943 matches found
CVE-2022-38789
An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference...
U.S. Dept Of Defense: IDOR when editing email leads to Mass Full ATOs (Account Takeovers) without user interaction on https://██████/
Dear DoD team, I found one critical bug on your domain: https://██████/. It's an IDOR. Also, this domain is from the Hack US program. What is that IDOR? Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access...
CVE-2022-34769
Michlol - rashim web interface Insecure direct object references (IDOR). First of all, the attacker needs to log in. After he logs into the system, there are some functionalities that the specific user is not allowed to perform. However, all the attacker needs to do in order to achieve his goa...
CVE-2022-34769 Michlol - rashim web interface Insecure direct object references (IDOR)
Michlol - rashim web interface Insecure direct object references (IDOR). First of all, the attacker needs to log in. After he logs into the system, there are some functionalities that the specific user is not allowed to perform. However, all the attacker needs to do in order to achieve his goa...
CVE-2022-33944
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs...
Design/Logic Flaw
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs...
CVE-2022-33944
The CVE-2022-33944 case concerns MiCODUS MV720 GPS tracker’s web server, which is vulnerable to an authenticated insecure direct object reference (IDOR) on the endpoint and the POST parameter “Device ID,” allowing arbitrary device IDs to be supplied. This vulnerability is highlighted in the ICS a...
Insecure Direct Object References when creating a list
Description Insecure direct object references when creating a list allows one user to create a new list on behalf of another. Proof of Concept POST /list HTTP/2 Host: bookwyrm.social Cookie: djangolanguage=None; csrftoken=I5lj4znBJ9B5HnT3FAsII67G1EISidIKGlsIz5ElN9kmlDwucM2hGKx0Fy4gM8vj;...
Insecure direct object references in "review" function
Description Insecure direct object references in review a book function allows one user to create a comment on behalf of another. Proof of Concept POST /post/review HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=bYsdqkQkkbYXZYRVd8AynhYxG1rBb2AoOfAO76XCYmgzXK3A266EpZamGcKL0pN5;...
Octopus Server security vulnerability
Octopus Server is an automated deployment platform. Octopus Server has a security vulnerability that stems from the presence of insecure object references, which can be exploited by an attacker to download projects and export them from projects to which they do not have access...
Insecure direct object references in `create-shelf` function
Description Insecure direct object references in create-shelf function allows one user to create a shelf on behalf of another. Proof of Concept POST /create-shelf HTTP/2 Host: book.dansmonorage.blue Cookie: csrftoken=ZpIuGbCcxOyhta5bki4N46N7vknEAcpaG3881kcMAfWKBEYKEiLEeSc3Sr4lUTVa;...
CVE-2022-23173 Priority - Priority web Insecure direct object references (IDOR)
This vulnerability affects users who are not even allowed to access the web interface. First of all, the attacker needs to access the "Login menu - demo site"; in this menu he can see all the functionality of the application. If the attacker tries to click on one of the links, he will get a...
CVE-2022-29434
Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events...
Spoofing
Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events...
CVE-2022-29434
The CVE-2022-29434 entry concerns the WordPress Spiffy Calendar plugin (versions
WordPress plugin Spiffy Calendar security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress Spiffy Calendar plugin 4.9.0 and earlier versions are vulnerable to an insecure direct object...
A vulnerability in the software import function of Cisco Enterprise NFV Infrastructure Software (NFVIS) allows an attacker to disclose protected information.
The vulnerability in the software import function of Cisco Enterprise NFV Infrastructure Software (NFVIS) is related to incorrect restrictions on XML references to external objects. Exploiting this vulnerability could allow a malicious actor to disclose sensitive information using specially created...
CVE-2022-28986
LMS Doctor Simple 2 Factor Authentication Plugin For Moodle (affected: 2021072900) has an Insecure direct object references (IDOR) vulnerability, which allows remote attackers to update sensitive records such as the email, password and phone number of other user accounts...