Total
7102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-49284 | 2024-10-18 | N/A | N/A | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BogdanFix WP SendFox allows Retrieve Embedded Sensitive Data.This issue affects WP SendFox: from n/a through 1.3.1. | |||||
| CVE-2018-13297 | 1 Synology | 1 Drive Server | 2024-10-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| Information exposure vulnerability in SYNO.SynologyDrive.Files in Synology Drive before 1.1.2-10562 allows remote attackers to obtain sensitive system information via the dsm_path parameter. | |||||
| CVE-2024-22032 | 2024-10-16 | N/A | N/A | ||
| A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled. When reconciling, the Kube API secret values are written in plaintext on the AppliedSpec. Cluster owners, Cluster members, and Project members (for projects within the cluster), all have RBAC permissions to view the cluster object from the apiserver. | |||||
| CVE-2024-47080 | 2024-10-16 | N/A | N/A | ||
| matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. In matrix-js-sdk versions versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers. The method was introduced by MSC3061) and is commonly used to share historical message keys with newly invited users, granting them access to past messages in the room. However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks. Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call `MatrixClient.initRustCrypto()` instead of `MatrixClient.initCrypto()`) are unaffected by this vulnerability, because `MatrixClient.sendSharedHistoryKeys()` raises an exception in such environments. The vulnerability was fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality. As a workaround, remove use of affected functionality from clients. | |||||
| CVE-2024-47771 | 2024-10-16 | N/A | N/A | ||
| Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets. | |||||
| CVE-2024-47824 | 2024-10-16 | N/A | N/A | ||
| matrix-react-sdk is react-based software development kit for inserting a Matrix chat/VOIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite. Version 3.102.0 fixes this issue by disabling sharing message keys on invite by removing calls to the vulnerable functionality. No known workarounds are available. | |||||
| CVE-2017-9512 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-16 | 5.0 MEDIUM | 7.5 HIGH |
| The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks. | |||||
| CVE-2023-22586 | 1 Danfoss | 2 Ak-em100, Ak-em100 Firmware | 2024-10-16 | N/A | 7.5 HIGH |
| The Danfoss AK-EM100 web applications allow for Local File Inclusion in the file parameter. | |||||
| CVE-2023-25912 | 1 Danfoss | 2 Ak-em100, Ak-em100 Firmware | 2024-10-16 | N/A | 5.3 MEDIUM |
| The webreport generation feature in the Danfoss AK-EM100 allows an unauthorized actor to generate a web report that discloses sensitive information such as the internal IP address, usernames and internal device values. | |||||
| CVE-2016-8747 | 1 Apache | 1 Tomcat | 2024-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request. | |||||
| CVE-2024-6747 | 1 Checkmk | 1 Checkmk | 2024-10-15 | N/A | 7.5 HIGH |
| Information leakage in mknotifyd in Checkmk before 2.3.0p18, 2.2.0p36, 2.1.0p49 and in 2.0.0p39 (EOL) allows attacker to get potentially sensitive data | |||||
| CVE-2024-39527 | 2024-10-15 | N/A | 5.5 MEDIUM | ||
| An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the command-line interface (CLI) of Juniper Networks Junos OS on SRX Series devices allows a local, low-privileged user with access to the Junos CLI to view the contents of protected files on the file system. Through the execution of crafted CLI commands, a user with limited permissions (e.g., a low privilege login class user) can access protected files that should not be accessible to the user. These files may contain sensitive information that can be used to cause further impact to the system. This issue affects Junos OS on SRX Series: * All versions before 21.4R3-S8, * 22.2 before 22.2R3-S5, * 22.3 before 22.3R3-S4, * 22.4 before 22.4R3-S4, * 23.2 before 23.2R2-S2, * 23.4 before 23.4R2. | |||||
| CVE-2024-9538 | 2024-10-15 | N/A | 4.3 MEDIUM | ||
| The ShopLentor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.8 via the 'render' function in includes/addons/wl_faq.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data. | |||||
| CVE-2024-9821 | 2024-10-15 | N/A | 8.8 HIGH | ||
| The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature. | |||||
| CVE-2024-8884 | 2024-10-10 | N/A | N/A | ||
| CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause exposure of credentials when attacker has access to application on network over http | |||||
| CVE-2024-47344 | 2024-10-07 | N/A | N/A | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StylemixThemes uListing.This issue affects uListing: from n/a through 2.1.5. | |||||
| CVE-2024-45245 | 2024-10-07 | N/A | N/A | ||
| Diebold Nixdorf – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2024-45250 | 2024-10-07 | N/A | N/A | ||
| ZKteco – CWE 200 Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2024-43237 | 2024-09-26 | N/A | N/A | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in TaxoPress WordPress Tag Cloud Plugin – Tag Groups.This issue affects WordPress Tag Cloud Plugin – Tag Groups: from n/a through 2.0.3. | |||||
| CVE-2024-8612 | 2024-09-26 | N/A | 3.8 LOW | ||
| A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak. | |||||