4391 matches found
Improper access control
Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments...
CVE-2020-8235
CVE-2020-8235 affects Nextcloud Deck 1.0.4, where missing access control enables an insecure direct object reference to view all attachments. Root cause: inadequate access checks when accessing attachments from the Deck task view, leading to exposure of user-owned files. Public references in the ...
CVE-2020-7709
This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported...
CVE-2020-16240
GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference (IDOR) vulnerability allows user account data to be downloaded in JavaScript Object Notation (JSON) format by users who should not have access to such functionality. An attacker can download sensitive data related to...
CVE-2020-16244
GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts the entire platform at high risk because an authenticated user can retrieve all user account data...
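An added example, not GE Digital's code and not taken from the advisory, illustrating the salt point in the CVE-2020-16244 entry: with unsalted hashes, one precomputed table of common passwords cracks every account at once and identical passwords are visible as identical digests straight from a dump; a per-user salt fed into a slow KDF forces every guess to be recomputed per user. The account table, the wordlist and the PBKDF2 round count are constructed for the demonstration.

```python
"""Unsalted versus salted password storage: why the GE APM flaw makes a
dumped user table cheap to crack.  Added example; all data is constructed."""
import hashlib
import hmac
import os

# Constructed account table: three of the four users chose common passwords.
PLAINTEXT = {
    "alice": "Summer2020",
    "bob": "Summer2020",
    "carol": "Welcome1",
    "dave": "x7!Qz#9vLp",
}
# Constructed attacker wordlist.
WORDLIST = ["password", "Summer2020", "Welcome1", "letmein"]
PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune to your latency budget


def unsalted_hash(password: str) -> str:
    """The flawed scheme: the digest depends on nothing but the password, so
    the same password yields the same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Fixed scheme: a random per-user salt fed into a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_unsalted_store() -> dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in PLAINTEXT.items()}


def build_salted_store() -> dict[str, tuple[bytes, bytes]]:
    store = {}
    for user, pw in PLAINTEXT.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def shared_digest_users(store: dict[str, str]) -> set[str]:
    """Users whose digest equals someone else's.  Without a salt this reveals
    password reuse from the dump alone, before any cracking."""
    by_digest: dict[str, set[str]] = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, set()).add(user)
    return {u for users in by_digest.values() if len(users) > 1 for u in users}


def crack_unsalted(store: dict[str, str], wordlist) -> tuple[dict[str, str], int]:
    """One hash per candidate word cracks every account at once: the table is
    built once and the cost does not grow with the number of users."""
    table = {unsalted_hash(w): w for w in wordlist}
    found = {u: table[d] for u, d in store.items() if d in table}
    return found, len(wordlist)


def crack_salted(store: dict[str, tuple[bytes, bytes]], wordlist) -> tuple[dict[str, str], int]:
    """With salts every guess must be re-derived for each user, so the cost
    is users x words x KDF rounds and no precomputed table helps."""
    found, kdf_calls = {}, 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(salted_hash(w, salt), digest):
                found[user] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    unsalted = build_unsalted_store()
    print("reuse visible without cracking:", shared_digest_users(unsalted))
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(build_salted_store(), WORDLIST))
```

Both crackers find the same three weak passwords because the wordlist contains them; the difference is in the work counter and in what the dump leaks before cracking starts. In production the KDF would be Argon2id or scrypt rather than the PBKDF2 shown here.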
Input validation
A vulnerability in the Operations, Administration, Maintenance and Provisioning (OAMP) OpsConsole Server for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to execute Insecure Direct Object Reference actions on specific pages within the OAMP application. The...
CVE-2019-16017 Cisco Unified Customer Voice Portal Insecure Direct Object Reference Vulnerability
A vulnerability in the Operations, Administration, Maintenance and Provisioning (OAMP) OpsConsole Server for Cisco Unified Customer Voice Portal (CVP) could allow an authenticated, remote attacker to execute Insecure Direct Object Reference actions on specific pages within the OAMP application. The...
CVE-2019-16017
CVE-2019-16017 affects Cisco Unified CVP OAMP OpsConsole Server. The issue arises from insufficient input validation on specific OAMP pages, allowing an authenticated attacker to perform Insecure Direct Object Reference actions. Impact in documented details includes information disclosure beyond ...
CVE-2020-15958
An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL...
Design/Logic Flaw
An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL...
CVE-2020-15958
CVE-2020-15958 affects 1CRM System up to version 8.6.7. It exposes an insecure direct object reference to internally stored files, enabling an unauthenticated remote attacker to access sensitive information via a predictable URL. The advisory in PacketStorm (ARA-2020-005) cites CVSS v3 score 8.6 ...
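An added example, not code from Nextcloud, GE Digital or 1CRM, showing the pattern shared by the Nextcloud Deck, GE APM and 1CRM entries above: an object is fetched by its numeric id with, at most, a login check, so any caller who can guess the id reads the object. The vulnerable handler sits beside a hardened one that authorises against the resource the object belongs to, and a small probe enumerates ids the way a tester would to confirm the flaw. The board/attachment store, users and ids are constructed; the 1CRM case is the same lookup without even the login check.

```python
"""IDOR on an attachment endpoint: vulnerable and fixed handlers plus the
enumeration probe used to detect the flaw.  Added example; data constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    id: int
    board_id: int
    filename: str
    content: bytes


# Constructed sample data: two boards with different members.
BOARD_MEMBERS = {
    100: {"alice"},
    200: {"bob"},
}
ATTACHMENTS = {
    1: Attachment(1, 100, "alice-notes.txt", b"alice's private notes"),
    2: Attachment(2, 200, "bob-budget.xlsx", b"bob's budget"),
    3: Attachment(3, 200, "bob-contract.pdf", b"bob's contract"),
}
ALL_USERS = {u for members in BOARD_MEMBERS.values() for u in members}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_attachment_vulnerable(user: str, attachment_id: int) -> Attachment:
    """IDOR: the caller must be logged in, but the object is returned on the
    strength of its id alone, so any user reads any attachment by guessing
    the number.  Dropping the login check gives the 1CRM variant."""
    if user not in ALL_USERS:
        raise Forbidden("login required")
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        raise NotFound(attachment_id)
    return att


def get_attachment_secure(user: str, attachment_id: int) -> Attachment:
    """Fixed: resolve the object, then authorise against the resource it
    belongs to (board membership) before returning anything.  An attachment
    the caller may not see is reported as not-found, so the 403/404
    distinction cannot be used to map which ids exist."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None or user not in BOARD_MEMBERS.get(att.board_id, set()):
        raise NotFound(attachment_id)
    return att


def idor_probe(handler, user: str, id_range: range) -> list[int]:
    """Walk an id range as `user` and return the ids that came back with
    objects the user is not a member of.  Ground truth for ownership comes
    from the store; against a live target it comes from a second test
    account whose objects you created yourself."""
    leaked = []
    for i in id_range:
        try:
            att = handler(user, i)
        except (Forbidden, NotFound):
            continue
        if user not in BOARD_MEMBERS[att.board_id]:
            leaked.append(i)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", idor_probe(get_attachment_vulnerable, "alice", range(1, 10)))
    print("secure leaks:   ", idor_probe(get_attachment_secure, "alice", range(1, 10)))
```

The fix is not a filter on the client or a harder-to-guess id on its own: the check has to run server-side on every object access, keyed on the principal and the resource, and random ids are at best a second layer on top of it.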
1CRM 8.6.7 Insecure Direct Object Reference
Security Advisory ARA-2020-005: Insecure Direct Object Reference CVE-2020-15958 Affected Products and Environments Product: 1CRM <= 8.6.7, confirmed for CRBM System ENT-8.6.5, CRBM System ENT-8.6.6 and Startup+ Edition 8.5.15 Environments: All host environments Security Risk Severity: High CVSS v3:...
New Relic: IDOR - User is able to download charts/dashboards from cross accounts
@k3ne described an issue where a user on an account could access data concerning dashboards for another user on the same account. While this appeared to be a cross-account access issue, both users on the account have access to the same data by design...
Insecure Direct Object Reference vulnerability in the mysonicwall.com add-user API
An insecure direct object reference vulnerability has been identified in the users/add-user API endpoint of mysonicwall.com. This could allow a normal authenticated mysonicwall user to manipulate an API parameter and gain access to the user group of the tenant of any other mysonicwall user account. CVE: N/A...
Online Shopping Alphaware 1.0 Insecure Direct Object Reference Vulnerability
Exploit for php platform in category web applications Exploit Title: Online Shopping Alphaware 1.0 - 'Summary' Insecure Direct Object Reference Authenticated Exploit Author: Edo Maland Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html Software Link:...