CVE-2025-48202

The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference...

CVE-2025-48207

The reintdownloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference...

CVE-2022-43326

An Insecure Direct Object Reference IDOR vulnerability in the password reset function of Telos Alliance Omnia MPX Node 1.0.0-1.4. allows attackers to arbitrarily change user and Administrator account passwords...

CVE-2022-24187

The userid and deviceid on the Ourphoto App version 1.4.1 /device/ end-points both suffer from insecure direct object reference vulnerabilities. Other end-users userid and deviceid values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an...

CVE-2022-42129

An Insecure direct object reference IDOR vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the formInstanceRecordId parameter...

CVE-2022-4340

The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference IDOR vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointmentid query...

CVE-2022-1352

Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that...

CVE-2022-30760

An Insecure Direct Object Reference IDOR issue in fn2Web in ihb eG FlexNow before 2.04.09.016 allows remote authenticated attackers to obtain sensitive student information final grades, study courses, degrees by changing the student ID parameter in the HTTP POST request to the FrontControllerSS...

CVE-2022-30852

Known v1.3.1 was discovered to contain an Insecure Direct Object Reference IDOR...

CVE-2022-26665

An Insecure Direct Object Reference issue exists in the Tyler Odyssey Portal platform before 17.1.20. This may allow an external party to access sensitive case records...

CVE-2022-25336

Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference IDOR attacks against image files because the image path and filename can be correctly deduced...

CVE-2022-1881

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space...

CVE-2022-29287

Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights default is Administrator to export the user options of any user, even ones with higher privileges like Global Administrators than the current user. The exported XML...

CVE-2022-34621

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference IDOR vulnerability which allows attackers to modify user passwords and other attributes via modification of the userid parameter...

CVE-2022-27108

OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference IDOR via the end point symfony/web/index.php/time/createTimesheet. Any user can create a timesheet in another user's account...

CVE-2021-36389

In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4"...

CVE-2021-42642

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference IDOR vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer...

CVE-2021-42640

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference IDOR vulnerability that allows an unauthenticated attacker to reassign drivers for any printer...

CVE-2021-42641

PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference IDOR vulnerability that allows an unauthenticated attacker to disclose the username and email address of all users...

CVE-2021-24892

Insecure Direct Object Reference in edit function of Advanced Forms Free & Pro before 1.6.9 allows authenticated remote attacker to change arbitrary user's email address and request for reset password, which could lead to take over of WordPress's administrator account. To exploit this...