
3429 matches found

Packet Storm
added 2015/12/07 12:00 a.m., 40 views

sysPass 1.0.9 Insecure Direct Object Reference

Advisory ID: SYSS-2015-046; Product: sysPass; Manufacturer: http://cygnux.org/; Affected Versions: 1.0.9 and below; Tested Versions: 1.0.9; Vulnerability Type: Insecure Direct Object References CWE-932 Exposure of Backup File to an Unauthorized Control...

7.4 AI score
Exploits: 0
Atlassian
added 2015/10/27 7:37 p.m., 81 views

Insecure Direct Object Reference

The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. http:///spaces/viewdefaultdecorator.action?decoratorName=...

4.3 CVSS, 0.5 AI score, 0.61114 EPSS
Exploits: 5, Affected Software: 1
Atlassian
added 2015/10/27 7:37 p.m., 174 views

Insecure Direct Object Reference

The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. http:///spaces/viewdefaultdecorator.action?decoratorName=...

4.3 CVSS, 0.5 AI score, 0.61114 EPSS
Exploits: 5, Affected Software: 1
Packet Storm
added 2015/08/25 12:00 a.m., 27 views

Page2Flip 2.5 Insecure Direct Object Reference

Advisory ID: SYSS-2015-029; Product: Page2Flip; Vendor: w!ssenswerft GmbH; Affected Versions: Premium App 2.5, probably also in Business App and Basic App, and in lower versions; Tested Versions: Premium App 2.5; Vulnerability Type: Insecure Direct Objec...

7.4 AI score
Exploits: 0
securityvulns
added 2015/08/24 12:00 a.m., 53 views

[SYSS-2015-029] Insecure Direct Object Reference (CWE-932) in Page2Flip Premium App 2.5

Advisory ID: SYSS-2015-029; Product: Page2Flip; Vendor: w!ssenswerft GmbH; Affected Versions: Premium App 2.5, probably also in Business App and Basic App, and in lower versions; Tested Versions: Premium App 2.5; Vulnerability Type: Insecure Direct Objec...

7 AI score
Exploits: 0
Packet Storm
added 2015/04/14 12:00 a.m., 40 views

Weebly.com Insecure Direct Object Reference

Title: Hijack any website from weebly.com by just adding an administrator to their website. Insecure Direct Object Reference Vulnerability ===== Weebly is a web-hosting service that allows the user to “drag-and-drop” while using their website builder. As of August 2012, Weebly hosts over 20 milli...

7.4 AI score
Exploits: 0
Hacker One
added 2015/03/29 5:15 p.m., 21 views

X (Formerly Twitter): Insecure Direct Object Reference - access to other user/group DM's

Hello, I found a way to access group DM's which I don't have access to. Conditions to be met: - Should have been in that DM group at least once. Exploitation ways: =============== - Let's say there are three Twitter profiles, Naruto, Goku and Eren. - Naruto creates a DM group in between himself ,...

6.8 AI score
Exploits: 0
Hacker One
added 2015/03/19 7:01 p.m., 19 views

X (Formerly Twitter): Insecure direct object reference - have access to deleted DM's

Hello, The bug is straight and simple, I have access to deleted DM's. Once a DM is deleted a user/app will still be able to access the DM's using show DM endpoint. Attack Scenario ==================== There are two accounts, Sam and Molly. Sam DMs Molly something important and both quickly delete...

6.8 AI score
Exploits: 0
Hacker One
added 2015/03/16 11:56 a.m., 41 views

Vimeo: Insecure Direct Object References that allows to read any comment (even if it should be private)

Dear Vimeo Team, in combination with my previous bug I discovered that it was possible to read any comment on any video even if the video is private: I did a short POC on the Insecure Direct Object Reference. If an attacker wants to exploit this issue he has to know the ID of the comment, which...

7.1 AI score
Exploits: 0
Hacker One
added 2015/01/31 5:31 p.m., 121 views

Vimeo: CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.

Hello, This time I found an IDOR (Insecure Direct Object Reference) vulnerability. It allows an attacker to get unauthorized access to Videos of Channel whose privacy is set to Only moderators and people I choose without being a member. In simple words, we can access videos of private channel without...

6.9 AI score
Exploits: 0
NVD
added 2014/12/11 3:59 p.m., 19 views

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

4 CVSS, 6 AI score, 0.00937 EPSS
Exploits: 0, References: 2
ATTACKERKB
added 2014/12/11 3:59 p.m., 2 views

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

4 CVSS, 5.7 AI score, 0.00937 EPSS
Exploits: 0, References: 3
Prion
added 2014/12/11 3:59 p.m., 18 views

Design/Logic Flaw

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

4 CVSS, 6.5 AI score, 0.00937 EPSS
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2014/12/11 3:00 p.m., 23 views

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

6 AI score, 0.00937 EPSS
Exploits: 0, References: 2
CVE
added 2014/12/11 3:00 p.m., 55 views

CVE-2014-8372

Affected product: AirWatch by VMware On-Premise 7.3.x (prior to 7.3.3.0 FP3). Issue: Direct object reference enables remote authenticated users to view organizational information and statistics of other tenants. This is an information disclosure vulnerability in multi-tenant deployments. Root cau...

4 CVSS, 6.2 AI score, 0.00937 EPSS
Exploits: 0, References: 2, Affected Software: 1
securityvulns
added 2014/12/08 12:00 a.m., 37 views

ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability

ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability; EMC Identifier: ESA-2014-156; CVE Identifier: CVE-2014-4629; Severity Rating: CVSS v2 Base Score: 8.2 AV:N/AC:M/Au:S/C:C/I:P/A:C; Affected products: • All EMC...

9 CVSS, 0.7 AI score, 0.03271 EPSS
Exploits: 0
NVD
added 2014/12/06 3:59 p.m., 18 views

CVE-2014-4629

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference...

9 CVSS, 6.2 AI score, 0.03271 EPSS
Exploits: 0, References: 5
Prion
added 2014/12/06 3:59 p.m., 15 views

Design/Logic Flaw

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference...

9 CVSS, 6.8 AI score, 0.03271 EPSS
Exploits: 0, References: 5, Affected Software: 1
Cvelist
added 2014/12/06 3:00 p.m., 24 views

CVE-2014-4629

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference...

6.2 AI score, 0.03271 EPSS
Exploits: 0, References: 5
CVE
added 2014/12/06 3:00 p.m., 42 views

CVE-2014-4629

EMC Documentum Content Server is affected by an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2014-4629) in versions 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19. The issue allows remote authenticated attackers to read or delete arbitrary files via unspecified vectors. Remediation...

9 CVSS, 6.3 AI score, 0.03271 EPSS
Exploits: 0, References: 5, Affected Software: 1