
4468 matches found

CVE
• added 2025/12/17 12:00 a.m. • 9 views

CVE-2025-67165

The CVE-2025-67165 entry concerns Pagekit CMS v1.0.18 with an Insecure Direct Object Reference (IDOR) in the User Role component that can lead to privilege escalation. The Root Cause described across sources is insufficient access control, enabling a crafted request (notably via the /api/user/rol...

9.8 CVSS · 6.8 AI score · 0.00429 EPSS
Exploits 1 · References 4 · Affected Software 1
Vulnrichment
• added 2025/12/16 8:13 a.m. • 5 views

CVE-2025-68071 WordPress Essential Real Estate plugin <= 5.3.2 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.3.2...

6.5 CVSS · 5.1 AI score · 0.00217 EPSS
Exploits 0 · References 1
Vulnrichment
• added 2025/12/16 8:12 a.m. • 2 views

CVE-2025-66132 WordPress FAPI Member plugin <= 2.2.30 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FAPI Member: from n/a through <= 2.2.30...

5.3 CVSS · 5.1 AI score · 0.00247 EPSS
Exploits 0 · References 1
Patchstack
• added 2025/12/14 4:30 a.m. • 7 views

WordPress Essential Real Estate plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References (IDOR) vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions <= 5.2.6...

6.5 CVSS · 5.3 AI score · 0.00217 EPSS
Exploits 0 · Affected Software 1
Veracode
• added 2025/12/13 6:01 a.m. • 9 views

Insecure Direct Object Reference (IDOR)

getgrav/grav is vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability is due to improper access control in the Admin Panel, which allows a low-privilege attacker to access sensitive information of other users by manipulating direct object references...

6.5 CVSS · 5.9 AI score · 0.00253 EPSS
Exploits 1 · References 3 · Affected Software 1
RedhatCVE
• added 2025/12/13 12:16 a.m. • 5 views

CVE-2025-64011

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...

4.3 CVSS · 6.7 AI score · 0.00237 EPSS
Exploits 1 · References 1
NVD
• added 2025/12/12 5:15 p.m. • 8 views

CVE-2025-64011

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...

4.3 CVSS · 0.00237 EPSS
Exploits 1 · References 3
Patchstack
• added 2025/12/12 12:17 a.m. • 7 views

WordPress WP Recipe Maker plugin <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure vulnerability

Insecure Direct Object Reference to Sensitive Information Exposure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WP Recipe Maker versions <= 10.2.2...

4.3 CVSS · 7 AI score · 0.00319 EPSS
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
• added 2025/12/12 12:00 a.m. • 4 views

CVE-2025-64011

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such...

6.3 AI score · 0.00237 EPSS
Exploits 1 · References 3
CNNVD
• added 2025/12/12 12:00 a.m. • 4 views

Nextcloud Server Security Vulnerability

Nextcloud Server is a Nextcloud server program from Nextcloud Open Source. A security vulnerability exists in Nextcloud Server version 30.0.0, which stems from the presence of an insecure direct object reference in the /core/preview endpoint that could lead to unauthorized access to sensitive dat...

4.3 CVSS · 6.3 AI score · 0.00237 EPSS
Exploits 1 · References 3
Positive Technologies
• added 2025/12/12 12:00 a.m. • 6 views

PT-2025-50959

Name of the Vulnerable Software and Affected Versions: Nextcloud Server version 30.0.0. Description: Nextcloud Server 30.0.0 contains an Insecure Direct Object Reference (IDOR) issue in the /core/preview endpoint. An authenticated user can access previews of arbitrary files belonging to other users by...

4.3 CVSS · 6.4 AI score · 0.00237 EPSS
Exploits 1 · References 15
Packet Storm
• added 2025/12/12 12:00 a.m. • 143 views

EduplusCampus Student Portal 3.0.1 Insecure Direct Object Reference

EduplusCampus Student Portal version 3.0.1 suffers from an insecure direct object reference vulnerability. | Title : EduplusCampus student portal v 3.0.1...

6.5 CVSS · 7 AI score · 0.00297 EPSS
Exploits 3
Vulnrichment
• added 2025/12/11 2:30 p.m. • 5 views

CVE-2025-13124 IDOR in Netiket's ApplyLogic

Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025...

7.6 CVSS · 5.8 AI score · 0.00209 EPSS
Exploits 0 · References 2
CVE
• added 2025/12/11 12:11 p.m. • 18 views

CVE-2025-13003

CVE-2025-13003 describes an Authorization Bypass Through User-Controlled Key in AxOnboard (Aksis Computer Services and Consulting Inc.), affecting version 3.2.0 up to 3.3.0. The root cause is not detailed beyond the user-controlled key enabling exploitation of trusted identifiers. Documented impa...

7.6 CVSS · 5.8 AI score · 0.00199 EPSS
Exploits 0 · References 2
RedhatCVE
• added 2025/12/11 11:56 a.m. • 7 views

CVE-2025-41358

Direct Object Reference vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in...

8.3 CVSS · 6.6 AI score · 0.0031 EPSS
Exploits 0 · References 1
RedhatCVE
• added 2025/12/11 5:03 a.m. • 17 views

CVE-2025-61148

An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students' personal and financial records by modifying the 'recno' parameter in the /student/get-receipt endpoint...

6.5 CVSS · 6.7 AI score · 0.00297 EPSS
Exploits 3 · References 1
RedhatCVE
• added 2025/12/10 9:16 p.m. • 6 views

CVE-2023-53770

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to...

8.7 CVSS · 7 AI score · 0.00466 EPSS
Exploits 1 · References 1
NVD
• added 2025/12/10 9:16 p.m. • 5 views

CVE-2020-36895

EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposi...

8.7 CVSS · 0.00618 EPSS
Exploits 1 · References 4
NVD
• added 2025/12/10 12:16 p.m. • 3 views

CVE-2025-41358

Direct Object Reference vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in...

8.3 CVSS · 0.0031 EPSS
Exploits 0 · References 1
Cvelist
• added 2025/12/10 11:16 a.m. • 23 views

CVE-2025-41358 Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A

Direct Object Reference vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in...

8.3 CVSS · 0.0031 EPSS
Exploits 0 · References 1