Total: 8765 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-7415 | 1 Coffee2code | 1 Remember Me Controls | 2024-09-30 | 5.3 Medium |
The Remember Me Controls plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.1. This is due to the plugin allowing direct access to the bootstrap.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
CVE-2021-32050 | 1 Mongodb | 5 C++, C Driver, Node.js and 2 more | 2024-09-30 | 4.2 Medium |
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0). | ||||
CVE-2019-3016 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2024-09-30 | 6.2 Medium |
In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limited to the host running Linux kernel 4.10 with a guest running Linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out. | ||||
CVE-2020-2732 | 1 Redhat | 2 Enterprise Linux, Rhel Extras Rt | 2024-09-30 | 5.8 Medium |
A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. | ||||
CVE-2024-8801 | 1 Wedevs | 1 Happy Addons For Elementor | 2024-09-30 | 4.3 Medium |
The Happy Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.2 via the Content Switcher widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including private, draft, and pending Elementor templates. | ||||
CVE-2023-5359 | 1 Boldgrid | 1 W3 Total Cache | 2024-09-30 | 3.7 Low |
The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress user's site in any way. | ||||
CVE-2024-7426 | 1 Peepso | 2 Community By Peepso, Peepso | 2024-09-30 | 5.3 Medium |
The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.6.0. This is due to the plugin displaying errors and allowing direct access to the sse.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
CVE-2024-46471 | 1 Codeastro | 1 Membership Management System | 2024-09-30 | 7.5 High |
The Directory Listing in /uploads/ Folder in CodeAstro Membership Management System 1.0 exposes the structure and contents of directories, potentially revealing sensitive information. | ||||
CVE-2023-37379 | 1 Apache | 1 Airflow | 2024-09-27 | 8.1 High |
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server. Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface. | ||||
CVE-2023-41745 | 4 Acronis, Apple, Linux and 1 more | 5 Agent, Cyber Protect, Macos and 2 more | 2024-09-27 | 5.5 Medium |
Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30991, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979. | ||||
CVE-2024-6499 | 1 Maxfoundry | 1 Maxbuttons | 2024-09-26 | 5.3 Medium |
The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 9.7.8. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use. | ||||
CVE-2023-41749 | 2 Acronis, Microsoft | 3 Agent, Cyber Protect, Windows | 2024-09-26 | 7.5 High |
Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Agent (Windows) before build 32047, Acronis Cyber Protect 15 (Windows) before build 35979. | ||||
CVE-2023-32271 | 1 Openautomationsoftware | 1 Oas Platform | 2024-09-26 | 6.5 Medium |
An information disclosure vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to a disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
CVE-2023-39620 | 2 Buffalo, Buffalo America Inc | 3 Terastation Nas 5410r, Terastation Nas 5410r Firmware, Terastation Nas Ts5410r | 2024-09-26 | 7.5 High |
An issue in Buffalo America, Inc. TeraStation NAS TS5410R v.5.00 thru v.0.07 allows a remote attacker to obtain sensitive information via the guest account function. | ||||
CVE-2023-40029 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2024-09-26 | 9.9 Critical |
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets, it also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation, which includes the full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access. **Note:** In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy the cluster secret with the `server-side-apply` flag, which does not use or rely on the `kubectl.kubernetes.io/last-applied-configuration` annotation. Note: the annotation for existing secrets will require manual removal. | ||||
CVE-2023-4876 | 1 Hamza417 | 1 Inure | 2024-09-26 | 7.5 High |
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository hamza417/inure prior to build92. | ||||
CVE-2023-28010 | 1 Hcltech | 1 Domino | 2024-09-26 | 4 Medium |
In some configuration scenarios, the Domino server host name can be exposed. This information could be used to target future attacks. | ||||
CVE-2024-8538 | 1 Infiniteuploads | 1 Big File Uploads | 2024-09-26 | 4.3 Medium |
The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due to the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-level access and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
CVE-2023-41050 | 1 Zope | 2 Accesscontrol, Zope | 2024-09-26 | 6.8 Medium |
AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
CVE-2023-4877 | 1 Hamza417 | 1 Inure | 2024-09-26 | 7.5 High |
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository hamza417/inure prior to build92. |