Nextcloud Server 安全漏洞

Nextcloud Server is a Nextcloud server program from Nextcloud Open Source. A security vulnerability exists in Nextcloud Server version 30.0.0, which stems from the presence of an insecure direct object reference in the /core/preview endpoint that could lead to unauthorized access to sensitive dat...

CVE-2025-64011

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference IDOR in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...

PT-2025-50959

Name of the Vulnerable Software and Affected Versions Nextcloud Server version 30.0.0 Description Nextcloud Server 30.0.0 contains an Insecure Direct Object Reference IDOR issue in the /core/preview endpoint. An authenticated user can access previews of arbitrary files belonging to other users by...

📄 EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference

EduplusCampus Student Portal version 3.0.1 suffers from an insecure direct object reference vulnerability. ============================================================================================================================================= | Title : EduplusCampus student portal v 3.0.1...

CVE-2025-13124 IDOR in Netiket''s ApplyLogic

Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025...

CVE-2025-13003

CVE-2025-13003 describes an Authorization Bypass Through User-Controlled Key in AxOnboard (Aksis Computer Services and Consulting Inc.), affecting version 3.2.0 up to 3.3.0. The root cause is not detailed beyond the user-controlled key enabling exploitation of trusted identifiers. Documented impa...

CVE-2025-41358

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

CVE-2025-61148

An Insecure Direct Object Reference IDOR vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'recno' parameter in the /student/get-receipt endpoint...

CVE-2023-53770

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to...

CVE-2020-36895

EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposi...

CVE-2025-41358

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

CVE-2025-41358 Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

CVE-2025-41358 Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

CVE-2025-41358

CVE-2025-41358 describes a Direct Object Reference (IDOR) in i2A’s CronosWeb. Affected: CronosWeb versions before and including 25.00.00.12. Root cause: manipulation of the request parameter “documentCode” in /CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas allows an au...

PT-2025-50516

EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposi...

CVE-2023-53770

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to...

CVE-2023-53770

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to...

CVE-2025-67594

CVE-2025-67594 references indicate an insecure direct object references (IDOR) vulnerability in the WordPress plugin Thim Elementor Kit

MiniDVBLinux 安全漏洞

MiniDVBLinux is a multimedia center software from the German company MiniDVBLinux. A security vulnerability exists in MiniDVBLinux version 5.4, which stems from an insecure direct object reference that could lead to a configuration disclosure...

WordPress Fluent Forms plugin <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id vulnerability

Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submissionid vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin FluentForm versions = 6.1.7...