Search
Total
7597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27599 | 1 Sap | 1 Netweaver Process Integration | 2021-08-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP NetWeaver ABAP Server and ABAP Platform (Process Integration - Integration Builder Framework), versions - 7.10, 7.30, 7.31, 7.40, 7.50, allows an attacker to access information under certain conditions, which would otherwise be restricted. | |||||
| CVE-2021-21396 | 1 Wire | 1 Wire Server | 2021-08-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02. | |||||
| CVE-2021-20594 | 1 Mitsubishielectric | 16 R08psfcpu, R08psfcpu Firmware, R08sfcpu and 13 more | 2021-08-27 | 5.0 MEDIUM | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to acquire legitimate user names registered in the module via brute-force attack on user names. | |||||
| CVE-2015-5173 | 2 Cloudfoundry, Pivotal Software | 3 Cf-release, Cloud Foundry Elastic Runtime, Cloud Foundry Uaa | 2021-08-25 | 6.8 MEDIUM | 8.8 HIGH |
| Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage." | |||||
| CVE-2011-3696 | 1 60cyclecms Project | 1 60cyclecms | 2021-08-25 | 5.0 MEDIUM | N/A |
| 60cycleCMS 2.5.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by post.php and certain other files. | |||||
| CVE-2016-6220 | 1 Trendmicro | 1 Control Manager | 2021-08-25 | 5.0 MEDIUM | 7.5 HIGH |
| Information Disclosure vulnerability in the Dashboard and Error Pages in Trend Micro Control Manager SP3 6.0. | |||||
| CVE-2021-34749 | 1 Cisco | 3 Firepower Management Center, Firepower Management Center Virtual Appliance Firmware, Ironport Web Security Appliance | 2021-08-25 | 5.0 MEDIUM | 8.6 HIGH |
| A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks. | |||||
| CVE-2021-20772 | 1 Cybozu | 1 Garoon | 2021-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Information disclosure vulnerability in Bulletin of Cybozu Garoon 4.10.0 to 5.5.0 allows a remote authenticated attacker to obtain the title of Bulletin without the viewing privilege. | |||||
| CVE-2019-5534 | 1 Vmware | 1 Vcenter Server | 2021-08-24 | 4.0 MEDIUM | 7.7 HIGH |
| VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). | |||||
| CVE-2017-10793 | 2 Att, Commscope | 3 U-verse Firmware, Arris Nvg589, Arris Nvg599 | 2021-08-23 | 4.3 MEDIUM | 8.1 HIGH |
| The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589, NVG599, and unspecified other devices, when IP Passthrough mode is not used, configures an sbdc.ha WAN TCP service on port 61001 with the bdctest account and the bdctest password, which allows remote attackers to obtain sensitive information (such as the Wi-Fi password) by leveraging knowledge of a hardware identifier, related to the Bulk Data Collection (BDC) mechanism defined in Broadband Forum technical reports. | |||||
| CVE-2015-7731 | 1 Sap | 1 Mobile Platform | 2021-08-17 | 2.1 LOW | 5.5 MEDIUM |
| SAP Mobile Platform 3.0 SP05 ClientHub allows attackers to obtain the keystream and other sensitive information via the DataVault, aka SAP Security Note 2094830. | |||||
| CVE-2021-21584 | 1 Dell | 2 Openmanage Enterprise, Openmanage Enterprise-modular | 2021-08-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials. | |||||
| CVE-2021-21596 | 1 Dell | 2 Openmanage Enterprise, Openmanage Enterprise-modular | 2021-08-13 | 5.8 MEDIUM | 8.8 HIGH |
| Dell OpenManage Enterprise versions 3.4 through 3.6.1 and Dell OpenManage Enterprise Modular versions 1.20.00 through 1.30.00, contain a remote code execution vulnerability. A malicious attacker with access to the immediate subnet may potentially exploit this vulnerability leading to information disclosure and a possible elevation of privileges. | |||||
| CVE-2021-26998 | 1 Netapp | 1 Cloud Manager | 2021-08-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| NetApp Cloud Manager versions prior to 3.9.9 log sensitive information that is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version. | |||||
| CVE-2021-26999 | 1 Netapp | 1 Cloud Manager | 2021-08-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| NetApp Cloud Manager versions prior to 3.9.9 log sensitive information when an Active Directory connection fails. The logged information is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version. | |||||
| CVE-2021-37554 | 1 Jetbrains | 1 Youtrack | 2021-08-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions. | |||||
| CVE-2020-13129 | 1 Heinekingmedia | 1 Stashcat | 2021-08-12 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in the stashcat app through 3.9.1 for macOS, Windows, Android, iOS, and possibly other platforms. The GET method is used with client_key and device_id data in the query string, which allows attackers to obtain sensitive information by reading web-server logs. | |||||
