Search
Total
119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51508 | 1 Meowapps | 1 Database Cleaner | 2024-01-12 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jordy Meow Database Cleaner: Clean, Optimize & Repair.This issue affects Database Cleaner: Clean, Optimize & Repair: from n/a through 0.9.8. | |||||
| CVE-2023-51490 | 1 Wpmudev | 1 Defender Security | 2024-01-12 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPMU DEV Defender Security – Malware Scanner, Login Security & Firewall.This issue affects Defender Security – Malware Scanner, Login Security & Firewall: from n/a through 4.1.0. | |||||
| CVE-2023-51408 | 1 Studiowombat | 1 Wp Optin Wheel | 2024-01-12 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StudioWombat WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce.This issue affects WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce: from n/a through 1.4.3. | |||||
| CVE-2023-52143 | 1 Noorsplugin | 1 Wp Stripe Checkout | 2024-01-11 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Naa986 WP Stripe Checkout.This issue affects WP Stripe Checkout: from n/a through 1.2.2.37. | |||||
| CVE-2023-6064 | 1 Payhere | 1 Payhere Payment Gateway | 2024-01-08 | N/A | 7.5 HIGH |
| The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur. | |||||
| CVE-2023-1904 | 1 Octopus | 1 Octopus Server | 2023-12-19 | N/A | 7.5 HIGH |
| In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. | |||||
| CVE-2023-5499 | 1 Reachfargps | 2 Reachfar Gps, Reachfar Gps Firmware | 2023-12-19 | N/A | 7.5 HIGH |
| Information exposure vulnerability in Shenzhen Reachfar v28, the exploitation of which could allow a remote attacker to retrieve all the week's logs stored in the 'log2' directory. An attacker could retrieve sensitive information such as remembered wifi networks, sent messages, SOS device locations and device configurations. | |||||
| CVE-2023-47390 | 1 Juanfont | 1 Headscale | 2023-11-17 | N/A | 7.5 HIGH |
| Headscale through 0.22.3 writes bearer tokens to info-level logs. | |||||
| CVE-2023-0436 | 1 Mongodb | 1 Atlas Kubernetes Operator | 2023-11-14 | N/A | 7.5 HIGH |
| The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0. Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version. Required Configuration: DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 ) | |||||
| CVE-2023-4108 | 1 Mattermost | 1 Mattermost | 2023-08-15 | N/A | 7.5 HIGH |
| Mattermost fails to sanitize post metadata during audit logging resulting in permalinks contents being logged | |||||
| CVE-2022-34570 | 1 Wavlink | 2 Wl-wn579x3, Wl-wn579x3 Firmware | 2023-08-08 | N/A | 7.5 HIGH |
| WAVLINK WN579 X3 M79X3.V5030.191012/M79X3.V5030.191012 contains an information leak which allows attackers to obtain the key information via accessing the messages.txt page. | |||||
| CVE-2022-0652 | 1 Sophos | 1 Unified Threat Management | 2023-08-08 | 2.1 LOW | 7.8 HIGH |
| Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710. | |||||
| CVE-2022-27192 | 1 Asseco | 1 Dvs Avilys | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| The Reporting module in Aseco Lietuva document management system DVS Avilys before 3.5.58 allows unauthorized file download. An unauthenticated attacker can impersonate an administrator by reading administrative files. | |||||
| CVE-2023-26026 | 1 Ibm | 1 Cloud Pak For Data | 2023-07-28 | N/A | 7.5 HIGH |
| Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896. | |||||
| CVE-2023-26023 | 1 Ibm | 1 Cloud Pak For Data | 2023-07-28 | N/A | 7.5 HIGH |
| Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896. | |||||
| CVE-2021-28131 | 1 Apache | 1 Impala | 2022-07-30 | 6.0 MEDIUM | 7.5 HIGH |
| Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, therefore Impala users with access to the logs can use another authenticated user's sessions with specially constructed requests. This means the attacker is able to execute statements for which they don't have the necessary privileges otherwise. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. Mitigation: If an Impala deployment uses Apache Sentry, Apache Ranger or audit logging, then users should upgrade to a version of Impala with the fix for IMPALA-10600. The Impala 4.0 release includes this fix. This hides session secrets from the logs to eliminate the risk of any attack using this mechanism. In lieu of an upgrade, restricting access to logs that expose secrets will reduce the risk of an attack. Restricting access to the Impala deployment to trusted users will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs. | |||||
