Search
Total
352 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2394 | 1 Perforce | 1 Puppet Bolt | 2022-07-27 | N/A | 3.5 LOW |
| Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise. | |||||
| CVE-2021-40086 | 1 Primekey | 1 Ejbca | 2022-07-12 | 3.5 LOW | 2.2 LOW |
| An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the page source would reveal the secret. | |||||
| CVE-2021-0983 | 1 Google | 1 Android | 2022-06-15 | 2.1 LOW | 3.3 LOW |
| In createAdminSupportIntent of DevicePolicyManagerService.java, there is a possible disclosure of information about installed device/profile owner package name due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-192245204 | |||||
| CVE-2017-11850 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2022-05-23 | 1.9 LOW | 2.5 LOW |
| Microsoft Graphics Component in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to log on to an affected system and run a specially crafted application due to improper handling of objects in memory, aka "Microsoft Graphics Component Information Disclosure Vulnerability". | |||||
| CVE-2017-11768 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2022-05-23 | 1.9 LOW | 2.5 LOW |
| Windows Media Player in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016, and Windows Server, version 1709 allows remote attackers to test for the presence of files on disk via a specially crafted application. due to the way Windows Media Player discloses file information, aka "Windows Media Player Information Disclosure Vulnerability." | |||||
| CVE-2021-36192 | 1 Fortinet | 1 Fortimanager | 2022-05-03 | 2.1 LOW | 3.8 LOW |
| An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS. | |||||
| CVE-2022-0474 | 1 Otrs | 1 Custom Contact Fields | 2022-02-25 | 3.5 LOW | 3.5 LOW |
| Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions. | |||||
| CVE-2018-25022 | 1 Toktok | 1 Toxcore | 2022-02-08 | 4.3 MEDIUM | 3.1 LOW |
| The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their Tox Id) by positioning themselves close to target's Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target's DHT public key and creating a DHT node with public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node. | |||||
| CVE-2019-8730 | 1 Apple | 1 Mac Os X | 2022-01-01 | 2.1 LOW | 3.3 LOW |
| The contents of locked notes sometimes appeared in search results. This issue was addressed with improved data cleanup. This issue is fixed in macOS Catalina 10.15. A local user may be able to view a user’s locked notes. | |||||
| CVE-2021-39163 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2021-12-21 | 3.5 LOW | 3.1 LOW |
| Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. As a result, only homeservers where the configuration setting `enable_group_creation` has been set to `true` are impacted. Server administrators should upgrade to 1.41.1 or higher to patch the vulnerability. There are two potential workarounds. Server administrators can set `enable_group_creation` to `false` in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators. Administrators that are using a reverse proxy could, with partial loss of group functionality, block the endpoints `/_matrix/client/r0/groups/{group_id}/rooms` and `/_matrix/client/unstable/groups/{group_id}/rooms`. | |||||
| CVE-2021-39164 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2021-12-16 | 3.5 LOW | 3.1 LOW |
| Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter, and `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter. | |||||
| CVE-2016-8217 | 1 Dell | 1 Bsafe Crypto-j | 2021-12-16 | 4.3 MEDIUM | 3.7 LOW |
| EMC RSA BSAFE Crypto-J versions prior to 6.2.2 has a PKCS#12 Timing Attack Vulnerability. A possible timing attack could be carried out by modifying a PKCS#12 file that has an integrity MAC for which the password is not known. An attacker could then feed the modified PKCS#12 file to the toolkit and guess the current MAC one byte at a time. This is possible because Crypto-J uses a non-constant-time method to compare the stored MAC with the calculated MAC. This vulnerability is similar to the issue described in CVE-2015-2601. | |||||
| CVE-2020-4951 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-11-17 | 2.1 LOW | 3.3 LOW |
| IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information. | |||||
| CVE-2021-30875 | 1 Apple | 2 Ipad Os, Iphone Os | 2021-11-01 | 2.1 LOW | 3.3 LOW |
| A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in iOS 15.1 and iPadOS 15.1. A local attacker may be able to view contacts from the lock screen. | |||||
| CVE-2021-39220 | 1 Nextcloud | 1 Mail | 2021-10-27 | 3.5 LOW | 3.5 LOW |
| Nextcloud is an open-source, self-hosted productivity platform The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does by default not render images in emails to not leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.4 or 1.11.0. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-28566 | 1 Magento | 1 Magento | 2021-09-14 | 4.0 MEDIUM | 2.7 LOW |
| Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation. | |||||
