CVE-2024-13692

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user...

CVE-2024-13692 Return Refund and Exchange For WooCommerce <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user...

CVE-2024-13692

The CVE-2024-13692 entry for Return Refund and Exchange For WooCommerce (woo-refund-and-exchange-lite) is confirmed as a real vulnerability. It is an Insecure Direct Object Reference (IDOR) in all versions up to 4.4.5 caused by missing validation on a user-controlled key. This flaw allows unauthe...

CVE-2024-13692 Return Refund and Exchange For WooCommerce <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user...

CVE-2024-33818

Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference IDOR via the userID parameter...

ManageEngine Endpoint Central 11.3.2428.x <= 11.3.2428.01, 11.3.2440.x <= 11.3.2440.0 Insecure Direct Object References

The version of ManageEngine Endpoint Central installed on the remote Windows host is either prior to 11.3.2428.26 or prior to 11.3.2440.09. It is,therefore, affected by an insecure direct object references vulnerability. For more information, consult the vendor advisory. Note that Nessus has not...

WordPress Return Refund and Exchange For WooCommerce plugin <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference vulnerability discovered by Tim Coen in WordPress Plugin Return Refund and Exchange For WooCommerce versions = 4.4.5...

CVE-2025-1270

CVE-2025-1270 describes an IDOR vulnerability in Anapi Group’s h6web. An authenticated attacker can access other users’ information by sending a POST to /h6web/ha_datos_hermano.php and altering the pkrelated parameter to reference a different user, with the first request potentially enabling impe...

Vulnerabilities fixed in GitLab CE/EE

GitLab has fixed vulnerabilities in GitLab CE/EE Specifically for versions 14.1 to 17.8.2. The vulnerabilities include a denial-of-service vulnerability, an external service interaction vulnerability, a critical XSS vulnerability, improper authorization vulnerabilities, an insecure direct object...

PT-2025-6871

Name of the Vulnerable Software and Affected Versions: h6web affected versions not specified Description: The issue is related to an insecure direct object reference IDOR vulnerability. It allows an authenticated attacker to access other users' information by making a POST request and modifying t...

UBUNTU-CVE-2025-1042

An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way...

CVE-2025-1042

CVE-2025-1042 is an insecure direct object reference in GitLab EE that allowed viewing repositories without authorization in affected releases: 15.7 up to 17.6.5, 17.7 up to 17.7.4, and 17.8 up to 17.8.2. The vulnerability’s root cause is improper access control on repository data, with no exploi...

CVE-2025-1042 Files or Directories Accessible to External Parties in GitLab

An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way...

CVE-2024-13601

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.5 via the 'exportusereraserequest' function due to missing validation on a user controlled key. This makes i...

CVE-2024-13601

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.5 via the 'exportusereraserequest' function due to missing validation on a user controlled key. This makes i...

CVE-2024-13601 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin <= 1.0.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.5 via the 'exportusereraserequest' function due to missing validation on a user controlled key. This makes i...

CVE-2024-13601

CVE-2024-13601 affects Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin for WordPress. Description: Insecure Direct Object Reference via exportusereraserequest in all versions up to 1.0.5, enabling authenticated users with Subscriber+ access to export ticket data for any us...

CVE-2024-13601 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin <= 1.0.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.5 via the 'exportusereraserequest' function due to missing validation on a user controlled key. This makes i...

GitLab Enterprise Edition 安全漏洞

GitLab Enterprise Edition EE is a content management system from GitLab, Inc. in the United States. A security vulnerability exists in GitLab Enterprise Edition that stems from an insecure direct object reference that results in unauthorized repository access...

CVE-2024-12046

The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedicalelementortemplate' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers,...