4435 matches found

CVE
added 2025/05/21 12:00 a.m., 48 views

CVE-2025-48202

The CVE-2025-48202 entry applies to the TYPO3 femanager extension (versions up to 8.2.1). The vulnerability is an Insecure Direct Object Reference (IDOR) in the newAction of the newController, allowing attackers to view frontend user data via a user parameter. Root cause is unsafe direct object r...

CVSS 5.3, AI score 5.4, EPSS 0.00242
Exploits: 0, References: 1
Cvelist
added 2025/05/21 12:00 a.m., 21 views

CVE-2025-48205

The srfeuserregister extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference...

CVSS 8.6, EPSS 0.00301
Exploits: 0, References: 1
CNNVD
added 2025/05/21 12:00 a.m., 2 views

TYPO3 security vulnerability

TYPO3 is a free and open source content management system framework (CMS/CMF) from the Swiss TYPO3 Association. A security vulnerability exists in TYPO3 version 12.4.8 and earlier, which stems from the presence of an unsafe direct object reference...

CVSS 8.6, AI score 6.5, EPSS 0.00301
Exploits: 0, References: 2
Vulnrichment
added 2025/05/21 12:00 a.m., 6 views

CVE-2025-48207

The reintdownloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference...

CVSS 8.6, AI score 6.9, EPSS 0.00301
Exploits: 0, References: 1
Cvelist
added 2025/05/21 12:00 a.m., 12 views

CVE-2025-48202

The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference...

CVSS 5.3, EPSS 0.00242
Exploits: 0, References: 1
Vulnrichment
added 2025/05/21 12:00 a.m., 5 views

CVE-2025-48205

The srfeuserregister extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference...

CVSS 8.6, AI score 7, EPSS 0.00301
Exploits: 0, References: 1
Positive Technologies
added 2025/05/20 12:00 a.m., 3 views

PT-2025-22371

Name of the Vulnerable Software and Affected Versions: femanager extension versions prior to 8.2.2. Description: The issue allows attackers to view frontend user data. This is achieved through an Insecure Direct Object Reference (IDOR) in the femanager TYPO3 extension, where attackers can exploit a us...

CVSS 5.3, AI score 6.5, EPSS 0.00242
Exploits: 0, References: 9
Positive Technologies
added 2025/05/20 12:00 a.m., 5 views

PT-2025-22391

Name of the Vulnerable Software and Affected Versions: reint downloadmanager extension versions prior to 5.0.1. Description: The issue allows Insecure Direct Object Reference, enabling remote attackers to read arbitrary files via the downloaduid parameter in the "downloadAction". Recommendations: For...

CVSS 8.6, AI score 6.7, EPSS 0.00301
Exploits: 0, References: 11
Friends Of PHP
added 2025/05/18 9:08 p.m., 24 views

TYPO3-EXT-SA-2025-004: Insecure Direct Object Reference in extension "Download manager" (reint_downloadmanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-004...

CVSS 8.6, AI score 7.2, EPSS 0.00301
Exploits: 0, Affected software: 1
Friends Of PHP
added 2025/05/16 3:52 p.m., 31 views

TYPO3-EXT-SA-2025-006: Insecure Direct Object Reference in extension "femanager" (femanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-006...

CVSS 5.3, AI score 7.2, EPSS 0.00242
Exploits: 0, Affected software: 1
RedhatCVE
added 2025/05/16 12:09 p.m., 4 views

CVE-2025-3769

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'viewbookingsummaryinlightbox' due to missing validation on a user controlled key. This makes it possible...

CVSS 5.3, AI score 6.7, EPSS 0.00286
Exploits: 0, References: 1
RedhatCVE
added 2025/05/16 8:56 a.m., 25 views

CVE-2024-8988

The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the filedownload REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

CVSS 5.3, AI score 6.7, EPSS 0.00248
Exploits: 0, References: 1
CVE
added 2025/05/15 11:49 a.m., 33 views

CVE-2025-4762

CVE-2025-4762 affects eSigna versions 1.0–1.5, via an IDOR in the eSignaViewer component that lets an unauthenticated attacker access arbitrary files in the document system by manipulating file paths and object identifiers. The PT-2025-21276 entry confirms the vulnerable component and remediation...

CVSS 2, AI score 7.4, EPSS 0.00271
Exploits: 0, References: 1
Vulnrichment
added 2025/05/14 2:39 p.m., 10 views

CVE-2024-52601 iTop portal Insecure Direct Object Reference vulnerability

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue...

CVSS 6.5, AI score 6.3, EPSS 0.00285
Exploits: 0, References: 1
NVD
added 2025/05/14 12:15 p.m., 8 views

CVE-2025-3769

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'viewbookingsummaryinlightbox' due to missing validation on a user controlled key. This makes it possible...

CVSS 5.3, EPSS 0.00286
Exploits: 0, References: 3
Cvelist
added 2025/05/14 11:12 a.m., 16 views

CVE-2025-3769 Latepoint <= 5.1.92 - Unauthenticated Insecure Direct Object Reference

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'viewbookingsummaryinlightbox' due to missing validation on a user controlled key. This makes it possible...

CVSS 5.3, EPSS 0.00286
Exploits: 0, References: 3
CVE
added 2025/05/14 11:12 a.m., 40 views

CVE-2025-3769

CVE-2025-3769 – LatePoint (WordPress) Unauthenticated IDOR. Affected software: LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress). Root cause: Insecure Direct Object Reference due to missing validation on a user-controlled key in the view_booking_summary_in_lightbox endpoi...

CVSS 5.3, AI score 5.1, EPSS 0.00286
Exploits: 0, References: 3
NVD
added 2025/05/14 9:15 a.m., 14 views

CVE-2024-8988

The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the filedownload REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

CVSS 5.3, EPSS 0.00248
Exploits: 0, References: 2
CVE
added 2025/05/14 8:22 a.m., 39 views

CVE-2024-8988

CVE-2024-8988 concerns PeepSo Core: File Uploads for WordPress. It allows an unauthenticated attacker to exploit an Insecure Direct Object Reference via the file_download REST endpoint due to missing validation on a user-controlled key, enabling download of files uploaded by other users. Affected...

CVSS 5.3, AI score 5.2, EPSS 0.00248
Exploits: 0, References: 2
Huntr
added 2025/05/13 1:27 p.m., 9 views

IDOR Vulnerability in Template Creation via `projectId` Manipulation

Description: An Insecure Direct Object Reference (IDOR) vulnerability exists in the POST /v1/templates endpoint of the Lunary API. This allows an authenticated user to create templates in another user's project by modifying the projectId query parameter. This occurs due to a lack of server-side...

CVSS 7.7, AI score 6.7, EPSS 0.00217
Exploits: 0