Ontime
Monthly
Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.
Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).
Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.
Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).