| CVE-2020-1739 | 3 Debian, Fedoraproject, Redhat | 6 Debian Linux, Fedora, Ansible and 3 more | 2021-08-07 | 3.3 LOW | 3.9 LOW |
| A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs. | |||||
| CVE-2021-21587 | 1 Dell | 1 Wyse Management Suite | 2021-07-31 | 2.1 LOW | 3.3 LOW |
| Dell Wyse Management Suite versions 3.2 and earlier contain a full path disclosure vulnerability. A local unauthenticated attacker could exploit this vulnerability in order to obtain the path of files and folders. | |||||
| CVE-2021-20478 | 1 Ibm | 1 Cloud Pak System | 2021-07-29 | 2.1 LOW | 3.3 LOW |
| IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console. IBM X-Force ID: 197497. | |||||
| CVE-2020-9773 | 1 Apple | 5 Ipados, Iphone Os, Mac Os X and 2 more | 2021-07-21 | 4.3 MEDIUM | 3.3 LOW |
| The issue was addressed with improved handling of icon caches. This issue is fixed in iOS 14.0 and iPadOS 14.0. A malicious application may be able to identify what other applications a user has installed. | |||||
| CVE-2019-14357 | 1 Mooltipass | 2 Mooltipass Mini, Mooltipass Mini Firmware | 2021-07-21 | 1.9 LOW | 2.4 LOW |
| ** DISPUTED ** On Mooltipass Mini devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that an attack is not "realistically implementable." | |||||
| CVE-2020-4248 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2021-07-21 | 4.0 MEDIUM | 2.7 LOW |
| IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 175484. | |||||
| CVE-2020-9077 | 1 Huawei | 2 P30, P30 Firmware | 2021-07-21 | 4.3 MEDIUM | 3.3 LOW |
| HUAWEI P30 smart phones with versions earlier than 10.1.0.160(C00E160R2P11) have an information exposure vulnerability. The system does not properly authenticate the application that access a specified interface. Attackers can trick users into installing malicious software to exploit this vulnerability and obtain some information about the device. Successful exploit may cause information disclosure. | |||||
| CVE-2020-5893 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2021-07-21 | 4.3 MEDIUM | 3.7 LOW |
| In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Edge Client over an unsecure network, BIG-IP Edge Client responds to authentication requests over HTTP while sending probes for captive portal detection. | |||||
| CVE-2020-9102 | 1 Huawei | 8 Cloudengine 12800, Cloudengine 12800 Firmware, Cloudengine 5800 and 5 more | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| There is a information leak vulnerability in some Huawei products, and it could allow a local attacker to get information. The vulnerability is due to the improper management of the username. An attacker with the ability to access the device and cause the username information leak. Affected product versions include: CloudEngine 12800 versions V200R002C50SPC800, V200R003C00SPC810, V200R005C00SPC800, V200R005C10SPC800, V200R019C00SPC800; CloudEngine 5800 versions V200R002C50SPC800, V200R003C00SPC810, V200R005C00SPC800, V200R005C10SPC800, V200R019C00SPC800; CloudEngine 6800 versions V200R002C50SPC800, V200R003C00SPC810, V200R005C00SPC800, V200R005C10SPC800, V200R005C20SPC800, V200R019C00SPC800; CloudEngine 7800 versions V200R002C50SPC800, V200R003C00SPC810, V200R005C00SPC800, V200R005C10SPC800, V200R019C00SPC800 | |||||
| CVE-2019-8775 | 1 Apple | 3 Ipados, Iphone Os, Watchos | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| The issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 13.1 and iPadOS 13.1. A person with physical access to an iOS device may be able to access contacts from the lock screen. | |||||
| CVE-2020-4650 | 1 Ibm | 1 Maximo Spatial Asset Management | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| IBM Maximo Spatial Asset Management 7.6.0.3, 7.6.0.4, 7.6.0.5, and 7.6.1.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 186023. | |||||
| CVE-2019-8732 | 1 Apple | 1 Iphone Os | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| The issue was addressed with improved data deletion. This issue is fixed in iOS 13. Deleted calls remained visible on the device. | |||||
| CVE-2019-9942 | 1 Symfony | 1 Twig | 2021-07-21 | 4.3 MEDIUM | 3.7 LOW |
| A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place. | |||||
| CVE-2019-4705 | 1 Ibm | 1 Security Identity Manager Virtual Appliance | 2021-07-21 | 4.0 MEDIUM | 2.7 LOW |
| IBM Security Identity Manager Virtual Appliance 7.0.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 172015. | |||||
| CVE-2020-11606 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| An issue was discovered on Samsung mobile devices with Q(10.0) software. Information about application preview (in the Secure Folder) leaks on a locked device. The Samsung ID is SVE-2019-16463 (April 2020). | |||||
| CVE-2020-9780 | 1 Apple | 2 Ipados, Iphone Os | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| The issue was resolved by clearing application previews when content is deleted. This issue is fixed in iOS 13.4 and iPadOS 13.4. A local user may be able to view deleted content in the app switcher. | |||||
| CVE-2019-8566 | 1 Apple | 1 Iphone Os | 2021-07-21 | 4.3 MEDIUM | 3.3 LOW |
