Search
Total
7597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6610 | 1 Jlike Project | 1 Jlike | 2018-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request. | |||||
| CVE-2018-6460 | 1 Anchorfree | 1 Hotspot Shield | 2018-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address. | |||||
| CVE-2018-1192 | 1 Pivotal Software | 4 Cloud Foundry Cf-deployment, Cloud Foundry Cf-release, Cloud Foundry Uaa and 1 more | 2018-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| In Cloud Foundry Foundation cf-release versions prior to v285; cf-deployment versions prior to v1.7; UAA 4.5.x versions prior to 4.5.5, 4.8.x versions prior to 4.8.3, and 4.7.x versions prior to 4.7.4; and UAA-release 45.7.x versions prior to 45.7, 52.7.x versions prior to 52.7, and 53.3.x versions prior to 53.3, the SessionID is logged in audit event logs. An attacker can use the SessionID to impersonate a logged-in user. | |||||
| CVE-2017-1785 | 1 Ibm | 1 Api Connect | 2018-02-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote user to modify query parameters to obtain sensitive information. IBM X-Force ID: 136859. | |||||
| CVE-2013-4317 | 1 Apache | 1 Cloudstack | 2018-02-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own. | |||||
| CVE-2017-8980 | 1 Hp | 1 Intelligent Management Center | 2018-02-26 | 5.0 MEDIUM | 7.5 HIGH |
| A Remote Disclosure of Information vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found. | |||||
| CVE-2016-3696 | 2 Fedoraproject, Pulpproject | 2 Fedora, Pulp | 2018-02-23 | 2.1 LOW | 5.5 MEDIUM |
| The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key. | |||||
| CVE-2016-3693 | 1 Safemode Project | 1 Safemode | 2018-02-23 | 6.8 MEDIUM | 8.1 HIGH |
| The Safemode gem before 1.2.4 for Ruby, when initialized with a delegate object that is a Rails controller, allows context-dependent attackers to obtain sensitive information via the inspect method. | |||||
| CVE-2012-3331 | 1 Ibm | 1 Sametime | 2018-02-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Sametime allows remote attackers to obtain sensitive information from the Sametime Log database via a direct request to STLOG.NSF. IBM X-Force ID: 78048. | |||||
| CVE-2015-5310 | 1 Google | 1 Android | 2018-02-22 | 3.3 LOW | 4.3 MEDIUM |
| The WNM Sleep Mode code in wpa_supplicant 2.x before 2.6 does not properly ignore key data in response frames when management frame protection (MFP) was not negotiated, which allows remote attackers to inject arbitrary broadcast or multicast packets or cause a denial of service (ignored packets) via a WNM Sleep Mode response. | |||||
| CVE-2017-1000250 | 1 Bluez | 1 Bluez | 2018-02-17 | 3.3 LOW | 6.5 MEDIUM |
| All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. | |||||
| CVE-2013-7435 | 1 Evergreen-ils | 1 Evergreen | 2018-02-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| The open-ils.pcrud endpoint in Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to obtain sensitive settings history information by leveraging lack of user permission for retrieval in fm_IDL.xml. | |||||
| CVE-2018-6008 | 1 Joomlatag | 1 Jtag Members Directory | 2018-02-15 | 5.0 MEDIUM | 7.5 HIGH |
| Arbitrary File Download exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter. | |||||
| CVE-2015-2203 | 1 Evergreen-ils | 1 Evergreen | 2018-02-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings history information by leveraging listing of open-ils.pcrud as a controller in the IDL. | |||||
| CVE-2015-2204 | 1 Evergreen-ils | 1 Evergreen | 2018-02-15 | 5.0 MEDIUM | 7.5 HIGH |
| Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided. | |||||
| CVE-2016-0312 | 1 Ibm | 1 Tririga Application Platform | 2018-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| IBM TRIRIGA Application Platform before 3.3.2 allows remote attackers to obtain sensitive information via vectors related to granting unauthenticated access to Document Manager. IBM X-Force ID: 111486. | |||||
| CVE-2014-9970 | 1 Jasypt Project | 1 Jasypt | 2018-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| jasypt before 1.9.2 allows a timing attack against the password hash comparison. | |||||
| CVE-2018-6014 | 1 Subsonic | 1 Subsonic | 2018-02-13 | 4.3 MEDIUM | 6.5 MEDIUM |
| Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data. | |||||
| CVE-2018-5319 | 1 Ravpower | 1 Filehub Firmware | 2018-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| RAVPower FileHub 2.000.056 allows remote users to steal sensitive information via a crafted HTTP request. | |||||
| CVE-2018-6015 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2018-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data. | |||||
| CVE-2017-1681 | 1 Ibm | 1 Liberty | 2018-02-10 | 2.1 LOW | 3.3 LOW |
| IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.15) could allow a local attacker to obtain sensitive information, caused by improper handling of application requests, which could allow unauthorized access to read a file. IBM X-Force ID: 134003. | |||||
| CVE-2017-1000505 | 1 Jenkins | 1 Script Security | 2018-02-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval. | |||||
| CVE-2017-2744 | 1 Hp | 1 Support Assistant | 2018-02-09 | 2.1 LOW | 5.5 MEDIUM |
| The vulnerability allows attacker to extract binaries into protected file system locations in HP Support Assistant before 12.7.26.1. | |||||
| CVE-2017-1515 | 1 Ibm | 1 Rational Doors | 2018-02-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Doors Web Access 9.5 and 9.6 could allow an authenticated user to obtain sensitive information from HTTP internal server error responses. IBM X-Force ID: 129825. | |||||
| CVE-2017-15713 | 1 Apache | 1 Hadoop | 2018-02-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host. | |||||
| CVE-2018-1044 | 1 Moodle | 1 Moodle | 2018-02-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings. | |||||
