Vulnerabilities > Authorization Bypass Through User-Controlled Key
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-13 | CVE-2023-49339 | Authorization Bypass Through User-Controlled Key vulnerability in Ellucian Banner Ellucian Banner 9.17 allows Insecure Direct Object Reference (IDOR) via a modified bannerId to the /StudentSelfService/ssb/studentCard/retrieveData endpoint. | 6.5 |
| 2024-02-12 | CVE-2024-0421 | Authorization Bypass Through User-Controlled Key vulnerability in Mappresspro Mappress Maps for Wordpress The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts. | 5.3 |
| 2024-02-05 | CVE-2024-0366 | Authorization Bypass Through User-Controlled Key vulnerability in Squirrly Starbox The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. | 4.3 |
| 2024-02-05 | CVE-2023-6983 | Authorization Bypass Through User-Controlled Key vulnerability in Josevega Display Custom Fields in the Frontend - Post and User Profile Fields The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user controlled key. | 4.3 |
| 2024-01-29 | CVE-2023-7199 | Authorization Bypass Through User-Controlled Key vulnerability in Relevanssi The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request | 5.3 |
| 2024-01-29 | CVE-2024-23747 | Authorization Bypass Through User-Controlled Key vulnerability in Modernasistemas Modernanet Hospital Management System 2024 The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. | 7.5 |
| 2024-01-22 | CVE-2023-6384 | Authorization Bypass Through User-Controlled Key vulnerability in Wp-Eventmanager User Profile Avatar The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar | 4.3 |
| 2024-01-17 | CVE-2023-7031 | Authorization Bypass Through User-Controlled Key vulnerability in Avaya Aura Experience Portal Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. | 4.3 |
| 2024-01-17 | CVE-2023-36235 | Authorization Bypass Through User-Controlled Key vulnerability in Webkul Qloapps An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter. | 6.5 |
| 2024-01-11 | CVE-2023-6223 | Authorization Bypass Through User-Controlled Key vulnerability in Thimpress Learnpress The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. | 4.3 |