4428 matches found
CVE-2025-48878
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...
EUVD-2025-60937
The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists...
CVE-2025-11532
The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists...
CVE-2025-12126 The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation
The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access a...
CVE-2025-12126
CVE-2025-12126 affects The Total Book Project WordPress plugin (versions ≤ 1.0). Root cause: insecure direct object reference due to missing validation of a user-controlled key, enabling authenticated users with Contributor+ privileges to move/delete/create chapters in books not owned by them. Im...
CVE-2025-11532 Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists...
CVE-2025-11532 Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlistid' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists...
CVE-2025-11532
CVE-2025-11532 affects the Wisly WordPress plugin (versions
WordPress plugin The Total Book Project 安全漏洞
WordPress and the WordPress plugin are products of the WordPress Foundation, a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerability exists in...
PT-2025-46249
Name of the Vulnerable Software and Affected Versions Wisly plugin for WordPress versions prior to 1.0.1 Description The Wisly plugin for WordPress is susceptible to an Insecure Direct Object Reference issue in versions up to and including 1.0.0. This is due to a lack of validation on the wishlis...
PT-2025-46273
Name of the Vulnerable Software and Affected Versions The Total Book Project plugin for WordPress versions prior to 1.1 Description The software is susceptible to an Insecure Direct Object Reference issue. This impacts authenticated attackers with Contributor-level access or higher, allowing them...
CVE-2025-48878
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...
CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...
CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...
EUVD-2025-50777
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...
CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...
CVE-2025-48878
CVE-2025-48878 affects Combodo iTop (3.x) prior to 3.2.2. The vulnerability is an insecure direct object reference that allows a user (e.g., with a Service desk agent profile) to create a ModuleInstallation object when they should not be able to. The issue is resolved in 3.2.2. Impact details are...
PT-2025-46195
Name of the Vulnerable Software and Affected Versions Combodo iTop versions prior to 3.2.2 Description Combodo iTop is a web based IT service management tool. An insecure direct object reference allows a user, such as one with a Service desk agent profile, to create a ModuleInstallation object wh...
lemlist: Authentication Bypass in Subscription Management Endpoint
A vulnerability was identified in the subscription management functionality that allowed unauthorized access to customer billing information. The issue stemmed from insufficient authentication and authorization controls on an API endpoint. The vulnerability was classified as an Insecure Direct...
GHSA-FQQ7-H225-8W6H Skuul School Management System has an Insecure Direct Object Reference (IDOR) Vulnerability in View Fee Invoice
A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoiceid results in improper control of...