| CVE-2022-32556 | 1 Couchbase | 1 Couchbase Server | 2022-07-27 | N/A | 7.5 HIGH |
| An issue was discovered in Couchbase Server before 7.0.4. A private key is leaked to the log files with certain crashes. | |||||
| CVE-2022-23141 | 1 Zte | 2 Zxmp M721, Zxmp M721 Firmware | 2022-07-22 | N/A | 7.5 HIGH |
| ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information. | |||||
| CVE-2022-33737 | 1 Openvpn | 1 Openvpn Access Server | 2022-07-15 | 5.0 MEDIUM | 7.5 HIGH |
| The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password | |||||
| CVE-2021-35299 | 1 Zammad | 1 Zammad | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect Access Control in Zammad 1.0.x up to 4.0.0 allows attackers to obtain sensitive information via email connection configuration probing. | |||||
| CVE-2021-39291 | 1 Netmodule | 30 Nb1600, Nb1600 Firmware, Nb1601 and 27 more | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| Certain NetModule devices allow credentials via GET parameters to CLI-PHP. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800. | |||||
| CVE-2022-31098 | 1 Weave | 1 Weave Gitops | 2022-07-11 | 4.3 MEDIUM | 7.5 HIGH |
| Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfg, of registered Kubernetes clusters, including the service account tokens in plain text from Weave GitOps's pod logs on the management cluster. An unauthorized remote attacker can also view these sensitive configurations from external log storage if enabled by the management cluster. This vulnerability is due to the client factory dumping cluster configurations and their service account tokens when the cluster manager tries to connect to an API server of a registered cluster, and a connection error occurs. An attacker could exploit this vulnerability by either accessing logs of a pod of Weave GitOps, or from external log storage and obtaining all cluster configurations of registered clusters. A successful exploit could allow the attacker to use those cluster configurations to manage the registered Kubernetes clusters. This vulnerability has been fixed by commit 567356f471353fb5c676c77f5abc2a04631d50ca. Users should upgrade to Weave GitOps core version v0.8.1-rc.6 or newer. There is no known workaround for this vulnerability. | |||||
| CVE-2021-45034 | 1 Siemens | 8 Cp-8000 Master Module With I\/o -25\/\+70, Cp-8000 Master Module With I\/o -25\/\+70 Firmware, Cp-8000 Master Module With I\/o -40\/\+70 and 5 more | 2022-07-01 | 4.3 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP-8022 MASTER MODULE WITH GPRS (All versions < V16.20). The web server of the affected system allows access to logfiles and diagnostic data generated by a privileged user. An unauthenticated attacker could access the files by knowing the corresponding download links. | |||||
| CVE-2022-32254 | 1 Siemens | 1 Sinema Remote Connect Server | 2022-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). A customized HTTP POST request could force the application to write the status of a given user to a log file, exposing sensitive user information that could provide valuable guidance to an attacker. | |||||
| CVE-2022-32565 | 1 Couchbase | 1 Couchbase Server | 2022-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Couchbase Server before 7.0.4. The Backup Service log leaks unredacted usernames and document ids. | |||||
| CVE-2022-0725 | 2 Fedoraproject, Keepass | 3 Extra Packages For Enterprise Linux, Fedora, Keepass | 2022-06-14 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in KeePass. The vulnerability occurs due to logging the plain text passwords in the system log and leads to an Information Exposure vulnerability. This flaw allows an attacker to interact and read sensitive passwords and logs. | |||||
| CVE-2022-20806 | 1 Cisco | 1 Telepresence Video Communication Server | 2022-06-09 | 5.5 MEDIUM | 7.1 HIGH |
| Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to write files or disclose sensitive information on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-24875 | 1 Cve | 1 Cve-services | 2022-05-03 | 5.0 MEDIUM | 7.5 HIGH |
| The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate. | |||||
| CVE-2020-13223 | 1 Hashicorp | 1 Vault | 2022-02-21 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2. | |||||
| CVE-2021-22024 | 1 Vmware | 3 Cloud Foundation, Vrealize Operations Manager, Vrealize Suite Lifecycle Manager | 2022-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary log-file read vulnerability. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file resulting in sensitive information disclosure. | |||||
