Lucene search: 4441 matches found
Huntr, added 2022/07/21 4:20 p.m., 19 views

Non-privileged user can view Patient's Amendments

Description: We would like to report the vulnerability we found during software testing. The OpenEMR 7.0.0 latest version Open-Source electronic health records and medical practice management application has an Insecure Direct Object Reference (IDOR) in the function “Patient’s Amendments”, and it never bee...

CVSS 4 | AI score 0.2 | EPSS 0.00641
Exploits 1
NVD, added 2022/07/20 4:15 p.m., 24 views

CVE-2022-34150

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification...

CVSS 7.1 | EPSS 0.00587
Exploits 0 | References 1
NVD, added 2022/07/20 4:15 p.m., 32 views

CVE-2022-33944

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs...

CVSS 6.5 | EPSS 0.00815
Exploits 0 | References 1
Prion, added 2022/07/20 4:15 p.m., 33 views

Design/Logic Flaw

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs...

CVSS 4 | AI score 7.2 | EPSS 0.00815
Exploits 0 | References 1
Prion, added 2022/07/20 4:15 p.m., 25 views

Design/Logic Flaw

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification...

CVSS 5.5 | AI score 6.6 | EPSS 0.00587
Exploits 0 | References 1
Vulnrichment, added 2022/07/20 3:24 p.m., 6 views

CVE-2022-33944 ICSA-22-200-01 MiCODUS MV720 GPS tracker Authorization Bypass Through User-Controlled Key

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs...

CVSS 6.5 | AI score 7 | EPSS 0.00815
Exploits 0 | References 1
CVE, added 2022/07/20 3:24 p.m., 61 views

CVE-2022-33944

The CVE-2022-33944 case concerns MiCODUS MV720 GPS tracker’s web server, which is vulnerable to an authenticated insecure direct object reference (IDOR) on the endpoint and the POST parameter “Device ID,” allowing arbitrary device IDs to be supplied. This vulnerability is highlighted in the ICS a...

CVSS 6.5 | AI score 6.8 | EPSS 0.00815
Exploits 0 | References 1 | Affected Software 1
Vulnrichment, added 2022/07/20 3:24 p.m., 6 views

CVE-2022-34150 ICSA-22-200-01 MiCODUS MV720 GPS tracker Authorization Bypass Through User-Controlled Key

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification...

CVSS 7.1 | AI score 7 | EPSS 0.00587
Exploits 0 | References 1
CVE, added 2022/07/20 3:24 p.m., 77 views

CVE-2022-34150

CVE-2022-34150 affects the MiCODUS MV720 GPS tracker Web server and is an authenticated insecure direct object reference vulnerability on endpoints/parameters for device IDs, enabling an attacker with basic access to manipulate device IDs without further verification (authorization bypass). Publi...

CVSS 7.1 | AI score 6.4 | EPSS 0.00587
Exploits 0 | References 1 | Affected Software 1
Prion, added 2022/07/19 3:15 p.m., 18 views

Code injection

Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1...

CVSS 6.5 | AI score 8.2 | EPSS 0.00668
Exploits 0 | References 1 | Affected Software 1
CVE, added 2022/07/19 2:07 p.m., 61 views

CVE-2022-2193

HYPR Server contains an Insecure Direct Object Reference (IDOR) in the Device Manager page. Remote authenticated attackers can tamper parameters to add a FIDO2 authenticator to arbitrary accounts. Affected: HYPR Server versions prior to 6.14.1. Remediation: upgrade to 6.14.1 or later.

CVSS 8.8 | AI score 8.2 | EPSS 0.00668
Exploits 0 | References 1 | Affected Software 1
Cvelist, added 2022/07/19 2:07 p.m., 34 views

CVE-2022-2193

Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1...

CVSS 7.5 | AI score 8.5 | EPSS 0.00668
Exploits 0 | References 1
CNNVD, added 2022/07/19 12:00 a.m., 3 views

MiCODUS MV720 GPS security vulnerability

The MiCODUS MV720 GPS is a GPS tracker from MiCODUS USA. A security vulnerability exists in the MiCODUS MV720 GPS that originates from an authenticated and insecure direct object reference vulnerability in the main web server on the endpoint and parameterized device IDs, which accepts arbitrary...

CVSS 7.1 | AI score 7.3 | EPSS 0.00587
Exploits 0 | References 4
Huntr, added 2022/07/15 4:05 p.m., 10 views

Insecure direct object references in "review" function

Description: An insecure direct object reference in the review-a-book function allows one user to create a comment on behalf of another. Proof of Concept: POST /post/review HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=bYsdqkQkkbYXZYRVd8AynhYxG1rBb2AoOfAO76XCYmgzXK3A266EpZamGcKL0pN5;...

AI score 0.4
Exploits 0 | References 1
OSV, added 2022/07/15 8:15 a.m., 2 views

CVE-2022-1881

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space...

CVSS 5.3 | AI score 5.8 | EPSS 0.00455
Exploits 0 | References 1
NVD, added 2022/07/15 8:15 a.m., 14 views

CVE-2022-1881

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space...

CVSS 5.3 | EPSS 0.00455
Exploits 0 | References 1
Prion, added 2022/07/15 8:15 a.m., 15 views

Design/Logic Flaw

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space...

CVSS 5 | AI score 5.2 | EPSS 0.00455
Exploits 0 | References 1 | Affected Software 1
CVE, added 2022/07/15 7:40 a.m., 58 views

CVE-2022-1881

CVE-2022-1881 affects Octopus Server, with an Insecure Direct Object Reference vulnerability that lets a user download Project Exports from a project they don’t have permission to access, limited to projects in the same Space. Practical impact is potential exposure of export data. Remediation gui...

CVSS 5.3 | AI score 5.2 | EPSS 0.00455
Exploits 0 | References 1 | Affected Software 1
Huntr, added 2022/07/14 6:32 a.m., 10 views

Insecure direct object references in `create-shelf` function

Description: An insecure direct object reference in the create-shelf function allows one user to create a shelf on behalf of another. Proof of Concept: POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa;...

AI score 0.4
Exploits 0 | References 1
Veracode, added 2022/07/11 9:57 a.m., 25 views

Insecure Direct Object Reference

idno/known is vulnerable to Insecure Direct Object Reference. The vulnerable getContent and postContent functions in Homepage class in Homepage.php file allow remote authenticated attackers to gain access to certain settings of the admin panel due to the use of createGatekeeper inner function...

CVSS 4.3 | AI score 5.2 | EPSS 0.00736
Exploits 1 | References 6 | Affected Software 1