332 matches found

Veracode · added 2025/03/10 8:21 a.m. · 8 views

Insecure Direct Object Reference (IDOR)

github.com/zitadel/zitadel is vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability is due to insufficient access control in the Admin API, allowing authenticated users without specific IAM roles to modify sensitive settings...

CVSS 9 · AI score 6.7 · EPSS 0.00373
Exploits 0 · References 17 · Affected Software 1

Github Security Blog · added 2025/03/04 4:43 p.m. · 25 views

IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

Summary: ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP...

CVSS 9 · AI score 7.1 · EPSS 0.00373
Exploits 0 · References 14 · Affected Software 2

OSV · added 2025/03/04 4:43 p.m. · 8 views

GHSA-F3GH-529W-V32X IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

Summary: ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP...

CVSS 9 · AI score 6.9 · EPSS 0.00373
Exploits 0 · References 14

Vulnrichment · added 2025/03/04 4:43 p.m. · 8 views

CVE-2025-27507 IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

CVSS 9 · AI score 6.9 · EPSS 0.00373
Exploits 0 · References 2

CVE · added 2025/03/04 4:43 p.m. · 163 views

CVE-2025-27507

Summary: CVE-2025-27507 concerns IDOR flaws in Zitadel’s Admin API that authenticated users (without specific IAM roles) can exploit to modify sensitive settings, with the most critical impact on LDAP configurations. The vulnerability enables manipulation of LDAP-related endpoints (notably /idps/...

CVSS 9 · AI score 9.3 · EPSS 0.00373
Exploits 0 · References 2 · Affected Software 1

Cvelist · added 2025/03/04 4:43 p.m. · 22 views

CVE-2025-27507 IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations

The open-source identity infrastructure software Zitadel allows administrators to disable user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While...

CVSS 9 · EPSS 0.00373
Exploits 0 · References 2

Positive Technologies · added 2025/03/04 12:00 a.m. · 7 views

PT-2025-9686 · Zitadel · Zitadel

Name of the Vulnerable Software and Affected Versions: Zitadel versions prior to 2.71.0 Zitadel versions prior to 2.70.1 Zitadel versions prior to 2.69.4 Zitadel versions prior to 2.68.4 Zitadel versions prior to 2.67.8 Zitadel versions prior to 2.66.11 Zitadel versions prior to 2.65.6 Zitadel...

CVSS 9.9 · AI score 7.4 · EPSS 0.93512
Exploits 19 · References 61

RedhatCVE · added 2025/02/13 11:47 p.m. · 7 views

CVE-2024-35557

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/vpsApideal.php?mudi=rev=close...

CVSS 5.5 · AI score 7.5 · EPSS 0.00135
Exploits 1 · References 3

RedhatCVE · added 2025/02/05 2:13 p.m. · 9 views

CVE-2020-11012

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations (i.e. creating new service accounts for existing access keys) without knowing the admin secret key. This has bee...

CVSS 9.3 · AI score 7 · EPSS 0.00133
Exploits 0 · References 1

NVD · added 2024/10/09 7:15 p.m. · 15 views

CVE-2024-3656

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise...

CVSS 8.1 · EPSS 0.89656
Exploits 0 · References 8

Cvelist · added 2024/10/09 6:59 p.m. · 203 views

CVE-2024-3656 Keycloak: unguarded admin rest api endpoints allows low privilege users to use administrative functionalities

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise...

CVSS 8.1 · EPSS 0.89656
Exploits 0 · References 5

RedhatCVE · added 2024/10/09 6:25 p.m. · 21 views

CVE-2024-3656

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. Mitigation Mitigation...

CVSS 8.1 · AI score 7.8 · EPSS 0.89656
Exploits 0 · References 4

OwnCloud · added 2024/09/09 12:00 a.m. · 23 views

Cross-site Request Forgery in diagnostics app - ownCloud

Improper handling of CSRF protection in the diagnostics app, in combination with the SameSite cookie attribute being set to None, allows cross-site invocation of an admin API...

CVSS 3.1 · AI score 6.4
Exploits 0 · Affected Software 2

Positive Technologies · added 2024/08/18 12:00 a.m. · 3 views

PT-2024-30935 · Pi-Hole · Pi-Hole

Name of the Vulnerable Software and Affected Versions: Pi-hole versions prior to 6 Description: The issue allows unauthenticated calls to "admin/api.php?setTempUnit=" to change the temperature units of the web dashboard. The supplier reportedly does not consider this a security issue, but the...

CVSS 7.5 · AI score 7.2 · EPSS 0.00111
Exploits 1 · References 8

OSV · added 2024/08/05 9:29 p.m. · 12 views

GHSA-9355-27M8-H74V Owncast Path Traversal vulnerability

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The...

CVSS 5.1 · AI score 3.5 · EPSS 0.00126
Exploits 1 · References 6

CNNVD · added 2024/07/05 12:00 a.m. · 1 views

14Finger Security Vulnerability

14Finger is a full-featured web fingerprint recognition and sharing platform by the individual developer b1ackc4t. A security vulnerability exists in 14Finger version 1.1, which stems from an arbitrary user deletion vulnerability in the component /api/admin/user?id...

CVSS 9.1 · AI score 6.9 · EPSS 0.00119
Exploits 1 · References 2

Cvelist · added 2024/06/19 5:37 p.m. · 27 views

CVE-2024-36115 Stored Cross-site scripting in Reposilite artifacts

Reposilite is an open source, lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. As a Maven repository manager, Reposilite provides the ability to view the artifacts' content in the browser, as well as to perform administrative tasks via API. The problem lies i...

CVSS 7.1 · EPSS 0.05369
Exploits 0 · References 4

Positive Technologies · added 2024/06/13 12:00 a.m. · 1 views

PT-2024-22650 · Dell · Dell Scg

Name of the Vulnerable Software and Affected Versions: Dell SCG versions prior to 5.24.00.00. Description: The issue is related to an Improper Access Control vulnerability in the SCG exposed for an internal maintenance REST API. This could allow a remote low-privileged attacker to execute certain...

CVSS 5.4 · AI score 7.4 · EPSS 0.01405
Exploits 0 · References 3

CNNVD · added 2024/05/22 12:00 a.m. · 2 views

idccms security vulnerability

idcCMS (Net Titanium IDC Cloud Management Agent System) is a cloud management agent system from China's Net Titanium Technology. A security vulnerability exists in idccms v1.35, which was discovered to contain a cross-site request forgery vulnerabilit...

CVSS 4.3 · AI score 7.1 · EPSS 0.00146
Exploits 1 · References 3

Positive Technologies · added 2024/05/21 12:00 a.m. · 1 views

PT-2024-5326 · Ibm · Ibm App Connect Enterprise

Name of the Vulnerable Software and Affected Versions: IBM App Connect Enterprise versions 11.0.0.1 through 11.0.0.25; IBM App Connect Enterprise versions 12.0.1.0 through 12.0.12.0. Description: The issue is related to an error in exception handling in the AdminAPI component of IBM App Connect...

CVSS 6.8 · AI score 6.9 · EPSS 0.00138
Exploits 0 · References 9