Total
7102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-6079 | 1 Boldgrid | 1 W3 Total Cache | 2023-05-26 | 5.0 MEDIUM | 7.5 HIGH |
| W3 Total Cache before 0.9.2.5 exposes sensitive cached database information which allows remote attackers to download this information via their hash keys. | |||||
| CVE-2012-6077 | 1 Boldgrid | 1 W3 Total Cache | 2023-05-26 | 5.0 MEDIUM | 7.5 HIGH |
| W3 Total Cache before 0.9.2.5 allows remote attackers to retrieve password hash information due to insecure storage of database cache files. | |||||
| CVE-2012-6078 | 1 Boldgrid | 1 W3 Total Cache | 2023-05-26 | 5.0 MEDIUM | 7.5 HIGH |
| W3 Total Cache before 0.9.2.5 generates hash keys insecurely which allows remote attackers to predict the values of the hashes. | |||||
| CVE-2021-32819 | 1 Squirrelly | 1 Squirrelly | 2023-05-22 | 6.8 MEDIUM | 8.8 HIGH |
| Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023. | |||||
| CVE-2016-8741 | 1 Apache | 1 Qpid Broker-j | 2023-05-22 | 5.0 MEDIUM | 7.5 HIGH |
| The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256. | |||||
| CVE-2019-12414 | 1 Apache | 1 Superset | 2023-05-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab | |||||
| CVE-2022-31091 | 2 Debian, Guzzlephp | 2 Debian Linux, Guzzle | 2023-05-21 | 4.0 MEDIUM | 7.7 HIGH |
| Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together. | |||||
| CVE-2021-45038 | 1 Mediawiki | 1 Mediawiki | 2023-05-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents. | |||||
| CVE-2017-15583 | 1 Hitachienergy | 2 Fox515t, Fox515t Firmware | 2023-05-16 | 5.0 MEDIUM | 6.5 MEDIUM |
| The embedded web server on ABB Fox515T 1.0 devices is vulnerable to Local File Inclusion. It accepts a parameter that specifies a file for display or for use as a template. The filename is not validated; an attacker could retrieve any file. | |||||
| CVE-2019-19091 | 1 Hitachienergy | 1 Esoms | 2023-05-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| For ABB eSOMS versions 4.0 to 6.0.3, HTTPS responses contain comments with sensitive information about the application. An attacker might use this detail information to specifically craft the attack. | |||||
| CVE-2019-19000 | 1 Hitachienergy | 1 Esoms | 2023-05-16 | 6.4 MEDIUM | 6.5 MEDIUM |
| For ABB eSOMS 4.0 to 6.0.3, the Cache-Control and Pragma HTTP header(s) have not been properly configured within the application response. This can potentially allow browsers and proxies to cache sensitive information. | |||||
| CVE-2023-29106 | 1 Siemens | 4 6gk1411-1ac00, 6gk1411-1ac00 Firmware, 6gk1411-5ac00 and 1 more | 2023-05-15 | N/A | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2.0 < V2.1), SIMATIC Cloud Connect 7 CC716 (All versions >= V2.0 < V2.1). The export endpoint is accessible via REST API without authentication. This could allow an unauthenticated remote attacker to download the files available via the endpoint. | |||||
| CVE-2023-30740 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-05-15 | N/A | 7.6 HIGH |
| SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality, limited impact on integrity and availability of the application. | |||||
| CVE-2023-31404 | 1 Sap | 1 Businessobjects Business Intelligence | 2023-05-15 | N/A | 5.0 MEDIUM |
| Under certain conditions, SAP BusinessObjects Business Intelligence Platform (Central Management Service) - versions 420, 430, allows an attacker to access information which would otherwise be restricted. Some users with specific privileges could have access to credentials of other users. It could let them access data sources which would otherwise be restricted. | |||||
| CVE-2023-30843 | 1 Payloadcms | 1 Payload | 2023-05-05 | N/A | 6.5 MEDIUM |
| Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data. | |||||
| CVE-2023-22580 | 1 Sequelizejs | 1 Sequelize | 2023-04-28 | N/A | 7.5 HIGH |
| Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure. | |||||
| CVE-2023-29517 | 1 Xwiki | 1 Xwiki | 2023-04-28 | N/A | 7.5 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The office document viewer macro was allowing anyone to see any file content from the hosting server, provided that the office server was connected and depending on the permissions of the user running the servlet engine (e.g. tomcat) running XWiki. The same vulnerability also allowed to perform internal requests to resources from the hosting server. The problem has been patched in XWiki 13.10.11, 14.10.1, 14.4.8, 15.0-rc-1. Users are advised to upgrade. It might be possible to workaround this vulnerability by running XWiki in a sandbox with a user with very low privileges on the machine. | |||||
| CVE-2014-10026 | 1 Dlink | 2 Dap-1360, Dap-1360 Firmware | 2023-04-26 | 5.0 MEDIUM | N/A |
| index.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin. | |||||
| CVE-2018-18441 | 2 D-link, Dlink | 36 Dcs-2102 Firmware, Dcs-2121 Firmware, Dcs-2630l Firmware and 33 more | 2023-04-26 | 5.0 MEDIUM | 7.5 HIGH |
| D-Link DCS series Wi-Fi cameras expose sensitive information regarding the device configuration. The affected devices include many of DCS series, such as: DCS-936L, DCS-942L, DCS-8000LH, DCS-942LB1, DCS-5222L, DCS-825L, DCS-2630L, DCS-820L, DCS-855L, DCS-2121, DCS-5222LB1, DCS-5020L, and many more. There are many affected firmware versions starting from 1.00 and above. The configuration file can be accessed remotely through: <Camera-IP>/common/info.cgi, with no authentication. The configuration file include the following fields: model, product, brand, version, build, hw_version, nipca version, device name, location, MAC address, IP address, gateway IP address, wireless status, input/output settings, speaker, and sensor settings. | |||||
| CVE-2021-21816 | 1 Dlink | 2 Dir-3040, Dir-3040 Firmware | 2023-04-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability. | |||||