4441 matches found

Hacker One
added 2022/08/25 11:35 p.m. · 67 views

Rockstar Games: Modifying Sprunk vs eCola crew data

In this report, the researcher demonstrated an Insecure Direct Object Reference vulnerability that was exploitable in certain Rockstar Official Crews on the Social Club website. Rockstar Official Crews, unlike user-made Crews, use a flat hierarchy where all members are set to the same effective...

3.5 AI score
Exploits 0

NVD
added 2022/08/19 2:15 p.m. · 11 views

CVE-2022-34621

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference IDOR vulnerability which allows attackers to modify user passwords and other attributes via modification of the userid parameter...

6.5 CVSS · 0.00721 EPSS
Exploits 0 · References 5

OSV
added 2022/08/19 2:15 p.m. · 14 views

CVE-2022-34621

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference IDOR vulnerability which allows attackers to modify user passwords and other attributes via modification of the userid parameter...

6.5 CVSS · 9.5 AI score · 0.01066 EPSS
Exploits 0 · References 5

CVE
added 2022/08/19 1:21 p.m. · 61 views

CVE-2022-34621

Mealie 1.0.0beta3 is affected by an Insecure Direct Object Reference (IDOR) vulnerability triggered via modification of the user_id parameter, enabling attackers to modify user passwords and other attributes. The root cause is an IDOR flaw that exposes unauthorized access to user data. Public dis...

6.5 CVSS · 6.5 AI score · 0.01066 EPSS
Exploits 0 · References 5 · Affected Software 1

Positive Technologies
added 2022/08/19 12:0 a.m. · 5 views

PT-2022-22250 · Mealie · Mealie

Name of the Vulnerable Software and Affected Versions: Mealie version 1.0.0beta3 Description: The issue allows attackers to modify user passwords and other attributes via modification of the user id parameter. This is due to an Insecure Direct Object Reference IDOR vulnerability. Recommendations:...

9.8 CVSS · 5.6 AI score · 0.01066 EPSS
Exploits 0 · References 8

Positive Technologies
added 2022/08/09 12:0 a.m. · 2 views

PT-2022-6404 · Adobe · Commerce

Name of the Vulnerable Software and Affected Versions: Adobe Commerce versions 2.4.3-p2 and earlier Adobe Commerce versions 2.3.7-p3 and earlier Adobe Commerce versions 2.4.4 and earlier Description: The issue is related to insufficient input validation, allowing a remote attacker to potentially...

9 CVSS · 8.4 AI score · 0.01091 EPSS
Exploits 0 · References 11

OSV
added 2022/08/05 4:15 p.m. · 2 views

CVE-2022-34769

Michlol - rashim web interface Insecure direct object references IDOR. First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goa...

5.5 CVSS · 5.8 AI score · 0.00319 EPSS
Exploits 0 · References 1

OSV
added 2022/08/05 4:15 p.m. · 2 views

CVE-2022-36284

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin = 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin free should be at least installed to get the extra input field on the user profile page...

6.5 CVSS · 5.8 AI score
Exploits 0 · References 2

NVD
added 2022/08/05 4:15 p.m. · 8 views

CVE-2022-34769

Michlol - rashim web interface Insecure direct object references IDOR. First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goa...

6.3 CVSS · 0.00319 EPSS
Exploits 0 · References 1

UbuntuCve
added 2022/08/05 4:15 p.m. · 30 views

CVE-2022-2499

An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference vulnerability that may be exploited b...

4.3 CVSS · 5.7 AI score · 0.00708 EPSS
Exploits 0 · References 1

Cvelist
added 2022/08/05 3:25 p.m. · 12 views

CVE-2022-34769 Michlol - rashim web interface Insecure direct object references (IDOR)

Michlol - rashim web interface Insecure direct object references IDOR. First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goa...

6.3 CVSS · 6.5 AI score · 0.00319 EPSS
Exploits 0 · References 1

Vulnrichment
added 2022/08/05 3:25 p.m. · 8 views

CVE-2022-34769 Michlol - rashim web interface Insecure direct object references (IDOR)

Michlol - rashim web interface Insecure direct object references IDOR. First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goa...

6.3 CVSS · 6.7 AI score · 0.00319 EPSS
Exploits 0 · References 1

CVE
added 2022/08/05 3:9 p.m. · 115 views

CVE-2022-2499

GitLab EE Jira integration contains an insecure direct object reference vulnerability that may allow an attacker to leak Jira issues. Affected GitLab EE versions: 13.10–15.0.4, 15.1–15.1.3, and 15.2–15.2.0. Root cause is an insecure direct object reference in the Jira integration. Remediation by ...

4.3 CVSS · 4.4 AI score · 0.00708 EPSS
Exploits 0 · References 3 · Affected Software 1

CNNVD
added 2022/08/05 12:0 a.m. · 3 views

WordPress plugin ActiveDEMAND authorization issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. An authorization issue vulnerabilit...

6.5 CVSS · 5.8 AI score · 0.00569 EPSS
Exploits 0 · References 4

CNNVD
added 2022/08/05 12:0 a.m. · 19 views

Michlol Solutions rashim web interface operating system command injection vulnerability

Michlol Solutions rashim web interface is a web interface from Michlol Solutions. An operating system command injection vulnerability exists in the Michlol Solutions rashim web interface prior to version 187.4392, which stems from an insecure direct object reference IDOR in the web interface that...

6.3 CVSS · 5.9 AI score · 0.00319 EPSS
Exploits 0 · References 3

Positive Technologies
added 2022/08/05 12:0 a.m. · 2 views

PT-2022-17035 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab EE versions 13.10 through 15.0.4 GitLab EE versions 15.1 through 15.1.3 GitLab EE versions 15.2 through 15.2.0 Description: An issue has been discovered in GitLab EE's Jira integration, which has an insecure direct object reference...

4.3 CVSS · 4.1 AI score · 0.00708 EPSS
Exploits 0 · References 11

Positive Technologies
added 2022/08/05 12:0 a.m. · 4 views

PT-2022-22319 · Unknown · Michlol - Rashim Web Interface

Name of the Vulnerable Software and Affected Versions: Michlol - rashim web interface affected versions not specified Description: The issue is related to Insecure Direct Object References IDOR in the Michlol - rashim web interface. An attacker needs to login to the system first. After logging in...

6.3 CVSS · 6.8 AI score · 0.00319 EPSS
Exploits 0 · References 4

Tenable Nessus
added 2022/08/04 12:0 a.m. · 43 views

GitLab 13.10 < 15.0.5 / 15.1 < 15.1.4 / 15.2 < 15.2.1 (CVE-2022-2499)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab...

4.3 CVSS · 5.2 AI score · 0.00708 EPSS
Exploits 0 · References 4

ATTACKERKB
added 2022/08/03 2:40 p.m. · 3 views

CVE-2022-34769

Michlol - rashim web interface Insecure direct object references IDOR. First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goa...

6.3 CVSS · 5.9 AI score · 0.00319 EPSS
Exploits 0 · References 3 · Affected Software 1

Rapid7 Blog
added 2022/08/02 3:0 p.m. · 56 views

Primary Arms PII Disclosure via IDOR (FIXED)

Update August 2, 2022: This issue was resolved by Primary Arms the same day Rapid7 published this report, and the IDOR vulnerability appears to be no longer exploitable. The Primary Arms website, a popular e-commerce site dealing in firearms and firearms-related merchandise, suffers from an...

5 CVSS · 5.8 AI score · 0.00829 EPSS
Exploits 1