
Veracode
added 2022/09/16 6:06 p.m. · 10 views

Account Takeover (ATO)

Pageflow is vulnerable to account takeover (ATO). An insecure direct object reference is possible due to improper restriction of the user membership base object. An attacker with the manager role can modify any user's memberships, resulting in account takeover...

5.5 AI score
Exploits 0
NVD
added 2022/09/15 12:15 p.m. · 10 views

CVE-2022-38789

An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference...

9.1 CVSS · 0.00876 EPSS
Exploits 0 · References 2
Prion
added 2022/09/15 12:15 p.m. · 17 views

Design/Logic Flaw

An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference...

6.4 CVSS · 9.1 AI score · 0.00876 EPSS
Exploits 0 · References 2 · Affected Software 3
CVE
added 2022/09/15 11:56 a.m. · 65 views

CVE-2022-38789

CVE-2022-38789 affects Airties Smart Wi‑Fi devices released before 2020-08-04. The issue stems from an Insecure Direct Object Reference that lets an attacker change the main/guest SSID and PSK to arbitrary values and map the LAN. Multiple sources (NVD/Red Hat entry, CN/PRION/PTSecurity summaries)...

9.1 CVSS · 9.1 AI score · 0.00876 EPSS
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/09/15 11:56 a.m. · 18 views

CVE-2022-38789

An issue was discovered in Airties Smart Wi-Fi before 2020-08-04. It allows attackers to change the main/guest SSID and the PSK to arbitrary values, and map the LAN, because of Insecure Direct Object Reference...

9.4 AI score · 0.00876 EPSS
Exploits 0 · References 2
Github Security Blog
added 2022/09/15 3:21 a.m. · 19 views

Pageflow vulnerable to insecure direct object reference in membership update endpoint

Impact: Pageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account for which they have the manager role, including their own. While the Entity dropdown select field is greyed out in the UI, an attacker can use tools which allow sending...

2.6 AI score
Exploits 0 · References 3 · Affected Software 1
OSV
added 2022/09/15 3:21 a.m. · 16 views

GHSA-QCQV-38JG-2R43 Pageflow vulnerable to insecure direct object reference in membership update endpoint

Impact: Pageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account for which they have the manager role, including their own. While the Entity dropdown select field is greyed out in the UI, an attacker can use tools which allow sending...

7 AI score
Exploits 0 · References 3
CNNVD
added 2022/09/15 12:00 a.m. · 4 views

Airties Smart Wi-Fi Security Vulnerability

Airties Smart Wi-Fi is a series of Wi-Fi extenders from Airties Turkey. A security vulnerability exists in Airties Smart Wi-Fi versions prior to 2020-08-04, which stems from an insecure direct object reference...

9.1 CVSS · 8.2 AI score · 0.00876 EPSS
Exploits 0 · References 3
Positive Technologies
added 2022/09/15 12:00 a.m. · 4 views

PT-2022-24568 · Airties · Airties Smart Wi-Fi

Name of the Vulnerable Software and Affected Versions: Airties Smart Wi-Fi versions prior to 2020-08-04 Description: The issue allows attackers to change the main/guest SSID and the PSK to arbitrary values and map the LAN due to Insecure Direct Object Reference. Recommendations: For versions prio...

9.1 CVSS · 9.2 AI score · 0.00876 EPSS
Exploits 0 · References 4
ATTACKERKB
added 2022/09/06 8:15 p.m. · 4 views

CVE-2022-32277

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details. NOTE: this is disputed by both the vendor and the original discoverer because it is a site-specific findin...

5.3 CVSS · 5.4 AI score · 0.00435 EPSS
Exploits 0 · References 3
CNNVD
added 2022/09/06 12:00 a.m. · 3 views

Squiz Matrix Security Vulnerability

Squiz Matrix is a web CMS from Squiz, Inc. that helps digital marketers create and publish content while building websites without deep technical skills. A security vulnerability exists in Squiz Matrix CMS version 6.20, which stems from an insecure direct object reference vulnerability when it...

5.3 CVSS · 5.8 AI score · 0.00435 EPSS
Exploits 0 · References 3
CVE
added 2022/09/06 12:00 a.m. · 61 views

CVE-2022-32277

Affected product: Squiz Matrix CMS 6.20. Vulnerability: Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user’s contact details. Impact (as stated): Confidentiality: None; Integrity: Low; Availability: None. Root cause / ...

5.3 CVSS · 5.3 AI score · 0.00435 EPSS
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/09/06 12:00 a.m. · 23 views

CVE-2022-32277

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details. NOTE: this is disputed by both the vendor and the original discoverer because it is a site-specific findin...

5.6 AI score · 0.00435 EPSS
Exploits 0 · References 2
Hacker One
added 2022/08/25 11:35 p.m. · 67 views

Rockstar Games: Modifying Sprunk vs eCola crew data

In this report, the researcher demonstrated an Insecure Direct Object Reference vulnerability that was exploitable in certain Rockstar Official Crews on the Social Club website. Rockstar Official Crews, unlike user-made Crews, use a flat hierarchy where all members are set to the same effective...

3.5 AI score
Exploits 0
ATTACKERKB
added 2022/08/19 2:15 p.m. · 5 views

CVE-2022-34621

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the userid parameter...

6.5 CVSS · 5.9 AI score · 0.00749 EPSS
Exploits 0 · References 6
NVD
added 2022/08/19 2:15 p.m. · 12 views

CVE-2022-34621

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the userid parameter...

6.5 CVSS · 0.00749 EPSS
Exploits 0 · References 5
OSV
added 2022/08/19 2:15 p.m. · 14 views

CVE-2022-34621

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the userid parameter...

6.5 CVSS · 9.5 AI score · 0.01106 EPSS
Exploits 0 · References 5
CVE
added 2022/08/19 1:21 p.m. · 61 views

CVE-2022-34621

Mealie 1.0.0beta3 is affected by an Insecure Direct Object Reference (IDOR) vulnerability triggered via modification of the user_id parameter, enabling attackers to modify user passwords and other attributes. The root cause is an IDOR flaw that exposes unauthorized access to user data. Public dis...

6.5 CVSS · 6.5 AI score · 0.01106 EPSS
Exploits 0 · References 5 · Affected Software 1
Positive Technologies
added 2022/08/19 12:00 a.m. · 5 views

PT-2022-22250 · Mealie · Mealie

Name of the Vulnerable Software and Affected Versions: Mealie version 1.0.0beta3. Description: The issue allows attackers to modify user passwords and other attributes via modification of the user id parameter. This is due to an Insecure Direct Object Reference (IDOR) vulnerability. Recommendations:...

9.8 CVSS · 5.6 AI score · 0.01106 EPSS
Exploits 0 · References 8
Positive Technologies
added 2022/08/09 12:00 a.m. · 2 views

PT-2022-6404 · Adobe · Commerce

Name of the Vulnerable Software and Affected Versions: Adobe Commerce versions 2.4.3-p2 and earlier; Adobe Commerce versions 2.3.7-p3 and earlier; Adobe Commerce versions 2.4.4 and earlier. Description: The issue is related to insufficient input validation, allowing a remote attacker to potentially...

9 CVSS · 8.4 AI score · 0.01091 EPSS
Exploits 0 · References 11