Total
1083 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30254 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. | ||||
| CVE-2025-30514 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). | ||||
| CVE-2025-12087 | 2 Acowebs, Wordpress | 2 Wishlist And Save For Later For Woocommerce, Wordpress | 2025-11-12 | 4.3 Medium |
| The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists. | ||||
| CVE-2025-12833 | 2 Paoltaia, Wordpress | 2 Geodirectory, Wordpress | 2025-11-12 | 4.3 Medium |
| The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'post_attachment_upload' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to attach arbitrary image files to arbitrary places. | ||||
| CVE-2025-62241 | 1 Liferay | 2 Digital Experience Platform, Dxp | 2025-11-12 | 4.3 Medium |
| Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. | ||||
| CVE-2025-64431 | 1 Zitadel | 1 Zitadel | 2025-11-12 | N/A |
| Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3. | ||||
| CVE-2025-12854 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-11-12 | 3.7 Low |
| A vulnerability was identified in newbee-mall-plus up to 2.4.1. This vulnerability affects the function executeSeckill of the file /seckillExecution/. The manipulation of the argument userid leads to authorization bypass. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. | ||||
| CVE-2025-12353 | 2 Getwpfunnels, Wordpress | 2 Wpfunnels, Wordpress | 2025-11-12 | 5.3 Medium |
| The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled. | ||||
| CVE-2025-11748 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 4.3 Medium |
| The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode. | ||||
| CVE-2025-31950 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can obtain EV charger energy consumption information of other users. | ||||
| CVE-2025-31945 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can obtain other users' charger information. | ||||
| CVE-2025-31654 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | ||||
| CVE-2025-31360 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 6.5 Medium |
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | ||||
| CVE-2025-27568 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. | ||||
| CVE-2025-24487 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can infer the existence of usernames in the system by querying an API. | ||||
| CVE-2023-38965 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-11-11 | 9.8 Critical |
| Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI. | ||||
| CVE-2025-11690 | 1 Cfmoto | 1 Ride | 2025-11-10 | 8.5 High |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. The fix for this vulnerability is a server-side authorization fix. | ||||
| CVE-2025-62242 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-11-07 | 4.3 Medium |
| Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter. | ||||
| CVE-2025-63248 | 1 Diaowen | 1 Dwsurvey | 2025-11-06 | 7.5 High |
| DWSurvey 6.14.0 is vulnerable to Incorrect Access Control. When deleting a questionnaire, replacing the questionnaire ID with the ID of another questionnaire can enable the deletion of other questionnaires. | ||||
| CVE-2025-7938 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-11-06 | 4.3 Medium |
| A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||