CVE-2025-43803

Insecure direct object reference IDOR vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows...

CVE-2025-10719 WisdomGarden｜Tronclass - Insecure Direct Object Reference

Tronclass developed by WisdomGarden has an Insecure Direct object Reference vulnerability, allowing remote attackers with regular privilege to modify a specific parameter to access other users' files...

WisdomGarden Tronclass 安全漏洞

WisdomGarden Tronclass is an interactive instructional management platform from China WisdomGarden, Inc. A security vulnerability exists in WisdomGarden Tronclass that stems from an insecure direct object reference, which could lead to a remote attacker accessing other user files by modifying...

CVE-2025-10493 Chained Quiz <= 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie

The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other...

CVE-2025-8463 IDOR in SecHard Information Technologies' SecHard

Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing. This issue affects SecHard: before 3.6.2-20250805...

CVE-2025-7355 IDOR in Beefull Energy Technologies' Beefull App

Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers. This issue affects Beefull App: before 24.07.2025...

CVE-2025-43790

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate...

GHSA-WR8M-5H2P-4432 Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name

An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...

Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass

An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate...

CVE-2025-43782

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...

CVE-2025-43790

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate...

CVE-2025-43782

Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...

Liferay Portal和Liferay DXP 安全漏洞

Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

CVE-2025-7718 Resideo Plugin for Resideo - Real Estate WordPress Theme <= 2.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Privilege Escalation via Account Takeover

The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4. This is due to the plugin not properly validating a user's identity prior to updating their details like email...

Linux Distros Unpatched Vulnerability : CVE-2020-27742

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the...

CVE-2025-52389

An Insecure Direct Object Reference IDOR in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request...

CVE-2025-52389

An Insecure Direct Object Reference IDOR in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request...

PT-2025-36502

Name of the Vulnerable Software and Affected Versions: Envasadora H2O Eireli - Soda Cristal version 40.20.4 Description: An Insecure Direct Object Reference IDOR exists in Envasadora H2O Eireli - Soda Cristal version 40.20.4. Authenticated attackers can access sensitive data belonging to other...

Awesome-Bugbounty-Writeups

This is a curated list of bug bounty writeups, specifically focusing on various types of web application vulnerabilities. The repository is organized by vulnerability type, with sections for Cross-Site Scripting XSS, Cross-Site Request Forgery CSRF, Clickjacking, Local File Inclusion LFI, Subdoma...

CVE-2024-13063 IDOR in Akinsoft's MyRezzta

Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft MyRezzta allows Forceful Browsing. This issue affects MyRezzta: from s2.02.02 before v2.05.01...