| CVE-2021-36289 | 1 Dell | 9 Emc Unity Operating Environment, Vnx5200, Vnx5400 and 6 more | 2022-01-31 | 4.6 MEDIUM | 7.8 HIGH |
| Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information and use it. | |||||
| CVE-2021-34797 | 1 Apache | 1 Geode | 2022-01-12 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0. | |||||
| CVE-2019-16204 | 1 Broadcom | 1 Fabric Operating System | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| Brocade Fabric OS Versions before v7.4.2f, v8.2.2a, v8.1.2j and v8.2.1d could expose external passwords, common secrets or authentication keys used between the switch and an external server. | |||||
| CVE-2019-16203 | 1 Broadcom | 1 Fabric Operating System | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| Brocade Fabric OS Versions before v8.2.2a and v8.2.1d could expose the credentials of the remote ESRS server when these credentials are given as a command line option when configuring the ESRS client. | |||||
| CVE-2019-3500 | 3 Aria2 Project, Debian, Fedoraproject | 3 Aria2, Debian Linux, Fedora | 2021-12-31 | 2.1 LOW | 7.8 HIGH |
| aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file. | |||||
| CVE-2021-37861 | 1 Mattermost | 1 Mattermost | 2021-12-13 | 5.0 MEDIUM | 7.5 HIGH |
| Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails. | |||||
| CVE-2021-34800 | 1 Acronis | 1 Agent | 2021-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| Sensitive information could be logged. The following products are affected: Acronis Agent (Windows, Linux, macOS) before build 27147 | |||||
| CVE-2021-20129 | 1 Draytek | 1 Vigorconnect | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability exists in Draytek VigorConnect 1.6.0-B3, allowing an unauthenticated attacker to export system logs. | |||||
| CVE-2019-5532 | 1 Vmware | 1 Vcenter Server | 2021-08-24 | 4.0 MEDIUM | 7.7 HIGH |
| VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). | |||||
| CVE-2021-21601 | 1 Dell | 2 Emc Data Protection Search, Emc Integrated Data Protection Appliance | 2021-08-18 | 2.1 LOW | 7.8 HIGH |
| Dell EMC Data Protection Search, 19.4 and prior, and IDPA, 2.6.1 and prior, contain an Information Exposure in Log File Vulnerability in CIS. A local low privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with the privileges of the compromised account. | |||||
| CVE-2019-11283 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Smb Volume | 2021-08-17 | 4.0 MEDIUM | 8.8 HIGH |
| Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume. | |||||
| CVE-2019-14846 | 3 Debian, Opensuse, Redhat | 6 Debian Linux, Backports Sle, Leap and 3 more | 2021-08-07 | 2.1 LOW | 7.8 HIGH |
| In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. | |||||
| CVE-2018-16856 | 2 Openstack, Redhat | 2 Octavia, Openstack | 2021-08-04 | 5.0 MEDIUM | 7.5 HIGH |
| In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowing for information exposure. | |||||
| CVE-2020-13881 | 2 Debian, Pam Tacplus Project | 2 Debian Linux, Pam Tacplus | 2021-08-04 | 4.3 MEDIUM | 7.5 HIGH |
| In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used. | |||||
| CVE-2020-23284 | 1 Mv | 1 Idce | 2021-07-31 | 5.0 MEDIUM | 7.5 HIGH |
| Information disclosure in aspx pages in MV's IDCE application v1.0 allows an attacker to copy and paste aspx pages in the end of the URL application that connect into the database which reveals internal and sensitive information without logging into the web application. | |||||
| CVE-2020-21933 | 1 Motorola | 2 Cx2, Cx2 Firmware | 2021-07-30 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n where the admin password and private key could be found in the log tar package. | |||||
| CVE-2020-26106 | 1 Cpanel | 1 Cpanel | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558). | |||||
| CVE-2021-22516 | 1 Microfocus | 1 Secure Api Manager | 2021-06-15 | 5.0 MEDIUM | 7.5 HIGH |
| Insertion of Sensitive Information into Log File vulnerability in Micro Focus Secure API Manager (SAPIM) product, affecting version 2.0.0. The vulnerability could lead to sensitive information being in a log file. | |||||
| CVE-2020-15380 | 1 Broadcom | 1 Sannav | 2021-06-11 | 5.0 MEDIUM | 7.5 HIGH |
| Brocade SANnav before version 2.1.1 logs account credentials at the ‘trace’ logging level. | |||||
| CVE-2021-3528 | 1 Redhat | 1 Noobaa-operator | 2021-06-02 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration. | |||||