Search
Total
7597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-3502 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtain sensitive information in opportunistic circumstances by reading a response that was intended for a different client. | |||||
| CVE-2017-9788 | 6 Apache, Apple, Debian and 3 more | 16 Http Server, Mac Os X, Debian Linux and 13 more | 2021-06-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. | |||||
| CVE-2010-2068 | 4 Apache, Ibm, Microsoft and 1 more | 4 Http Server, Os2, Windows and 1 more | 2021-06-06 | 5.0 MEDIUM | N/A |
| mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. | |||||
| CVE-2010-0434 | 1 Apache | 1 Http Server | 2021-06-06 | 4.3 MEDIUM | N/A |
| The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request. | |||||
| CVE-2021-33558 | 1 Boa | 1 Boa | 2021-06-04 | 5.0 MEDIUM | 7.5 HIGH |
| Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. | |||||
| CVE-2021-20585 | 1 Ibm | 1 Security Verify Access | 2021-06-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Security Verify Access 20.07 could disclose sensitive information in HTTP server headers that could be used in further attacks against the system. IBM X-Force ID: 199398. | |||||
| CVE-2021-20250 | 1 Redhat | 2 Jboss-ejb-client, Jboss Enterprise Application Platform Expansion Pack | 2021-06-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in wildfly. The JBoss EJB client has publicly accessible privileged actions which may lead to information disclosure on the server it is deployed on. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-22739 | 1 Schneider-electric | 4 Homelynk, Homelynk Firmware, Spacelynk and 1 more | 2021-06-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause a device to be compromised when it is first configured. | |||||
| CVE-2021-22740 | 1 Schneider-electric | 4 Homelynk, Homelynk Firmware, Spacelynk and 1 more | 2021-06-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Information Exposure vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could cause information to be exposed when an unauthorized file is uploaded. | |||||
| CVE-2020-25578 | 1 Freebsd | 1 Freebsd | 2021-06-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems. | |||||
| CVE-2021-20331 | 1 Mongodb | 1 C\# Driver | 2021-06-03 | 3.5 LOW | 4.9 MEDIUM |
| Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1. | |||||
| CVE-2021-30163 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2021-06-03 | 5.0 MEDIUM | 7.5 HIGH |
| Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. | |||||
| CVE-2021-20486 | 3 Ibm, Linux, Redhat | 3 Cloud Pak For Data, Linux Kernel, Enterprise Linux | 2021-06-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Cloud Pak for Data 3.0 could allow an authenticated user to obtain sensitive information when installed with additional plugins. IBM X-Force ID: 197668. | |||||
| CVE-2014-8722 | 1 Get-simple | 1 Getsimple Cms | 2021-06-02 | 5.0 MEDIUM | 7.5 HIGH |
| GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/<username>.xml, (2) backups/users/<username>.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml. | |||||
| CVE-2021-20239 | 3 Fedoraproject, Linux, Redhat | 3 Fedora, Linux Kernel, Enterprise Linux | 2021-06-02 | 2.1 LOW | 3.3 LOW |
| A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. | |||||
| CVE-2021-21424 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2021-06-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. | |||||
| CVE-2009-0842 | 2 Osgeo, Umn | 2 Mapserver, Mapserver | 2021-06-01 | 4.3 MEDIUM | N/A |
| mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to read arbitrary invalid .map files via a full pathname in the map parameter, which triggers the display of partial file contents within an error message, as demonstrated by a /tmp/sekrut.map symlink. | |||||
| CVE-2021-27823 | 1 Mediateknet | 1 Netwave System | 2021-05-28 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability was discovered in /index.class.php (via port 8181) on NetWave System 1.0 which allows unauthenticated attackers to exfiltrate sensitive information from the system. | |||||
