CVE-2023-53955

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without...

CVE-2023-53955 SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Authorization Bypass via Insecure Object References

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without...

CVE-2023-53955

CVE-2023-53955 affects SOUND4 IMPACT/FIRST/PULSE/Eco v2.x. The vulnerability is an insecure direct object reference (IDOR) that allows an attacker to bypass authorization and access privileged functions by manipulating user-supplied input. Affected components include Impact/Pulse/First (v2.x) and...

PT-2025-52696

Name of the Vulnerable Software and Affected Versions SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x Description The software contains an insecure direct object reference issue. This allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the issue by...

Sound4 IMPACT 安全漏洞

Sound4 IMPACT is a professional broadcast audio processor from Sound4 France. A security vulnerability exists in Sound4 IMPACT version v2.x. The vulnerability stems from an insecure direct object reference that could lead to an authorization bypass...

CVE-2025-7733

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2025-7733

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2025-7733

CVE-2025-7733 affects the WP JobHunt WordPress plugin (up to 7.7) via Insecure Direct Object Reference in the cs_update_application_status_callback, caused by missing validation on a user-controlled key. This allows authenticated users with Candidate-level access and above to send a site-generate...

CVE-2025-7733 WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'csupdateapplicationstatuscallback' due to missing validation on a user controlled key. This makes it possible for authenticated...

PT-2025-52550

Name of the Vulnerable Software and Affected Versions WP JobHunt plugin for WordPress versions prior to 7.8 Description The WP JobHunt plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This affects versions up to and including 7.7, stemming from a lack of validatio...

CVE-2025-14881

The CVE-2025-14881 issue is a broken access control in pretix (a ticketing system) where the UUID parameter in multiple API endpoints can be used to access sensitive files belonging to other users. Descriptions across Red Hat, ENISA EUVD, GHSA advisories, and the OSV/NVD entries consistently stat...

CVE-2025-14881 Insecure direct object reference

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...

CVE-2025-14882

CVE-2025-14882 is a vulnerability in pretix (Python ticketing system) where an API endpoint allowed cross-user file access by supplying the target file’s UUID. The issue is described as an Authorization Bypass Through User-Controlled Key, enabling retrieval of sensitive files belonging to other u...

CVE-2025-14882 Insecure direct object reference

An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...

CVE-2025-14882 Insecure direct object reference

An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...

CVE-2023-53930

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.p...

CVE-2025-67875

ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions "Edit Records" and "Manage Properties and Classifications" can inject a persistent Cross-Site Scripting...

WordPress HUSKY – Products Filter Professional for WooCommerce plugin <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference via 'woofaddsubscr' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin HUSKY versions = 1.3.7.3...

CVE-2025-34436

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks...

CVE-2025-34438

AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video...