Vulnerabilities > Authorization Bypass Through User-Controlled Key
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-28 | CVE-2019-15581 | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules. | 5.3 |
| 2020-01-14 | CVE-2020-5194 | Authorization Bypass Through User-Controlled Key vulnerability in Cerberusftp FTP Server 8.0 The zip API endpoint in Cerberus FTP Server 8 allows an authenticated attacker without zip permission to use the zip functionality via an unrestricted API endpoint. | 5.4 |
| 2020-01-13 | CVE-2019-20209 | Authorization Bypass Through User-Controlled Key vulnerability in Cththemes Citybook, Easybook and Townhub The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing. | 7.5 |
| 2020-01-13 | CVE-2020-6859 | Authorization Bypass Through User-Controlled Key vulnerability in Ultimatemember Ultimate Member Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. | 5.3 |
| 2020-01-03 | CVE-2019-19259 | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an Insecure Direct Object Reference (IDOR). | 4.3 |
| 2019-12-20 | CVE-2019-15913 | Authorization Bypass Through User-Controlled Key vulnerability in MI products An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. | 9.8 |
| 2019-12-18 | CVE-2019-5469 | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets. | 6.5 |
| 2019-12-06 | CVE-2019-19616 | Authorization Bypass Through User-Controlled Key vulnerability in Xtivia web Time and Expense 2016 An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment function. | 4.3 |
| 2019-11-21 | CVE-2014-8356 | Authorization Bypass Through User-Controlled Key vulnerability in Dasanzhone Znid 2426A Firmware The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference. | 8.8 |
| 2019-11-21 | CVE-2019-16546 | Authorization Bypass Through User-Controlled Key vulnerability in Jenkins Google Compute Engine Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. | 5.9 |