Atlassian Confluence 5.2/5.8.14/5.8.15 - Multiple Vulnerabilities

Systems Affected Product : Confluence Company : Atlassian Versions 1 : 5.2 / 5.8.14 / 5.8.15 CVSS Score 1 : 6.1 / Medium classified by vendor Versions 2 : 5.9.1 / 5.8.14 / 5.8.15 CVSS Score 2 : 7.7 / High classified by vendor Product Description Confluence is team collaboration software, where yo...

Atlassian Confluence XSS / Insecure Direct Object Reference

Systems Affected Product : Confluence Company : Atlassian Versions 1 : 5.2 / 5.8.14 / 5.8.15 CVSS Score 1 : 6.1 / Medium classified by vendor Versions 2 : 5.9.1 / 5.8.14 / 5.8.15 CVSS Score 2 : 7.7 / High classified by vendor Product Description Confluence is team collaboration software, where yo...

sysPass 1.0.9 Insecure Direct Object Reference

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-046 Product: sysPass Manufacturer: http://cygnux.org/ Affected Versions: 1.0.9 and below Tested Versions: 1.0.9 Vulnerability Type: Insecure Direct Object References CWE-932 Exposure of Backup File to an Unauthorized Control...

Insecure Direct Object Reference

The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. http:///spaces/viewdefaultdecorator.action?decoratorName=...

Insecure Direct Object Reference

The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. http:///spaces/viewdefaultdecorator.action?decoratorName=...

Insecure Direct Object Reference

The following URL is vulnerable to Insecure Direct Object Reference, allowing any authenticated user to read configuration files from the application such as the content of webapp directory in confluence. http:///spaces/viewdefaultdecorator.action?decoratorName=...

Multiple Vulnerabilities found in ZHONE

Vantage Point Security Advisory 2015-002 ======================================== Title: Multiple Vulnerabilities found in ZHONE Vendor: Zhone Vendor URL: http://www.zhone.com Device Model: ZHONE ZNID GPON 2426A 24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models Versions affected: S3.0.501...

ZHONE ZNID GPON < 3.1.241 Multiple Vulnerabilities

ZHONE ZNID GPON is vulnerable to multiple vulnerabilities. SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Design/Logic Flaw

WebKit in Apple iOS before 9 allows remote attackers to bypass the Same Origin Policy and obtain an object reference via vectors involving a 1 custom event, 2 message event, or 3 pop state event...

UBUNTU-CVE-2015-5827

WebKit in Apple iOS before 9 allows remote attackers to bypass the Same Origin Policy and obtain an object reference via vectors involving a 1 custom event, 2 message event, or 3 pop state event...

Page2Flip 2.5 Insecure Direct Object Reference

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-029 Product: Page2Flip Vendor: w!ssenswerft GmbH Affected Versions: Premium App 2.5, probably also in Business App and Basic App, and in lower versions Tested Versions: Premium App 2.5 Vulnerability Type: Insecure Direct Objec...

[SYSS-2015-029] Insecure Direct Object Reference &#40;CWE-932&#41; in Page2Flip Premium App 2.5

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-029 Product: Page2Flip Vendor: w!ssenswerft GmbH Affected Versions: Premium App 2.5, probably also in Business App and Basic App, and in lower versions Tested Versions: Premium App 2.5 Vulnerability Type: Insecure Direct Objec...

Weebly.com Insecure Direct Object Reference

Title: Hijack any website from weebly.com by just adding an administrator to their website. Insecure Direct Object Reference Vulnerability ===== Weebly is a web-hosting service that allows the user to “drag-and-drop” while using their website builder. As of August 2012, Weebly hosts over 20 milli...

phpList 3.0.10 Insecure Direct Object Reference

Affected software: phplist Type of vulnerability: insecure object reference URL:phplist.com Discovered by: Provensec Website: http://www.provensec.com version: phpList ltd. - v3.0.10 Proof of concept insecure object refrenced on page deltetation vuln param:delete example:...

X (Formerly Twitter): Insecure Direct Object Reference - access to other user/group DM's

Hello, I found a way to access group DM's which i don't have access to, Conditions to be met: - Should have been in that DM group atleast once. Exploitation ways: =============== - let's say they're three twitter profiles, Naruto , Goku and Eren. - Naruto creates a DM group in between himself ,...

X (Formerly Twitter): Insecure direct object reference - have access to deleted DM's

Hello, The bug is straight and simple, I have access to deleted DM's. Once a DM is deleted a user/app will still be able to access the DM's using show DM endpoint Attack Scenario ==================== Their are two accounts Sam and Molly , Sam Dm's Molly something important and both quickly delete...

Vimeo: Insecure Direct Object References that allows to read any comment (even if it should be private)

Dear Vimeo Team, in combination with my previous bug i discovered that it was possible to read any comment on any video even if the video is private: I did a short POC on the Insecure Direct Object Reference. If an attacker wants to exploit this issue he has to know the ID of the comment, which...

Vimeo: CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.

Hello, This time I found a IDORInsecure Direct Object Reference vulnerability. It allows an attacker to get unauthorized access to Videos of Channel whose privacy is set to Only moderators and people I choose without being a member. In simple words, we can access videos of private channel without...

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...

CVE-2014-8372

AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 FP3 allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference...