704 matches found
CVE-2025-66132 WordPress FAPI Member plugin <= 2.2.30 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAPI Member: from n/a through = 2.2.30...
CVE-2025-64011
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference IDOR in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...
CVE-2025-64011
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference IDOR in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...
WordPress WP Recipe Maker plugin <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure vulnerability
Insecure Direct Object Reference to Sensitive Information Exposure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WP Recipe Maker versions = 10.2.2...
CVE-2025-64011
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference IDOR in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...
CVE-2025-61148
An Insecure Direct Object Reference IDOR vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'recno' parameter in the /student/get-receipt endpoint...
CVE-2025-41358 Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A
Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...
CVE-2025-41358 Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A
Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...
CVE-2025-13932
CVE-2025-13932 concerns the SolisCloud API, where an Insecure Direct Object Reference (IDOR) allows any authenticated user to view detailed data of any plant by changing the plant_id in the request. The issue is described consistently across Red Hat, NVD, CVE lists, EUVD, and related advisories, ...
CVE-2025-12997
Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: befo...
CVE-2025-61148
An Insecure Direct Object Reference IDOR vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'recno' parameter in the /student/get-receipt endpoint...
Medtronic CareLink Network 安全漏洞
Medtronic CareLink Network is an open source platform for remote monitoring of cardiac patients by Medtronic in the United States. A security vulnerability exists in versions of Medtronic CareLink Network prior to December 4, 2025, which stems from an insecure direct object reference that could...
CVE-2025-13109
CVE-2025-13109 concerns the WordPress plugin HUSKY – Products Filter Professional for WooCommerce (versions
EUVD-2025-200981
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woofaddquery" and "woofremovequery" functions due to missing validation on a user controlled key. This makes it...
WordPress HUSKY plugin <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' vulnerability
Authenticated Subscriber+ Insecure Direct Object Reference via 'woofaddquery/woofremovequery' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin HUSKY versions = 1.3.7.2...
Grav Insecure Direct Object Reference Vulnerability
Grav is an extensible CMS Content Management System for personal blogs, small content publishing platforms and one-page product presentations. Grav has an insecure direct object reference vulnerability, the vulnerability stems from the application does not correctly implement the access control...
PT-2025-48805
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof add query" and "woof remove query" functions due to missing validation on a user controlled key. This makes i...
GHSA-4CWQ-J7JV-QMWG Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
Summary An IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk...
CVE-2025-65672
Insecure Direct Object Reference IDOR in classroomio 0.1.13 allows unauthorized share and invite access to course settings...
Grav 安全漏洞
Grav is an extensible CMS Content Management System for personal blogs, small content publishing platforms and one-page product presentations. Grav has an insecure direct object reference vulnerability, the vulnerability stems from the application does not correctly implement the access control...