Page2Flip 2.5 Insecure Direct Object Reference

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-029 Product: Page2Flip Vendor: w!ssenswerft GmbH Affected Versions: Premium App 2.5, probably also in Business App and Basic App, and in lower versions Tested Versions: Premium App 2.5 Vulnerability Type: Insecure Direct Objec...

[SYSS-2015-029] Insecure Direct Object Reference (CWE-932) in Page2Flip Premium App 2.5

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-029 Product: Page2Flip Vendor: w!ssenswerft GmbH Affected Versions: Premium App 2.5, probably also in Business App and Basic App, and in lower versions Tested Versions: Premium App 2.5 Vulnerability Type: Insecure Direct Objec...

Weebly.com Insecure Direct Object Reference

Title: Hijack any website from weebly.com by just adding an administrator to their website. Insecure Direct Object Reference Vulnerability ===== Weebly is a web-hosting service that allows the user to “drag-and-drop” while using their website builder. As of August 2012, Weebly hosts over 20 milli...

phpList 3.0.10 Insecure Direct Object Reference

Affected software: phplist Type of vulnerability: insecure object reference URL:phplist.com Discovered by: Provensec Website: http://www.provensec.com version: phpList ltd. - v3.0.10 Proof of concept insecure object refrenced on page deltetation vuln param:delete example:...

X (Formerly Twitter): Insecure Direct Object Reference - access to other user/group DM's

Hello, I found a way to access group DM's which i don't have access to, Conditions to be met: - Should have been in that DM group atleast once. Exploitation ways: =============== - let's say they're three twitter profiles, Naruto , Goku and Eren. - Naruto creates a DM group in between himself ,...

X (Formerly Twitter): Insecure direct object reference - have access to deleted DM's

Hello, The bug is straight and simple, I have access to deleted DM's. Once a DM is deleted a user/app will still be able to access the DM's using show DM endpoint Attack Scenario ==================== Their are two accounts Sam and Molly , Sam Dm's Molly something important and both quickly delete...

Vimeo: Insecure Direct Object References that allows to read any comment (even if it should be private)

Dear Vimeo Team, in combination with my previous bug i discovered that it was possible to read any comment on any video even if the video is private: I did a short POC on the Insecure Direct Object Reference. If an attacker wants to exploit this issue he has to know the ID of the comment, which...

Vimeo: CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.

Hello, This time I found a IDORInsecure Direct Object Reference vulnerability. It allows an attacker to get unauthorized access to Videos of Channel whose privacy is set to Only moderators and people I choose without being a member. In simple words, we can access videos of private channel without...

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

Design/Logic Flaw

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

CVE-2014-8372

Affected product: AirWatch by VMware On-Premise 7.3.x (prior to 7.3.3.0 FP3). Issue: Direct object reference enables remote authenticated users to view organizational information and statistics of other tenants. This is an information disclosure vulnerability in multi-tenant deployments. Root cau...

ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability EMC Identifier: ESA-2014-156 CVE Identifier: CVE-2014-4629 Severity Rating: CVSS v2 Base Score: 8.2 AV:N/AC:M/Au:S/C:C/I:P/A:C Affected products: • All EMC...

CVE-2014-4629

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference...

Design/Logic Flaw

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference...

CVE-2014-4629

EMC Documentum Content Server is affected by an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2014-4629) in versions 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19. The issue allows remote authenticated attackers to read or delete arbitrary files via unspecified vectors. Remediation...

CVE-2014-4629

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference...

EMC Documentum Content Server Insecure Direct Object Reference (ESA-2014-156)

The remote host is running a version of EMC Documentum Content Server that is affected by an insecure direct object reference vulnerability, which allows a remote, authenticated attacker to potentially read or delete arbitrary files without authorization. C Tenable Network Security, Inc...

ZTE ZXDSL 831CII - Insecure Direct Object Reference

No description provided by source. Exploit Title: ZTE ZXDSL 831 Insecure Direct Object Reference Date: 11/3/2014 Exploit Author: Paulos Yibelo Vendor Homepage: zte.com.cn Software Link: - Version: - Tested on: Windows 7 CVE :- ZTE ZXDSL 831CII suffers from an insecure direct object reference...