2754 matches found
EUVD-2025-36721
Insecure Direct Object Reference IDOR in /tenants/id API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...
CVE-2025-61876
Insecure Direct Object Reference IDOR in /tenants/id API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...
CVE-2025-61876
Insecure Direct Object Reference IDOR in /tenants/id API endpoint in Inforcer Platform version 2.0.153 allows an authenticated user with low privileges to enumerate and access tenant information belonging to other clients via modification of the tenant ID in the request URL...
PT-2025-44345
Name of the Vulnerable Software and Affected Versions Inforcer Platform version 2.0.153 Description An Insecure Direct Object Reference IDOR exists in the /tenants/id API endpoint. An authenticated user with low privileges can access tenant information belonging to other clients by modifying the...
Revive Adserver: IDOR Vulnerability in Banner Deletion
Summary I found an IDOR vulnerability in Revive Adserver's banner deletion endpoint that lets any Manager delete banners belonging to other Managers. The code validates access to the parent campaign but doesn't check if the user owns the specific banner being deleted. This means Manager A can...
CVE-2025-60982
IDOR vulnerability in Educare ERP 1.0 2025-04-22 allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object...
CVE-2025-6639
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutorassignmentsubmit...
EUVD-2025-35899
GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference IDOR vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the...
PT-2025-43711
Name of the Vulnerable Software and Affected Versions Tutor LMS Pro versions prior to 3.8.4 Description The Tutor LMS Pro plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of proper validation on a user-controlled key when handling assignment...
CVE-2025-34293
GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference IDOR vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the...
CVE-2025-34293
GN4 Publishing System before 2.6 is affected by an insecure direct object reference (IDOR) via the API. Authenticated requests to object endpoints allow an authenticated user to query arbitrary user IDs and retrieve sensitive data, including stored passwords and the account’s security question/an...
Insecure Direct Object Reference (IDOR)
com.liferay, com.liferay.object.service is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to insufficient access control between virtual instances, which allows an attacker to access, create, edit, or relate data and object entries/definitions across different virtu...
CVE-2025-49952 WordPress Houzez theme <= 4.2.5 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through = 4.2.5...
CVE-2025-60511
The CVE-2025-60511 instance affects Moodle OpenAI Chat Block plugin 3.0.1, with an Insecure Direct Object Reference (IDOR) due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user’s block (e.g., admini...
CVE-2025-11519
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...
CVE-2025-11519
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...
CVE-2025-11741 WPC Smart Quick View for WooCommerce <= 4.2.5 - Insecure Direct Object Reference to Unauthenticated Private Product Exposure
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosqquickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated...
CVE-2025-11741 WPC Smart Quick View for WooCommerce <= 4.2.5 - Insecure Direct Object Reference to Unauthenticated Private Product Exposure
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosqquickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated...
WordPress WPC Smart Quick View for WooCommerce plugin <= 4.2.5 - Insecure Direct Object Reference to Unauthenticated Private Product Exposure vulnerability
Insecure Direct Object Reference to Unauthenticated Private Product Exposure vulnerability discovered by Lucas Montes Nirox in WordPress Plugin WPC Smart Quick View for WooCommerce versions = 4.2.5...
CVE-2025-9559
Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data...