| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability has been found in Campcodes Online Laundry Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file manage_user.php of the component HTTP Request Parameter Handler. The manipulation of the argument id leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-263938 is the identifier assigned to this vulnerability. |
| A vulnerability was found in Campcodes Online Laundry Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file admin_class.php. The manipulation of the argument type with the input 1 leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263940. |
| A vulnerability classified as critical was found in SourceCodester Employee Task Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-task.php. The manipulation of the argument task_id leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257077 was assigned to this vulnerability. |
| A vulnerability, which was classified as critical, has been found in SourceCodester Employee Task Management System 1.0. Affected by this issue is some unknown functionality of the file /task-details.php. The manipulation of the argument task_id leads to authorization bypass. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257078 is the identifier assigned to this vulnerability. |
| A vulnerability, which was classified as critical, was found in SourceCodester Employee Task Management System 1.0. This affects an unknown part of the file /update-admin.php. The manipulation of the argument admin_id leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257079. |
| A vulnerability has been found in SourceCodester Employee Task Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /update-employee.php. The manipulation of the argument admin_id leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257080. |
| Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information. |
| WisdomGarden Tronclass has improper access control when uploading file. An authenticated remote attacker with general user privilege can exploit this vulnerability to access files belonging to other users by modifying the file ID within URL. |
| HGiga MailSherlock has vulnerability of insufficient access control. An unauthenticated remote user can exploit this vulnerability to access partial content of another user’s mail by changing user ID and mail ID within URL. |
| An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request. |
| Authorization Bypass Through User-Controlled Key vulnerability in NetIQ (OpenText) Client Login Extension on Windows allows Privilege Escalation, Code Injection.This issue
only
affects NetIQ Client Login Extension: 4.6.
|
| Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform. |
| An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. |
| A logic issue was addressed with improved checks. This issue is fixed in watchOS 9.5, macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6, iOS 16.5 and iPadOS 16.5. An app may bypass Gatekeeper checks. |
| The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. |
| Authorization Bypass Through User-Controlled Key in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0. |
| Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100. |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group. |
| A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN.
Full versions and TV models affected:
webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
|
| An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file. |