CVE-2021-46416
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecur
CVSS
8.1
Alto
EPSS
4.2%
p90
KEV
—
Exploit Today
27
0-100
Publicado: 7 abr 2022 · Última mod.: 13 jul 2026 · CWE-639
4.2%EPSS · 30 días6.7%
2026-06-302026-07-16
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.
- packetstormsecurity.comhttp://packetstormsecurity.com/files/166670/SAM-SUNNY-TRIPOWER-5.0-Insecure-Direct-Object-Reference.html
- drive.google.comhttps://drive.google.com/drive/folders/1BPULhDC_g__seH_VnQlVtkrKdOLkXdzV?usp=sharing
- www.sma.dehttps://www.sma.de/en/products/solarinverters/sunny-tripower-30-40-50-60.html
- packetstormsecurity.comhttp://packetstormsecurity.com/files/166670/SAM-SUNNY-TRIPOWER-5.0-Insecure-Direct-Object-Reference.html
- drive.google.comhttps://drive.google.com/drive/folders/1BPULhDC_g__seH_VnQlVtkrKdOLkXdzV?usp=sharing
- www.sma.dehttps://www.sma.de/en/products/solarinverters/sunny-tripower-30-40-50-60.html
- packetstormsecurity.comhttp://packetstormsecurity.com/files/166670/SAM-SUNNY-TRIPOWER-5.0-Insecure-Direct-Object-Reference.html
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-552558.4 ALT42.8%
KEV—63Langflow Authorization Bypass Through User-Controlled Key Vulnerability8dCVE-2022-289867.5 ALT80.8%
——24LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: 2021072900 has an Insecure direct object references (IDOR) vulnerability, which allows remote attackers to update sensitive records such as email, password and phone number of other user accounts.8dCVE-2020-234465.3 MED65.5%
——20Verint Workforce Optimization suite 15.1 (15.1.0.37634) has Unauthenticated Information Disclosure via API8dCVE-2021-33806.5 MED61.5%
——18Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.8dCVE-2022-362029.8 CRÍ51.5%
——15Doctor's Appointment System1.0 is vulnerable to Incorrect Access Control via edoc/patient/settings.php. The settings.php is affected by Broken Access Control (IDOR) via id= parameter.8dCVE-2020-266794.3 MED51.4%
——15vFairs 3.3 is affected by Insecure Permissions. Any user logged in to a vFairs virtual conference or event can modify any other users profile information or profile picture. After receiving any user's unique identification number and their own, an HTTP POST request can be made update their profile description or supply a new profile image. This can lead to potential cross-site scripting attacks on any user, or upload malicious PHP webshells as "profile pictures." The user IDs can be easily determined by other responses from the API for an event or chat room.8d