| An API issue existed in the handling of microphone data. This issue was addressed with improved validation. This issue is fixed in iOS 12.2. A malicious application may be able to access the microphone without indication to the user. | |||||
| CVE-2020-12755 | 1 Kde | 1 Kio-extras | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of a password. | |||||
| CVE-2020-11602 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Google Assistant leaks clipboard contents on a locked device. The Samsung ID is SVE-2019-16558 (April 2020). | |||||
| CVE-2020-9848 | 1 Apple | 2 Ipad Os, Iphone Os | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 13.5 and iPadOS 13.5. A person with physical access to an iOS device may be able to view notification contents from the lockscreen. | |||||
| CVE-2020-3859 | 1 Apple | 2 Ipados, Iphone Os | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. A person with physical access to an iOS device may be able to access contacts from the lock screen. | |||||
| CVE-2019-8742 | 1 Apple | 1 Iphone Os | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| The issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 13. A person with physical access to an iOS device may be able to access contacts from the lock screen. | |||||
| CVE-2020-4591 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Server, Linux Kernel and 1 more | 2021-07-21 | 1.9 LOW | 3.3 LOW |
| IBM Spectrum Protect Server 8.1.0.000 through 8.1.10.000 could disclose sensitive information in nondefault settings due to occasionally not encrypting the second chunk of an object in an encrypted container pool. IBM X-Force ID: 184746. | |||||
| CVE-2020-6317 | 1 Sap | 1 Adaptive Server Enterprise | 2021-07-21 | 2.7 LOW | 3.5 LOW |
| In certain situations, an attacker with regular user credentials and local access to an ASE cockpit installation can access sensitive information which appears in the installation log files. This information although sensitive is of limited utility and cannot be used to further access, modify or render unavailable any other information in the cockpit or system. This affects SAP Adaptive Server Enterprise, Versions - 15.7, 16.0. | |||||
| CVE-2019-20625 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| An issue was discovered on Samsung mobile devices with N(7.1) and O(8.x) (Exynos chipsets) software. The ion debugfs driver allows information disclosure. The Samsung ID is SVE-2018-13427 (February 2019). | |||||
| CVE-2019-14359 | 1 Real-sec | 2 Bc Vault, Bc Vault Firmware | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| ** DISPUTED ** On BC Vault devices, a side channel for the row-based SSD1309 OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover a data value. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that there is no security impact: the only potentially leaked information is the number of characters in the PIN. | |||||
| CVE-2020-4164 | 1 Ibm | 1 Security Information Queue | 2021-07-21 | 4.0 MEDIUM | 2.7 LOW |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could expose sensitive information from applicatino errors which could be used in further attacks against the system. IBM X-Force ID: 174400. | |||||
| CVE-2020-14548 | 1 Oracle | 1 Business Intelligence | 2021-07-21 | 2.1 LOW | 3.4 LOW |
| Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). | |||||
| CVE-2020-14542 | 1 Oracle | 1 Solaris | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| Vulnerability in the Oracle Solaris product of Oracle Systems (component: libsuri). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 3.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2019-20598 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 2.4 LOW |
| An issue was discovered on Samsung mobile devices with O(8.x) software. Bixby leaks the keyboard's learned words, and the clipboard contents, via the lock screen. The Samsung IDs are SVE-2018-12896, SVE-2018-12897 (May 2019). | |||||
| CVE-2020-24366 | 1 Jetbrains | 1 Youtrack | 2021-07-21 | 2.1 LOW | 3.3 LOW |
| Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups. | |||||
| CVE-2020-6752 | 1 Openmicroscopy | 1 Omero | 2021-07-21 | 5.5 MEDIUM | 3.8 LOW |
| In OMERO before 5.6.1, group owners can access members' data in other groups. | |||||
| CVE-2019-9171 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 4.3 MEDIUM | 3.7 LOW |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It allows Information Exposure (issue 1 of 5). | |||||
| CVE-2020-11767 | 2 Envoyproxy, Istio | 2 Envoy, Istio | 2021-07-21 | 2.6 LOW | 3.1 LOW |
| Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and a server (for abc.example.com) recycles the TCP connection to the forward proxy, the victim's browser may suddenly start sending sensitive data to a *.example.com server. This occurs because the forward proxy between the victim and the origin server reuses connections (which obeys the specification), but neither Istio nor Envoy corrects this by sending a 421 error. Similarly, this behavior voids the security model browsers have put in place between domains. | |||||