CVE-2022-29627

An insecure direct object reference IDOR in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers...

Moodle Insecure direct object reference (IDOR) in a calendar web service

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events...

GHSA-G39C-MCCF-RXJV Moodle Insecure direct object reference (IDOR) in a calendar web service

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events...

Magento is affected by an improper input validation vulnerability

Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the V1/customers/me endpoint to achieve information exposure and privile...

GHSA-R345-X8HR-2R9P acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and pass...

acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and pass...

GHSA-PFXV-66R9-4GQW Magento Insufficient authorization check when adding users to company accounts

An insecure direct object reference IDOR vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorizations checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing us...

WordPress Spiffy Calendar plugin insecure direct object reference vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress Spiffy Calendar plugin 4.9.0 and earlier versions are vulnerable to an insecure direct object...

CVE-2022-29434

Insecure Direct Object References IDOR vulnerability in Spiffy Plugins Spiffy Calendar = 4.9.0 at WordPress allows an attacker to edit or delete events...

CVE-2022-29434

Insecure Direct Object References IDOR vulnerability in Spiffy Plugins Spiffy Calendar = 4.9.0 at WordPress allows an attacker to edit or delete events...

Spoofing

Insecure Direct Object References IDOR vulnerability in Spiffy Plugins Spiffy Calendar = 4.9.0 at WordPress allows an attacker to edit or delete events...

CVE-2022-29434

The CVE-2022-29434 entry concerns the WordPress Spiffy Calendar plugin (versions

GitLab 11.0 < 14.8.6 / 14.9 < 14.9.4 / 14.10 < 14.10.1 (CVE-2022-1352)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the...

CVE-2022-1425

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the messageid of the wpqamessageview ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Dire...

Design/Logic Flaw

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the messageid of the wpqamessageview ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Dire...

CVE-2022-1425

The CVE concerns the WPQA Builder Plugin for WordPress (pre-5.2), used with the Discy and Himer plugins. The vulnerability arises because the wpqa_message_view AJAX action does not validate that the message_id belongs to the requesting user, enabling an IDOR disclosure where any authenticated use...

CVE-2022-27247

onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer e.g., data of birth, full address, mail information, and phone number via GastKont Insecure Direct Object Reference...

CVE-2022-27247

onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer e.g., data of birth, full address, mail information, and phone number via GastKont Insecure Direct Object Reference...

Design/Logic Flaw

onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer e.g., data of birth, full address, mail information, and phone number via GastKont Insecure Direct Object Reference...

CVE-2022-27247

onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer e.g., data of birth, full address, mail information, and phone number via GastKont Insecure Direct Object Reference...