| CVE-2021-34707 | 1 Cisco | 1 Evolved Programmable Network Manager | 2021-08-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the REST API of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to access sensitive data on an affected system. This vulnerability exists because the application does not sufficiently protect sensitive data when responding to an API request. An attacker could exploit the vulnerability by sending a specific API request to the affected application. A successful exploit could allow the attacker to obtain sensitive information about the application. | |||||
| CVE-2013-3236 | 1 Linux | 1 Linux Kernel | 2021-08-09 | 4.9 MEDIUM | N/A |
| The vmci_transport_dgram_dequeue function in net/vmw_vsock/vmci_transport.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. | |||||
| CVE-2020-1739 | 3 Debian, Fedoraproject, Redhat | 6 Debian Linux, Fedora, Ansible and 3 more | 2021-08-07 | 3.3 LOW | 3.9 LOW |
| A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs. | |||||
| CVE-2020-1740 | 1 Redhat | 4 Ansible, Ansible Tower, Cloudforms Management Engine and 1 more | 2021-08-07 | 1.9 LOW | 4.7 MEDIUM |
| A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. | |||||
| CVE-2019-10156 | 2 Debian, Redhat | 3 Debian Linux, Ansible, Openstack | 2021-08-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed. | |||||
| CVE-2020-3347 | 1 Cisco | 1 Webex Meetings | 2021-08-06 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. The vulnerability is due to unsafe usage of shared memory that is used by the affected software. An attacker with permissions to view system memory could exploit this vulnerability by running an application on the local system that is designed to read shared memory. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could aid the attacker in future attacks. | |||||
| CVE-2020-10590 | 1 Replicated | 1 Replicated Classic | 2021-08-06 | 5.0 MEDIUM | 7.5 HIGH |
| Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS Keypair (Cert and Key) used to configure the Admin Console. | |||||
| CVE-2015-4547 | 1 Rsa | 1 Web Threat Detection | 2021-08-06 | 4.0 MEDIUM | N/A |
| EMC RSA Web Threat Detection before 5.1 SP1 stores a cleartext AnnoDB password in a configuration file, which allows remote authenticated users to obtain sensitive information by reading this file. | |||||
| CVE-2019-10247 | 3 Eclipse, Netapp, Oracle | 24 Jetty, Element, Oncommand System Manager and 21 more | 2021-08-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | |||||
| CVE-2014-9225 | 2 Broadcom, Symantec | 2 Symantec Critical System Protection, Data Center Security | 2021-08-04 | 4.0 MEDIUM | N/A |
| The ajaxswing webui in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to obtain sensitive server information via unspecified vectors. | |||||
| CVE-2016-9590 | 2 Openstack, Redhat | 2 Puppet-swift, Openstack | 2021-08-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions. | |||||
| CVE-2018-1059 | 3 Canonical, Dpdk, Redhat | 9 Ubuntu Linux, Data Plane Development Kit, Ceph Storage and 6 more | 2021-08-04 | 2.9 LOW | 6.1 MEDIUM |
| The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses translations. This may lead to a malicious guest exposing vhost-user backend process memory. All versions before 18.02.1 are vulnerable. | |||||
| CVE-2017-2622 | 1 Redhat | 1 Openstack | 2021-08-04 | 2.1 LOW | 5.5 MEDIUM |
| An accessibility flaw was found in the OpenStack Workflow (mistral) service where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. | |||||
| CVE-2018-14432 | 3 Debian, Openstack, Redhat | 3 Debian Linux, Keystone, Openstack | 2021-08-04 | 3.5 LOW | 5.3 MEDIUM |
| In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected. | |||||
| CVE-2018-16876 | 4 Canonical, Debian, Redhat and 1 more | 10 Ubuntu Linux, Debian Linux, Ansible and 7 more | 2021-08-04 | 3.5 LOW | 5.3 MEDIUM |
| ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data. | |||||
| CVE-2016-4474 | 1 Redhat | 1 Openstack | 2021-08-04 | 3.3 LOW | 8.8 HIGH |
| The image build process for the overcloud images in Red Hat OpenStack Platform 8.0 (Liberty) director and Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director (aka overcloud-full) use a default root password of ROOTPW, which allows attackers to gain access via unspecified vectors. | |||||
| CVE-2016-4985 | 2 Canonical, Redhat | 2 Openstack Ironic, Openstack | 2021-08-04 | 5.0 MEDIUM | 7.5 HIGH |
| The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource. | |||||
| CVE-2017-15139 | 2 Openstack, Redhat | 2 Cinder, Openstack | 2021-08-04 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants. | |||||
