Total
833 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31867 | 2025-04-01 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Job Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Job Manager: from n/a through 2.0.2. | |||||
| CVE-2025-31833 | 2025-04-01 | N/A | 4.9 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through 1.2.7. | |||||
| CVE-2024-28320 | 1 Mayurik | 1 Hospital Management System | 2025-04-01 | N/A | 7.6 HIGH |
| Insecure Direct Object References (IDOR) vulnerability in Hospital Management System 1.0 allows attackers to manipulate user parameters for unauthorized access and modifications via crafted POST request to /patient/edit-user.php. | |||||
| CVE-2025-1667 | 1 Igexsolutions | 1 Wpschoolpress | 2025-03-28 | N/A | 8.8 HIGH |
| The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators. | |||||
| CVE-2024-4886 | 1 Buddyboss | 1 Buddyboss Platform | 2025-03-27 | N/A | 4.3 MEDIUM |
| The contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request | |||||
| CVE-2025-30777 | 2025-03-27 | N/A | 4.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in PalsCode Support Genix allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Support Genix: from n/a through 1.4.11. | |||||
| CVE-2024-55231 | 1 Phpgurukul | 1 Online Notes Sharing Management System | 2025-03-27 | N/A | 4.3 MEDIUM |
| An IDOR vulnerability in the edit-notes.php module of PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to modify notes belonging to other accounts due to missing authorization checks. This flaw exposes sensitive data and enables attackers to alter another user's information. | |||||
| CVE-2024-12062 | 1 Nicheaddons | 1 Charity Addon For Elementor | 2025-03-27 | N/A | 4.3 MEDIUM |
| The Charity Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.2 via the 'nacharity_elementor_template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | |||||
| CVE-2024-33818 | 2025-03-27 | N/A | 7.5 HIGH | ||
| Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter. | |||||
| CVE-2024-13558 | 1 Neahplugins | 1 Np Quote Request For Woocommerce | 2025-03-27 | N/A | 7.5 HIGH |
| The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to read the content of quote requests. | |||||
| CVE-2022-34138 | 1 Biltema | 4 Baby Camera, Baby Camera Firmware, Ip Camera and 1 more | 2025-03-26 | N/A | 7.5 HIGH |
| Insecure direct object references (IDOR) in the web server of Biltema IP and Baby Camera Software v124 allows attackers to access sensitive information. | |||||
| CVE-2024-40395 | 1 Ptc | 1 Thingworx | 2025-03-25 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object Reference (IDOR) in PTC ThingWorx v9.5.0 allows attackers to view sensitive information, including PII, regardless of access level. | |||||
| CVE-2024-25270 | 1 Mirapolis | 1 Lms | 2025-03-25 | N/A | 4.3 MEDIUM |
| An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulnerability by manipulating the ID parameter and increment STEP parameter, leading to the exposure of sensitive user data. | |||||
| CVE-2025-2125 | 1 Assaabloy | 1 Control Id Rhid | 2025-03-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in Control iD RH iD 25.2.25.0 and classified as problematic. This vulnerability affects unknown code of the file /v2/report.svc/comprovante_marcacao/?companyId=1 of the component PDF Document Handler. The manipulation of the argument nsr leads to improper control of resource identifiers. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-13407 | 1 Omnipressteam | 1 Omnipress | 2025-03-21 | N/A | 4.3 MEDIUM |
| The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2024-31296 | 1 Reputeinfosystems | 1 Bookingpress | 2025-03-20 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Repute Infosystems BookingPress.This issue affects BookingPress: from n/a through 1.0.81. | |||||
| CVE-2024-47047 | 1 In2code | 1 Powermail | 2025-03-17 | N/A | 7.5 HIGH |
| An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1. | |||||
| CVE-2024-11285 | 2025-03-14 | N/A | 9.8 CRITICAL | ||
| The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2024-11284 | 2025-03-14 | N/A | 9.8 CRITICAL | ||
| The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |||||
| CVE-2024-27630 | 2025-03-13 | N/A | 7.5 HIGH | ||
| Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function. | |||||