ReportizFlow
Filtered by vendor
Subscriptions
Total
722 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-23722 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 8.8 High |
| An issue was discovered in FUEL CMS 1.4.7. There is a escalation of privilege vulnerability to obtain super admin privilege via the "id" and "fuel_id" parameters. | ||||
| CVE-2020-23449 | 1 Newbee-mall Project | 1 Newbee-mall | 2024-11-21 | 7.5 High |
| newbee-mall all versions are affected by incorrect access control to remotely gain privileges through NewBeeMallIndexConfigServiceImpl.java. Unauthorized changes can be made to any user information through the userID. | ||||
| CVE-2020-23446 | 1 Verint | 1 Workforce Optimization | 2024-11-21 | 5.3 Medium |
| Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API | ||||
| CVE-2020-20183 | 1 Zyxel | 2 P1302-t10 V3, P1302-t10 V3 Firmware | 2024-11-21 | 7.5 High |
| Insecure direct object reference vulnerability in Zyxel’s P1302-T10 v3 with firmware version 2.00(ABBX.3) and earlier allows attackers to gain privileges and access certain admin pages. | ||||
| CVE-2020-19890 | 1 Dbhcms Project | 1 Dbhcms | 2024-11-21 | 4.9 Medium |
| DBHcms v1.2.0 has an Arbitrary file read vulnerability in dbhcms\mod\mod.editor.php $_GET['file'] is filename,and as there is no filter function for security, you can read any file's content. | ||||
| CVE-2020-16240 | 1 Ge | 1 Asset Performance Management Classic | 2024-11-21 | 5.3 Medium |
| GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference (IDOR) vulnerability allows user account data to be downloaded in JavaScript object notation (JSON) format by users who should not have access to such functionality. An attacker can download sensitive data related to user accounts without having the proper privileges. | ||||
| CVE-2020-16194 | 1 Store-opart | 1 Quote | 2024-11-21 | 5.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2. Unauthenticated attackers can have access to any user's invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields. | ||||
| CVE-2020-15958 | 1 1crm | 1 1crm | 2024-11-21 | 8.6 High |
| An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL. | ||||
| CVE-2020-14174 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-11-21 | 4.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1. | ||||
| CVE-2020-13998 | 1 Citrix | 1 Xenapp | 2024-11-21 | 5.3 Medium |
| Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | ||||
| CVE-2020-13923 | 1 Apache | 1 Ofbiz | 2024-11-21 | 5.3 Medium |
| IDOR vulnerability in the order processing feature from ecommerce component of Apache OFBiz before 17.12.04 | ||||
| CVE-2020-13700 | 1 Acf To Rest Api Project | 1 Acf To Rest Api | 2024-11-21 | 7.5 High |
| An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values. | ||||
| CVE-2020-13462 | 1 Tufin | 1 Securetrack | 2024-11-21 | 5.7 Medium |
| Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA. | ||||
| CVE-2020-13357 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project. | ||||
| CVE-2020-12643 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 4.3 Medium |
| OX App Suite 7.10.3 and earlier has Incorrect Access Control via an /api/subscriptions request for a snippet containing an email address. | ||||
| CVE-2020-11659 | 1 Broadcom | 1 Ca Api Developer Portal | 2024-11-21 | 4.3 Medium |
| CA API Developer Portal 4.3.1 and earlier contains an access control flaw that allows privileged users to perform a restricted user administration action. | ||||
| CVE-2020-11658 | 1 Broadcom | 1 Ca Api Developer Portal | 2024-11-21 | 9.8 Critical |
| CA API Developer Portal 4.3.1 and earlier handles shared secret keys in an insecure manner, which allows attackers to bypass authorization. | ||||
| CVE-2020-11589 | 1 Cipplanner | 1 Cipace | 2024-11-21 | 7.5 High |
| An Insecure Direct Object Reference issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make a GET request to a certain URL and obtain information that should be provided to authenticated users only. | ||||
| CVE-2020-11585 | 1 Dnnsoftware | 1 Dotnetnuke | 2024-11-21 | 4.3 Medium |
| There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter. | ||||
| CVE-2020-11009 | 1 Pagerduty | 1 Rundeck | 2024-11-21 | 6.5 Medium |
| In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher. This vulnerability is patched in version 3.2.6 | ||||