CVE-2021-39889

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch...

CVE-2021-35337

Sourcecodester Phone Shop Sales Managements System 1.0 is vulnerable to Insecure Direct Object Reference IDOR. Any attacker will be able to see the invoices of different users by changing the id parameter...

CVE-2021-38362

In RSA Archer 6.x through 6.9 SP3 6.9.3.0, an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference IDOR issue and retrieve sensitive data...

CVE-2021-36388

In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4"...

CVE-2021-26024

The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account...

CVE-2021-37777

Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference IDOR. Thumbnails uploaded by one site owner are visible by another site owner just by knowing the other site name and fuzzing for picture names. This leads to sensitive information disclosure...

CVE-2020-7948

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object reference...

CVE-2020-8503

Biscom Secure File Transfer SFT 5.0.1050 through 5.1.1067 and 6.0.1000 through 6.0.1003 allows Insecure Direct Object Reference IDOR by an authenticated sender because of an error in a file-upload feature. This is fixed in 5.1.1068 and 6.0.1004...

CVE-2020-9384

An Insecure Direct Object Reference IDOR vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters. NOTE: This vulnerability may only affect a testing version of the applicati...

CVE-2020-8235

Missing access control in Nextcloud Deck 1.0.4 caused an insecure direct object reference allowing an attacker to view all attachments...

CVE-2020-16240

GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference IDOR vulnerability allows user account data to be downloaded in JavaScript object notation JSON format by users who should not have access to such functionality. An attacker can download sensitive data related to...

CVE-2020-16194

An Insecure Direct Object Reference IDOR vulnerability was found in Prestashop Opart devis 4.0.2. Unauthenticated attackers can have access to any user's invoice and delivery address by exploiting an IDOR on the deliveryaddress and invoiceaddress fields...

CVE-2020-13815

An issue was discovered in Foxit Reader and PhantomPDF before 9.7.1. It allows stack consumption via a loop of an indirect object reference...

CVE-2020-11589

An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only...

CVE-2020-35577

In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference IDOR allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier aka CommonDownload identification number...

CVE-2020-27742

An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msgconfirmmove template. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" threa...

CVE-2020-20183

Insecure direct object reference vulnerability in Zyxel’s P1302-T10 v3 with firmware version 2.00ABBX.3 and earlier allows attackers to gain privileges and access certain admin pages...

CVE-2020-13462

Insecure Direct Object Reference IDOR exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA...

CVE-2018-17455

An issue was discovered in GitLab Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. Attackers could obtain sensitive information about group names, avatars, LDAP settings, and descriptions via an insecure direct object reference to the "merge request approvals"...

CVE-2019-14730

In CentOS-WebPanel.com aka CWP CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete a domain from a victim's account via an attacker account...