| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory. |
| selinux-policy as packaged in Red Hat OpenShift 2 allows attackers to obtain process listing information via a privilege escalation attack. |
| Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OXI Interface). Supported versions that are affected are 5.4.0.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 5.5.0.x and 5.5.1.x. Easily "exploitable" vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). |
| An issue was discovered in Adobe Digital Editions 4.5.6 and earlier versions. Adobe Digital Editions parses crafted XML files in an unsafe manner, which could lead to sensitive information disclosure. |
| IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 7.0 and 8.0 could allow an authenticated attacker to obtain information such as user personal data. IBM X-Force ID: 128622. |
| Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/app_theme/libs/check_file.php via $_GET['src'] or $_GET['name']. |
| The mod_nss module before 1.0.11 in Fedora allows remote attackers to obtain cipher lists due to incorrect parsing of multi-keyword cipherstring. |
| In TrustZone in all Android releases from CAF using the Linux kernel, an Information Exposure Through Timing Discrepancy vulnerability could potentially exist. |
| Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: File Management). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Application Object Library accessible data. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). |
| MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. |
| Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Room Image/Picture Setup). Supported versions that are affected are 5.4.0.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 5.5.0.x and 5.5.1.x. Easily "exploitable" vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). |
| Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming connections. This allows an attacker to impersonate a Datto Backup Appliance to "pair" with the agent and issue requests to this agent, if the attacker can reach the agent on TCP port 25566 or 25568, and send unspecified "specific information" by which the agent identifies a network device that is "appearing to be a valid Datto." |
| IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a local attacker to obtain sensitive information using HTTP Header Injection. IBM Reference #: 1998053. |
| An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "iBooks" component. It allows remote attackers to obtain sensitive information from local files via a file: URL in an iBooks file. |
| IBM Sterling B2B Integrator Standard Edition 5.2 could allow a local user view sensitive information due to improper access controls. IBM X-Force ID: 125456. |
| An information disclosure vulnerability in the logging implementation of BlackBerry Good Control Server versions earlier than 2.3.53.62 allows remote attackers to gain and use logged encryption keys to access certain resources within a customer's Good deployment by gaining access to certain diagnostic log files through either a valid logon or an unrelated compromise of the server. |
| Under non-standard configurations, IBM WebSphere MQ might send password data in clear text over the network. This data could be intercepted using man in the middle techniques. |
| IBM Sametime 8.5.1 and 9.0 could allow an authenticated user to enumerate meeting rooms by guessing the meeting room id. IBM X-Force ID: 113847. |
| A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698. |
| On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement offloading. |