| CVE-2021-25809 | 1 Ucms Project | 1 Ucms | 2021-08-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| UCMS 1.5.0 was discovered to contain a physical path leakage via an error message returned by the adminchannelscache() function in top.php. | |||||
| CVE-2020-12729 | 1 Magicsmotion | 2 Flamingo 2, Flamingo 2 Firmware | 2021-08-03 | 2.1 LOW | 4.6 MEDIUM |
| MagicMotion Flamingo 2 has a lack of access control for reading from device descriptors. | |||||
| CVE-2021-21587 | 1 Dell | 1 Wyse Management Suite | 2021-07-31 | 2.1 LOW | 3.3 LOW |
| Dell Wyse Management Suite versions 3.2 and earlier contain a full path disclosure vulnerability. A local unauthenticated attacker could exploit this vulnerability in order to obtain the path of files and folders. | |||||
| CVE-2021-20478 | 1 Ibm | 1 Cloud Pak System | 2021-07-29 | 2.1 LOW | 3.3 LOW |
| IBM Cloud Pak System 2.3 could allow a local user in some situations to view the artifacts of another user in self service console. IBM X-Force ID: 197497. | |||||
| CVE-2021-22728 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| A CWE-200: Information Exposure vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could cause disclosure of encrypted credentials when consulting the maintenance report. | |||||
| CVE-2021-22721 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A CWE-200: Information Exposure vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could allow an attacker to get limited knowledge of javascript code when crafted malicious parameters are submitted to the charging station web server. | |||||
| CVE-2021-22770 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2021-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| A CWE-200: Information Exposure vulnerability exists in Easergy T300 with firmware V2.7.1 and older that exposes sensitive information to an actor not explicitly authorized to have access to that information. | |||||
| CVE-2009-4073 | 1 Microsoft | 1 Internet Explorer | 2021-07-23 | 5.0 MEDIUM | N/A |
| The printing functionality in Microsoft Internet Explorer 8 allows remote attackers to discover a local pathname, and possibly a local username, by reading the dc:title element of a PDF document that was generated from a local web page. | |||||
| CVE-2012-2420 | 2 Intuit, Microsoft | 2 Quickbooks, Internet Explorer | 2021-07-23 | 1.8 LOW | N/A |
| The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, might allow remote attackers to obtain sensitive information via a URI with a % (percent) character as its (1) last or (2) second-to-last character, in situations where a certain "post-URL data" buffer contains a 0x0000 character but a buffer overflow does not occur. | |||||
| CVE-2002-2435 | 1 Microsoft | 2 Ie, Internet Explorer | 2021-07-23 | 4.3 MEDIUM | N/A |
| The Cascading Style Sheets (CSS) implementation in Microsoft Internet Explorer 8.0 and earlier does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. | |||||
| CVE-2010-1852 | 1 Microsoft | 1 Internet Explorer | 2021-07-23 | 4.3 MEDIUM | N/A |
| Microsoft Internet Explorer, when the Invisible Hand extension is enabled, uses cookies during background HTTP requests in a possibly unexpected manner, which might allow remote web servers to identify specific persons and their product searches via HTTP request logging, related to a "cross-site data leakage" issue. | |||||
| CVE-2010-0652 | 1 Microsoft | 1 Internet Explorer | 2021-07-23 | 4.3 MEDIUM | N/A |
| Microsoft Internet Explorer permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document. | |||||
| CVE-2011-3404 | 1 Microsoft | 4 Internet Explorer, Windows 7, Windows Vista and 1 more | 2021-07-23 | 4.3 MEDIUM | N/A |
| Microsoft Internet Explorer 6 through 9 does not properly use the Content-Disposition HTTP header to control rendering of the HTTP response body, which allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Content-Disposition Information Disclosure Vulnerability." | |||||
| CVE-2011-1992 | 1 Microsoft | 6 Internet Explorer, Windows 7, Windows Server 2003 and 3 more | 2021-07-23 | 4.3 MEDIUM | N/A |
| The XSS Filter in Microsoft Internet Explorer 8 allows remote attackers to read content from a different (1) domain or (2) zone via a "trial and error" attack, aka "XSS Filter Information Disclosure Vulnerability." | |||||
| CVE-2012-0012 | 1 Microsoft | 4 Internet Explorer, Windows 7, Windows Server 2008 and 1 more | 2021-07-23 | 4.3 MEDIUM | N/A |
| Microsoft Internet Explorer 9 does not properly handle the creation and initialization of string objects, which allows remote attackers to read data from arbitrary process-memory locations via a crafted web site, aka "Null Byte Information Disclosure Vulnerability." | |||||