Total
25 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57734 | 2025-08-20 | N/A | N/A | ||
| In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files | |||||
| CVE-2025-27017 | 1 Apache | 1 Nifi | 2025-07-16 | N/A | 6.5 MEDIUM |
| Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records. | |||||
| CVE-2025-46820 | 2025-05-06 | N/A | N/A | ||
| phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue. | |||||
| CVE-2025-31421 | 2025-04-04 | N/A | N/A | ||
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin allows Retrieve Embedded Sensitive Data.This issue affects Srbtranslatin: from n/a through 3.2.0. | |||||
| CVE-2025-31558 | 2025-04-03 | N/A | N/A | ||
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through 0.4.4. | |||||
| CVE-2025-31550 | 2025-04-01 | N/A | N/A | ||
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in thom4 WP-LESS allows Retrieve Embedded Sensitive Data. This issue affects WP-LESS: from 1.9.3 through 3. | |||||
| CVE-2025-27150 | 2025-03-04 | N/A | N/A | ||
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect-system-data. These archives are likely to be used by support teams that should not have access to this password. The vulnerability is fixed in Tuleap Community Edition 16.4.99.1740492866 and Tuleap Enterprise Edition 16.4-6 and 16.3-11. | |||||
| CVE-2025-22633 | 2025-02-23 | N/A | N/A | ||
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Matt Cromwell Give – Divi Donation Modules allows Retrieve Embedded Sensitive Data. This issue affects Give – Divi Donation Modules: from n/a through 2.0.0. | |||||
| CVE-2025-24689 | 2025-01-27 | N/A | N/A | ||
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in codection Import and export users and customers allows Retrieve Embedded Sensitive Data. This issue affects Import and export users and customers: from n/a through 1.27.12. | |||||
| CVE-2025-22773 | 2025-01-15 | N/A | N/A | ||
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WPChill Htaccess File Editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Htaccess File Editor: from n/a through 1.0.19. | |||||
| CVE-2025-22306 | 2025-01-07 | N/A | N/A | ||
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Link Whisper Link Whisper Free.This issue affects Link Whisper Free: from n/a through 0.7.7. | |||||
| CVE-2024-47580 | 2024-12-10 | N/A | N/A | ||
| An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability. | |||||
| CVE-2024-47579 | 2024-12-10 | N/A | N/A | ||
| An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability | |||||
| CVE-2024-0191 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-05-17 | N/A | 5.3 MEDIUM |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/uploads/. The manipulation leads to file and directory information exposure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249504. | |||||
| CVE-2023-4595 | 2 Microsoft, Seattlelab | 2 Windows, Slmail | 2023-11-29 | N/A | 6.5 MEDIUM |
| An information exposure vulnerability has been found, the exploitation of which could allow a remote user to retrieve sensitive information stored on the server such as credential files, configuration files, application files, etc., simply by appending any of the following parameters to the end of the URL: %00 %0a, %20, %2a, %a0, %aa, %c0 and %ca. | |||||
| CVE-2018-11798 | 1 Apache | 1 Thrift | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path. | |||||
| CVE-2019-10320 | 1 Jenkins | 1 Credentials | 2023-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate. | |||||
| CVE-2021-40363 | 1 Siemens | 2 Simatic Pcs 7, Simatic Wincc | 2022-10-06 | 2.1 LOW | 7.8 HIGH |
| A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions <= V17 Update 4), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The affected component stores the credentials of a local system account in a potentially publicly accessible project file using an outdated cipher algorithm. An attacker may use this to brute force the credentials and take over the system. | |||||
| CVE-2021-21250 | 1 Onedev Project | 1 Onedev | 2021-01-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file. | |||||
| CVE-2019-12623 | 1 Cisco | 1 Enterprise Network Functions Virtualization Infrastructure | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the web server functionality of Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform file enumeration on an affected system. The vulnerability is due to the web server responding with different error codes for existing and non-existing files. An attacker could exploit this vulnerability by sending GET requests for different file names. A successful exploit could allow the attacker to enumerate files residing on the system. | |||||