CWE-639

Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).

An Insecure Direct Object Reference (IDOR) issue in fn2Web in ihb eG FlexNow before 2.04.09.016 allows remote authenticated attackers to obtain sensitive student information (final grades, study courses, degrees) by changing the student ID parameter in the HTTP POST request to the FrontControllerSS endpoint.

In oretnom23 Automotive Shop Management System v1.0, the name id parameter is vulnerable to IDOR – Broken Access Control allowing attackers to change the admin password(vertical privilege escalation)

The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id’s might also be an option but I wouldn’t count on it, since it would take a long time to find a valid one).

An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.