerability in Banner Deletion

Summary: I found an IDOR vulnerability in Revive Adserver's banner deletion endpoint that lets any Manager delete banners belonging to other Managers. The code validates access to the parent campaign but doesn't check if the user owns the specific banner being deleted. This means Manager A can...

CVSS 7.1 | AI score 7.3 | EPSS 0.00275
Exploits 1
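The report above describes a nested-resource variant of IDOR: the parent (campaign) is authorized, but the child (banner) is deleted by its own ID without confirming that it belongs to that parent, so a caller pairs a campaign they own with someone else's banner ID. The block below is an added example, not Revive Adserver's code: it models the vulnerable delete handler and the corrected one, which resolves the banner first and authorizes against the campaign the banner really belongs to. The campaign and banner tables, the two Manager accounts, and the function names are assumptions made for illustration.

```python
# Added example, not Revive Adserver's code: the parent-checked, child-unchecked
# deletion pattern from the report above, modelled with in-memory tables. The
# campaign/banner data, the two Manager accounts and the function names are
# assumptions made for illustration.

# Constructed sample data: each Manager owns one campaign with one banner.
CAMPAIGNS = {1: {"owner": "manager_a"}, 2: {"owner": "manager_b"}}
BANNERS = {10: {"campaign_id": 1}, 20: {"campaign_id": 2}}


def fresh_banners():
    """Copy of the banner table so each scenario starts from the same state."""
    return {bid: dict(row) for bid, row in BANNERS.items()}


def delete_banner_vulnerable(user, campaign_id, banner_id, banners):
    """Checks that the caller owns campaign_id, then deletes banner_id without
    verifying that the banner belongs to that campaign. Manager A can supply
    their own campaign_id together with Manager B's banner_id."""
    campaign = CAMPAIGNS.get(campaign_id)
    if campaign is None or campaign["owner"] != user:
        return 403
    if banner_id not in banners:
        return 404
    del banners[banner_id]
    return 204


def delete_banner_fixed(user, campaign_id, banner_id, banners):
    """Resolves the banner first and authorizes against the campaign it really
    belongs to, so the client-supplied campaign_id cannot stand in for the
    banner's own parent. Mismatch and missing ownership both return 404."""
    banner = banners.get(banner_id)
    if banner is None or banner["campaign_id"] != campaign_id:
        return 404
    campaign = CAMPAIGNS.get(campaign_id)
    if campaign is None or campaign["owner"] != user:
        return 404
    del banners[banner_id]
    return 204


def cross_manager_delete(handler):
    """manager_a tries to delete manager_b's banner 20 through manager_a's own
    campaign 1. Returns (status, banner_20_survived)."""
    banners = fresh_banners()
    status = handler("manager_a", 1, 20, banners)
    return status, 20 in banners


if __name__ == "__main__":
    print("vulnerable:", cross_manager_delete(delete_banner_vulnerable))  # (204, False)
    print("fixed:     ", cross_manager_delete(delete_banner_fixed))       # (404, True)
```

The general rule the fixed handler follows: when a request names more than one object, load the most specific one first and derive its ancestors from the database, then authorize on those, never on the IDs the client supplied for the ancestors.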
RedhatCVE
added 2025/10/27 1:33 p.m.

CVE-2025-34293

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference (IDOR) vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the...

CVSS 8.6 | AI score 6.8 | EPSS 0.0038
Exploits 0 | References 1
Vulnrichment
added 2025/10/27 1:33 a.m.

CVE-2025-62893

...

AI score 6.5 | EPSS 0.00036
Exploits 0
Cvelist
added 2025/10/27 12:00 a.m.

CVE-2025-60982

IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object...

EPSS 0.00152
Exploits 0 | References 2
Positive Technologies
added 2025/10/27 12:00 a.m.

PT-2025-43998

Name of the Vulnerable Software and Affected Versions: Educare ERP version 1.0. Description: An Insecure Direct Object Reference (IDOR) vulnerability exists that allows unauthorized access to sensitive data through manipulated object references. Affected API endpoints do not enforce proper authorizati...

CVSS 5.4 | AI score 6.1 | EPSS 0.00152
Exploits 0 | References 4
Vulnrichment
added 2025/10/27 12:00 a.m.

CVE-2025-60982

IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object...

AI score 6.2 | EPSS 0.00152
Exploits 0 | References 2
CVE
added 2025/10/27 12:00 a.m.

CVE-2025-60982

CVE-2025-60982 is an IDOR vulnerability in Educare ERP 1.0. Affected API endpoints fail to enforce authorization, allowing authenticated users to access or modify data belonging to other users by altering object identifiers. The issue is described consistently across multiple feeds (Red Hat, ENIS...

CVSS 5.4 | AI score 6.2 | EPSS 0.00152
Exploits 0 | References 2
RedhatCVE
added 2025/10/26 6:36 a.m.

CVE-2025-6639

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user-controlled key when viewing and editing assignments through the tutorassignmentsubmit...

CVSS 5.4 | AI score 5.6 | EPSS 0.00148
Exploits 0 | References 1