Total
8699 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-34708 | 2024-08-02 | 4.9 Medium | ||
| Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will return `**********` however if we change the request to `?alias[workaround]=redacted` we can instead retrieve the plain text value for the field. This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them. This vulnerability is fixed in 10.11.0. | ||||
| CVE-2024-34556 | 2024-08-02 | 5.3 Medium | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.4. | ||||
| CVE-2024-34696 | 1 Geoserver | 1 Geoserver | 2024-08-02 | 4.5 Medium |
| GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured. The `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly. Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice. | ||||
| CVE-2024-34549 | 2024-08-02 | 5.3 Medium | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Automattic WP Job Manager.This issue affects WP Job Manager: from n/a through 2.2.2. | ||||
| CVE-2024-34529 | 2024-08-02 | N/A | ||
| Nebari through 2024.4.1 prints the temporary Keycloak root password. | ||||
| CVE-2024-34358 | 2024-08-02 | 5.3 Medium | ||
| TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described. | ||||
| CVE-2024-34382 | 2024-08-02 | 5.3 Medium | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in RoboSoft Robo Gallery.This issue affects Robo Gallery: from n/a through 3.2.18. | ||||
| CVE-2024-34368 | 2024-08-02 | 5.3 Medium | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mooberry Dreams Mooberry Book Manager.This issue affects Mooberry Book Manager: from n/a through 4.15.12. | ||||
| CVE-2024-34388 | 2024-08-02 | 7.5 High | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Scribit GDPR Compliance.This issue affects GDPR Compliance: from n/a through 1.2.5. | ||||
| CVE-2024-34029 | 2024-08-02 | 4.3 Medium | ||
| Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team. | ||||
| CVE-2024-34003 | 2024-08-02 | 5.9 Medium | ||
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||||
| CVE-2024-34005 | 2024-08-02 | 6.5 Medium | ||
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||||
| CVE-2024-34080 | 2024-08-02 | 5.3 Medium | ||
| MantisBT (Mantis Bug Tracker) is an open source issue tracker. If an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip. This can result in disclosure of the existence of the note, the note author name, the note creation timestamp, and the issue id the note belongs to. Version 2.26.2 contains a patch for the issue. No known workarounds are available. | ||||
| CVE-2024-34004 | 2024-08-02 | N/A | ||
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||||
| CVE-2024-33669 | 1 Passbolt | 1 Passbolt Api | 2024-08-02 | 6.1 Medium |
| An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily brute force passwords that are manually typed by the user. | ||||
| CVE-2024-33753 | 2024-08-02 | 8.2 High | ||
| Section Camera V2.5.5.3116-S50-SMA-B20160811 and earlier versions allow the accounts and passwords of administrators and users to be changed without authorization. | ||||
| CVE-2024-33538 | 2024-08-02 | 5.3 Medium | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Fastline Media LLC Assistant – Every Day Productivity Apps.This issue affects Assistant – Every Day Productivity Apps: from n/a through 1.4.9.1. | ||||
| CVE-2024-32967 | 2024-08-02 | 5.3 Medium | ||
| Zitadel is an open source identity management system. In case ZITADEL could not connect to the database, connection information including db name, username and db host name could be returned to the user. This has been addressed in all supported release branches in a point release. There is no workaround since a patch is already available. Users are advised to upgrade. | ||||
| CVE-2024-32963 | 2024-08-02 | 4.2 Medium | ||
| Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-32726 | 2024-08-02 | 7.5 High | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in vinoth06. Frontend Dashboard.This issue affects Frontend Dashboard: from n/a through 2.2.2. | ||||