4470 matches found
CVE-2025-43803
Insecure direct object reference IDOR vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows...
CVE-2025-43803
Insecure direct object reference IDOR vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows...
CVE-2025-43803
The CVE-2025-43803 case affects Liferay Portal and Liferay DXP where the Contacts Center widget directly exposes the entryId parameter (_com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId) leading to an Insecure Direct Object Reference (IDOR). Affected versions include Liferay Portal ...
CVE-2025-43803
Insecure direct object reference IDOR vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows...
CVE-2025-8532 IDOR in Bimser's eBA Document and Workflow Management System
Authorization Bypass Through User-Controlled Key, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. EBA Document and Workflow Management System allows Forceful Browsing. This issue affects eBA Document and Workflow Management System: from 6.7.164 before 6.7.166...
CVE-2025-10719
Tronclass developed by WisdomGarden has an Insecure Direct object Reference vulnerability, allowing remote attackers with regular privilege to modify a specific parameter to access other users' files...
CVE-2025-10719 WisdomGarden|Tronclass - Insecure Direct Object Reference
Tronclass developed by WisdomGarden has an Insecure Direct object Reference vulnerability, allowing remote attackers with regular privilege to modify a specific parameter to access other users' files...
CVE-2025-10719
CVE-2025-10719 concerns WisdomGarden’s Tronclass LMS, where an Insecure Direct Object Reference flaw lets remote attackers with regular privileges manipulate a parameter to access other users’ files. Root cause appears to be improper authorization on object references. Public summaries in NVD/Red...
CVE-2025-10719 WisdomGarden|Tronclass - Insecure Direct Object Reference
Tronclass developed by WisdomGarden has an Insecure Direct object Reference vulnerability, allowing remote attackers with regular privilege to modify a specific parameter to access other users' files...
Liferay Portal和Liferay DXP 安全漏洞
Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...
WisdomGarden Tronclass 安全漏洞
WisdomGarden Tronclass is an interactive instructional management platform from China WisdomGarden, Inc. A security vulnerability exists in WisdomGarden Tronclass that stems from an insecure direct object reference, which could lead to a remote attacker accessing other user files by modifying...
PT-2025-38612
Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.119 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.6 Liferay Portal versions 7.4 GA through update 92 Description An insecure direct object reference...
PT-2025-38523
Name of the Vulnerable Software and Affected Versions Tronclass affected versions not specified Description Tronclass Learning Management System suffers from an Insecure Direct Object Reference issue. Remote attackers with regular privileges can manipulate a parameter to gain unauthorized access ...
CVE-2025-10493
The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other...
CVE-2025-10493 Chained Quiz <= 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie
The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other...
WordPress plugin Chained Quiz 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...
PT-2025-38302
Name of the Vulnerable Software and Affected Versions Chained Quiz plugin for WordPress versions 1.3.4 and below Description The Chained Quiz plugin for WordPress is susceptible to an Insecure Direct Object Reference issue in versions 1.3.4 and below. This flaw resides in the quiz submission and...
CVE-2025-8463 IDOR in SecHard Information Technologies' SecHard
Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing. This issue affects SecHard: before 3.6.2-20250805...
CVE-2025-43782
Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...
GHSA-WR8M-5H2P-4432 Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name
An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...