| CVE-2018-5726 | 1 Barni | 2 Master Ip Camera01, Master Ip Camera01 Firmware | 2018-02-05 | 5.0 MEDIUM | 9.8 CRITICAL |
| MASTER IPCAMERA01 3.3.4.2103 devices allow remote attackers to obtain sensitive information via a crafted HTTP request, as demonstrated by the username, password, and configuration settings. | |||||
| CVE-2012-3353 | 1 Apache | 1 Sling Jcr Contentloader | 2018-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should upgrade to version 2.1.6 of the JCR ContentLoader | |||||
| CVE-2017-13206 | 1 Google | 1 Android | 2018-02-02 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability in the Android media framework (aacdec). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-65025048. | |||||
| CVE-2017-9796 | 1 Apache | 1 Geode | 2018-02-02 | 3.5 LOW | 5.3 MEDIUM |
| When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions. | |||||
| CVE-2018-5728 | 1 Cobham | 2 Seatel 121, Seatel 121 Firmware | 2018-02-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Cobham Sea Tel 121 build 222701 devices allow remote attackers to obtain potentially sensitive information via a /cgi-bin/getSysStatus request, as demonstrated by the Latitude/Longitude of the ship, or satellite details. | |||||
| CVE-2017-1478 | 1 Ibm | 2 Security Access Manager, Security Access Manager 9.0 Firmware | 2018-02-01 | 2.1 LOW | 3.3 LOW |
| IBM Security Access Manager Appliance 9.0.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 128613. | |||||
| CVE-2017-0846 | 1 Google | 1 Android | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability in the Android framework (clipboardservice). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-64934810. | |||||
| CVE-2015-7484 | 1 Ibm | 1 Rational Engineering Lifecycle Manager | 2018-02-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Rational Engineering Lifecycle Manager 3.0 before 3.0.1.6 iFix7 Interim Fix 1 and 4.0 before 4.0.7 iFix10 allow remote authenticated users with access to lifecycle projects to obtain sensitive information by sending a crafted URL to the Lifecycle Query Engine. IBM X-Force ID: 108619. | |||||
| CVE-2017-12622 | 1 Apache | 1 Geode | 2018-02-01 | 5.5 MEDIUM | 7.1 HIGH |
| When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges. | |||||
| CVE-2018-5266 | 1 Cobham | 2 Sea Tel 121, Sea Tel 121 Firmware | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| Cobham Sea Tel 121 build 222701 devices allow remote attackers to obtain potentially sensitive information about valid usernames by reading the loginName lines at the js/userLogin.js URI. NOTE: default passwords for the standard usernames are listed in the product's documentation: Dealer with password seatel3, SysAdmin with password seatel2, and User with password seatel1. | |||||
| CVE-2017-14082 | 1 Trendmicro | 1 Mobile Security | 2018-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| An uninitialized pointer information disclosure vulnerability in Trend Micro Mobile Security (Enterprise) versions 9.7 and below could allow an unauthenticated remote attacker to disclosure sensitive information on a vulnerable system. | |||||
| CVE-2018-5682 | 1 Prestashop | 1 Prestashop | 2018-01-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message. | |||||
| CVE-2014-5004 | 1 Brbackup Project | 1 Brbackup | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database password on the mysql command line, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2014-5001 | 1 Kcapifony Project | 1 Kcapifony | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| lib/ksymfony1.rb in the kcapifony gem 2.1.6 for Ruby places database user passwords on the (1) mysqldump, (2) pg_dump, (3) mysql, and (4) psql command lines, which allows local users to obtain sensitive information by listing the processes. | |||||
| CVE-2014-4999 | 1 Kajam Project | 1 Kajam | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2014-5000 | 1 Lawn-login Project | 1 Lawn-login | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2014-4998 | 1 Lean-ruport Project | 1 Lean-ruport | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the mysql user password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2014-4997 | 1 Point-cli Project | 1 Point-cli | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2014-4995 | 1 Vladtheenterprising Project | 1 Vladtheenterprising | 2018-01-30 | 1.9 LOW | 7.0 HIGH |
| Race condition in lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to obtain sensitive information by reading the MySQL root password from a temporary file before it is removed. | |||||
| CVE-2014-4991 | 1 Codders-dataset Project | 1 Codders-dataset | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| (1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2014-4992 | 1 Cap-strap Project | 1 Cap-strap | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| lib/cap-strap/helpers.rb in the cap-strap gem 0.1.5 for Ruby places credentials on the useradd command line, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2014-4993 | 2 Backup-agoddard Project, Backup Checksum Project | 2 Backup-agoddard, Backup Checksum | 2018-01-30 | 2.1 LOW | 7.8 HIGH |
| (1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2) lib/backup/cli/utility.rb in the backup_checksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by listing the process. | |||||
| CVE-2017-11066 | 1 Google | 1 Android | 2018-01-29 | 5.0 MEDIUM | 7.5 HIGH |
| In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing ubi image an uninitialized memory could be accessed. | |||||
| CVE-2014-5394 | 1 Huawei | 24 S2300, S2300 Firmware, S2700 and 21 more | 2018-01-29 | 4.3 MEDIUM | 5.9 MEDIUM |
| Multiple Huawei Campus switches allow remote attackers to enumerate usernames via vectors involving use of SSH by the maintenance terminal. | |||||