Filtered by CWE-200
Total 8768 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-42454 1 Lovasoa 1 Sqlpage 2024-09-26 10 Critical
SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the `sqlpage/sqlpage.json` configuration file (not in an environment variable), with the web_root is the current working directory (the default), and with their database exposed publicly, is vulnerable to an attacker retrieving database connection information from SQLPage and using it to connect to their database directly. Version 0.11.0 fixes this issue. Some workarounds are available. Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions. Using a different web root (that is not a parent of the SQLPage configuration directory) fixes the issue. One should also avoid exposing one's database publicly.
CVE-2024-42351 2024-09-26 6.5 Medium
Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. An attacker can potentially replace the contents of public datasets resulting in data loss or tampering. All supported branches of Galaxy (and more back to release_21.05) were amended with the below patch. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-43237 1 Taxopress 1 Taxopress 2024-09-26 5.3 Medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in TaxoPress WordPress Tag Cloud Plugin – Tag Groups.This issue affects WordPress Tag Cloud Plugin – Tag Groups: from n/a through 2.0.3.
CVE-2024-47059 1 Mautic 1 Mautic 2024-09-25 4.3 Medium
When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak. However when an incorrect username is provided alongside with a weak password, the application responds with ’Invalid credentials’ notification. This difference could be used to perform username enumeration.
CVE-2023-42387 1 Tdsql Chitu Project 1 Tdsql Chitu 2024-09-25 7.5 High
An issue in TDSQL Chitu management platform v.10.3.19.5.0 allows a remote attacker to obtain sensitive information via get_db_info function in install.php.
CVE-2024-47060 1 Zitadel 1 Zitadel 2024-09-25 4.3 Medium
Zitadel is an open source identity management platform. In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. The issue stems from the fact that when an organization is deactivated in Zitadel, the applications associated with it do not automatically deactivate. The application lifecycle is not tightly coupled with the organization's lifecycle, leading to a situation where the organization or project is marked as inactive, but its resources remain accessible. This vulnerability allows for unauthorized access to projects and their resources, which should have been restricted post-organization deactivation. Versions 2.62.1, 2.61.1, 2.60.2, 2.59.3, 2.58.5, 2.57.5, 2.56.6, 2.55.8, and 2.54.10 have been released which address this issue. Users are advised to upgrade. Users unable to upgrade may explicitly disable the application to make sure the client is not allowed anymore.
CVE-2023-39677 2 Simpleimportproduct Project, Updateproducts Project 2 Simpleimportproduct, Updateproducts 2024-09-25 7.5 High
MyPrestaModules Prestashop Module v6.2.9 and UpdateProducts Prestashop Module v3.6.9 were discovered to contain a PHPInfo information disclosure vulnerability via send.php.
CVE-2023-39045 1 Kokoroe Members Card Project 1 Kokoroe Members Card 2024-09-25 6.5 Medium
An information leak in kokoroe_members card Line 13.6.1 allows attackers to obtain the channel access token and send crafted messages.
CVE-2023-37263 1 Strapi 1 Strapi 2024-09-25 6.8 Medium
Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue.
CVE-2023-40712 1 Apache 1 Airflow 2024-09-25 6.5 Medium
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
CVE-2023-36472 1 Strapi 1 Strapi 2024-09-25 5.8 Medium
Strapi is an open-source headless content management system. Prior to version 4.11.7, an unauthorized actor can get access to user reset password tokens if they have the configure view permissions. The `/content-manager/relations` route does not remove private fields or ensure that they can't be selected. This issue is fixed in version 4.11.7.
CVE-2024-3716 1 Redhat 1 Satellite 2024-09-25 6.2 Medium
A flaw was found in foreman-installer when puppet-candlepin is invoked cpdb with the --password parameter. This issue leaks the password in the process list and allows an attacker to take advantage and obtain the password.
CVE-2023-43617 1 Schollz 1 Croc 2024-09-25 5.3 Medium
An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.
CVE-2023-41293 1 Huawei 2 Emui, Harmonyos 2024-09-25 7.5 High
Data security classification vulnerability in the DDMP module. Successful exploitation of this vulnerability may affect confidentiality.
CVE-2023-39052 1 Earthgarden Waiting Project 1 Earthgarden Waiting 2024-09-25 6.5 Medium
An information leak in Earthgarden_waiting 13.6.1 allows attackers to obtain the channel access token and send crafted messages.
CVE-2023-38344 1 Ivanti 1 Endpoint Manager 2024-09-25 6.5 Medium
An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access.
CVE-2024-27838 2 Apple, Redhat 8 Ipados, Iphone Os, Macos and 5 more 2024-09-25 6.5 Medium
The issue was addressed by adding additional logic. This issue is fixed in tvOS 17.5, iOS 16.7.8 and iPadOS 16.7.8, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. A maliciously crafted webpage may be able to fingerprint the user.
CVE-2024-27850 1 Apple 5 Ipados, Iphone Os, Macos and 2 more 2024-09-25 6.5 Medium
This issue was addressed with improvements to the noise injection algorithm. This issue is fixed in visionOS 1.2, macOS Sonoma 14.5, Safari 17.5, iOS 17.5 and iPadOS 17.5. A maliciously crafted webpage may be able to fingerprint the user.
CVE-2024-27830 1 Apple 7 Ipados, Iphone Os, Macos and 4 more 2024-09-25 6.5 Medium
This issue was addressed through improved state management. This issue is fixed in tvOS 17.5, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. A maliciously crafted webpage may be able to fingerprint the user.
CVE-2023-36551 1 Fortinet 1 Fortisiem 2024-09-24 4.2 Medium
A exposure of sensitive information to an unauthorized actor in Fortinet FortiSIEM version 6.7.0 through 6.7.5 allows attacker to information disclosure via a crafted http request.