| CVE-2021-21733 | 1 Zte | 1 Zxcdn | 2021-05-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| The management system of ZXCDN is impacted by the information leak vulnerability. Attackers can make further analysis according to the information returned by the program, and then obtain some sensitive information. This affects ZXCDN V7.01 all versions up to IAMV7.01.01.02. | |||||
| CVE-2021-32624 | 1 Keystonejs | 1 Keystone-5 | 2021-05-28 | 3.5 LOW | 5.3 MEDIUM |
| Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control related oracle attack in that the attack method guides an attacker during their attempt to reveal information they do not have access to. The complexity of completing the attack is limited by some length-dependent behaviors and the fidelity of the exposed information. Under some circumstances, field values or field value meta data can be determined, despite the field or list having `read` access control configured. If you use private fields or lists, you may be impacted. No patches exist at this time. There are no workarounds at this time | |||||
| CVE-2020-23768 | 1 Phpyun | 1 Phpyun | 2021-05-27 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability was discovered in alipay_function.php in the log file of Alibaba payment interface on PHPPYUN prior to version 5.0.1. If exploited, this vulnerability will allow attackers to obtain users' personally identifiable information including e-mail address and telephone numbers. | |||||
| CVE-2021-29681 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2021-05-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM InfoSphere Information Server 11.7 could allow an attacker to obtain sensitive information by injecting parameters into an HTML query. This information could be used in further attacks against the system. IBM X-Force ID: 199918. | |||||
| CVE-2021-27434 | 2 Microsoft, Unified-automation | 2 .net, .net Based Opc Ua Client\/server Sdk | 2021-05-26 | 5.0 MEDIUM | 7.5 HIGH |
| Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow. | |||||
| CVE-2021-20529 | 1 Ibm | 1 Control Center | 2021-05-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Control Center 6.2.0.0 could allow a user to obtain sensitive version information that could be used in further attacks against the system. IBM X-Force ID: 198763. | |||||
| CVE-2021-29043 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-05-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. | |||||
| CVE-2020-4985 | 1 Ibm | 1 Planning Analytics Local | 2021-05-20 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Planning Analytics Local 2.0 could allow an attacker to obtain sensitive information due to accepting body parameters in a query. IBM X-Force ID: 192642. | |||||
| CVE-2021-20993 | 1 Wago | 10 0852-0303, 0852-0303 Firmware, 0852-1305 and 7 more | 2021-05-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| In multiple managed switches by WAGO in different versions the activated directory listing provides an attacker with the index of the resources located inside the directory. | |||||
| CVE-2021-20564 | 1 Ibm | 1 Cloud Pak For Security | 2021-05-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 199235. | |||||
| CVE-2021-31918 | 1 Redhat | 1 Openstack | 2021-05-17 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-31905 | 1 Jetbrains | 1 Youtrack | 2021-05-14 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible. | |||||
| CVE-2015-0997 | 2 Aveva, Schneider-electric | 2 Aveva Edge, Wonderware Intouch 2014 | 2021-05-14 | 5.0 MEDIUM | N/A |
| Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 provide an HMI user interface that lists all valid usernames, which makes it easier for remote attackers to obtain access via a brute-force password-guessing attack. | |||||
| CVE-2015-0998 | 2 Aveva, Schneider-electric | 2 Aveva Edge, Wonderware Intouch 2014 | 2021-05-14 | 3.3 LOW | N/A |
| Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 transmit cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. | |||||
| CVE-2015-0996 | 2 Aveva, Schneider-electric | 2 Aveva Edge, Wonderware Intouch 2014 | 2021-05-14 | 2.1 LOW | N/A |
| Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive information by discovering this password. | |||||
| CVE-2015-0999 | 2 Aveva, Schneider-electric | 2 Aveva Edge, Wonderware Intouch 2014 | 2021-05-14 | 2.1 LOW | N/A |
| Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 store cleartext OPC User credentials in a configuration file, which allows local users to obtain sensitive information by reading this file. | |||||
| CVE-2016-4839 | 1 Moneyforward | 10 Money Forward For Apppass, Money Forward For Au Smartpass, Money Forward For Chou Houdai and 7 more | 2021-05-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application. | |||||
| CVE-2017-15518 | 1 Netapp | 2 Oncommand Api Services, Service Level Manager | 2021-05-11 | 2.1 LOW | 7.8 HIGH |
| All versions of OnCommand API Services prior to 2.1 and NetApp Service Level Manager prior to 1.0RC4 log a privileged database user account password. All users are urged to move to a fixed version. Since the affected password is changed during every upgrade/installation no further action is required. | |||||
| CVE-2021-29248 | 1 Btcpayserver | 1 Btcpay Server | 2021-05-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie. | |||||
| CVE-2021-29247 | 1 Btcpayserver | 1 Btcpay Server | 2021-05-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie. | |||||
| CVE-2018-10599 | 1 Philips | 36 Avalon Fetal\/maternal Monitors Fm20, Avalon Fetal\/maternal Monitors Fm20 Firmware, Avalon Fetal\/maternal Monitors Fm30 and 33 more | 2021-05-10 | 2.9 LOW | 5.3 MEDIUM |
| IntelliVue Patient Monitors MP Series (including MP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M, IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only), and Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3 have a vulnerability that allows an unauthenticated attacker to read memory from an attacker-chosen device address within the same subnet. | |||||
| CVE-2021-29483 | 1 Miraheze | 1 Managewiki | 2021-05-08 | 5.0 MEDIUM | 7.5 HIGH |
| ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch set `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround. | |||||
| CVE-2021-1087 | 5 Citrix, Nutanix, Nvidia and 2 more | 5 Hypervisor, Ahv, Virtual Gpu Manager and 2 more | 2021-05-07 | 2.1 LOW | 5.5 MEDIUM |
| NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin), which could allow an attacker to retrieve information that could lead to a Address Space Layout Randomization (ASLR) bypass. This affects vGPU version 12.x (prior to 12.2), version 11.x (prior to 11.4) and version 8.x (prior to 8.7). | |||||
| CVE-2021-30168 | 1 Meritlilin | 82 P2g1022, P2g1022 Firmware, P2g1022x and 79 more | 2021-05-07 | 7.5 HIGH | 9.8 CRITICAL |
| The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices. | |||||
| CVE-2021-30169 | 1 Meritlilin | 82 P2g1022, P2g1022 Firmware, P2g1022x and 79 more | 2021-05-07 | 5.0 MEDIUM | 7.5 HIGH |
| The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant user’s credential. | |||||
| CVE-2020-4883 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2021-05-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM QRadar SIEM 7.3 and 7.4 could disclose sensitive information about other domains which could be used in further attacks against the system. IBM X-Force ID: 190907. | |||||
| CVE-2021-21537 | 1 Dell | 1 Hybrid Client | 2021-05-06 | 2.1 LOW | 5.5 MEDIUM |
| Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to view and exfiltrate sensitive information on the system. | |||||
| CVE-2021-21534 | 1 Dell | 1 Hybrid Client | 2021-05-06 | 2.1 LOW | 3.3 LOW |
| Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to gain access to sensitive information via the local API. | |||||
| CVE-2021-21536 | 1 Dell | 1 Hybrid Client | 2021-05-06 | 2.1 LOW | 5.5 MEDIUM |
| Dell Hybrid Client versions prior to 1.5 contain an information exposure vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to register the client to a server in order to view sensitive information. | |||||
| CVE-2020-36319 | 1 Vaadin | 2 Flow, Vaadin | 2021-05-05 | 3.5 LOW | 6.5 MEDIUM |
| Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController | |||||
| CVE-2016-2388 | 1 Sap | 1 Netweaver Application Server Java | 2021-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. | |||||
| CVE-2018-12920 | 1 Flir | 2 Brickstream 2300, Brickstream 2300 Firmware | 2021-05-03 | 5.0 MEDIUM | 7.5 HIGH |
| Brickstream 2300 devices allow remote attackers to obtain potentially sensitive information via a direct request for the basic.html#ipsettings or basic.html#datadelivery URI. | |||||