Total
1511 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-31147 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | ||||
| CVE-2025-41069 | 1 T-innova | 1 Deporsite | 2025-11-14 | N/A |
| Insecure Direct Object Reference (IDOR) vulnerability in DeporSite of T-INNOVA. This vulnerability allows an attacker to access or modify unauthorized resources by manipulating requests using the 'idUsuario' parameter in ‘/ajax/TInnova_v2/Formulario_Consentimiento/llamadaAjax/obtenerDatosConsentimientos’, which could lead to the exposure or alteration os confidential data. | ||||
| CVE-2024-12767 | 1 Buddyboss | 1 Buddyboss Platform | 2025-11-13 | 3.5 Low |
| The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts | ||||
| CVE-2025-27938 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). | ||||
| CVE-2025-27939 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 7.5 High |
| An attacker can change registered email addresses of other users and take over arbitrary accounts. | ||||
| CVE-2025-30254 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. | ||||
| CVE-2025-30514 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). | ||||
| CVE-2025-62241 | 1 Liferay | 2 Digital Experience Platform, Dxp | 2025-11-12 | 4.3 Medium |
| Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. | ||||
| CVE-2025-12854 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-11-12 | 3.7 Low |
| A vulnerability was identified in newbee-mall-plus up to 2.4.1. This vulnerability affects the function executeSeckill of the file /seckillExecution/. The manipulation of the argument userid leads to authorization bypass. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. | ||||
| CVE-2025-64431 | 1 Zitadel | 1 Zitadel | 2025-11-12 | N/A |
| Zitadel is an open source identity management platform. Versions 4.0.0-rc.1 through 4.6.2 are vulnerable to secure Direct Object Reference (IDOR) attacks through its V2Beta API, allowing authenticated users with specific administrator roles within one organization to access and modify data belonging to other organizations. Note that this vulnerability is limited to organization-level data (name, domains, metadata). No other related data (such as users, projects, applications, etc.) is affected. This issue is fixed in version 4.6.3. | ||||
| CVE-2025-11748 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 4.3 Medium |
| The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode. | ||||
| CVE-2025-31950 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can obtain EV charger energy consumption information of other users. | ||||
| CVE-2025-31945 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can obtain other users' charger information. | ||||
| CVE-2025-31654 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | ||||
| CVE-2025-31360 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 6.5 Medium |
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | ||||
| CVE-2025-27568 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. | ||||
| CVE-2025-24487 | 1 Growatt | 1 Cloud Portal | 2025-11-12 | 5.3 Medium |
| An unauthenticated attacker can infer the existence of usernames in the system by querying an API. | ||||
| CVE-2023-38965 | 1 Oretnom23 | 1 Lost And Found Information System | 2025-11-11 | 9.8 Critical |
| Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI. | ||||
| CVE-2025-11690 | 1 Cfmoto | 1 Ride | 2025-11-10 | 8.5 High |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users’ vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. The fix for this vulnerability is a server-side authorization fix. | ||||
| CVE-2025-62242 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-11-07 | 4.3 Medium |
| Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter. | ||||