Total
8795 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-38650 | 1 Veeam | 1 Service Provider Console | 2024-09-09 | N/A |
An authentication bypass vulnerability can allow a low privileged attacker to access the NTLM hash of service account on the VSPC server. | ||||
CVE-2024-7697 | 2 Tecno, Transsion | 2 Com.transsion.carlcare, Carlcare | 2024-09-06 | 7.5 High |
Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks. | ||||
CVE-2024-8460 | 1 Dlink | 2 Dns-320, Dns-320 Firmware | 2024-09-06 | 3.7 Low |
A vulnerability, which was classified as problematic, has been found in D-Link DNS-320 2.02b01. Affected by this issue is some unknown functionality of the file /cgi-bin/widget_api.cgi of the component Web Management Interface. The manipulation of the argument getHD/getSer/getSys leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced. | ||||
CVE-2024-45447 | 1 Huawei | 2 Emui, Harmonyos | 2024-09-06 | 4.4 Medium |
Access control vulnerability in the camera framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
CVE-2024-41108 | 1 Fogproject | 1 Fogproject | 2024-09-05 | 7.5 High |
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has missing/improper access control since only the host's mac address is required to obtain the configuration information. This data can only be retrieved if a task is pending on that host. Otherwise, an error message containing "Invalid tasking!" will be returned. The domainpassword in the hostinfo dump is hidden even to authenticated users, as it is displayed as a row of asterisks when navigating to the host's Active Directory settings. This vulnerability is fixed in 1.5.10.41. | ||||
CVE-2024-8106 | 1 Wpextended | 1 Wp Extended | 2024-09-05 | 6.5 Medium |
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.8 via the download_user_ajax function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including usernames, hashed passwords, and emails. | ||||
CVE-2024-42435 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2024-09-04 | 4.9 Medium |
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access. | ||||
CVE-2024-42434 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2024-09-04 | 4.9 Medium |
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access. | ||||
CVE-2024-39824 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2024-09-04 | 4.9 Medium |
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access. | ||||
CVE-2024-39823 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2024-09-04 | 4.9 Medium |
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access. | ||||
CVE-2024-39822 | 1 Zoom | 5 Meeting Software Development Kit, Rooms, Rooms Controller and 2 more | 2024-09-04 | 6.5 Medium |
Sensitive information exposure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow an authenticated user to conduct an information disclosure via network access. | ||||
CVE-2024-44820 | 1 Zzcms | 1 Zzcms | 2024-09-04 | 7.5 High |
A sensitive information disclosure vulnerability exists in ZZCMS v.2023 and before within the eginfo.php file located at /3/E_bak5.1/upload/. When accessed with the query parameter phome=ShowPHPInfo, the application executes the phpinfo() function, which exposes detailed information about the PHP environment, including server configuration, loaded modules, and environment variables. | ||||
CVE-2024-41698 | 1 Priority-software | 1 Priority | 2024-09-03 | 4.3 Medium |
Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | ||||
CVE-2024-43803 | 1 Redhat | 1 Openshift | 2024-09-03 | 4.9 Medium |
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the `Name` and `Namespace` of the Secret, meaning that versions of the baremetal-operator prior to 0.8.0, 0.6.2, and 0.5.2 will read a `Secret` from any namespace. A user with access to create or edit a `BareMetalHost` can thus exfiltrate a `Secret` from another namespace by using it as e.g. the `userData` for provisioning some host (note that this need not be a real host, it could be a VM somewhere). BMO will only read a key with the name `value` (or `userData`, `metaData`, or `networkData`), so that limits the exposure somewhat. `value` is probably a pretty common key though. Secrets used by _other_ `BareMetalHost`s in different namespaces are always vulnerable. It is probably relatively unusual for anyone other than cluster administrators to have RBAC access to create/edit a `BareMetalHost`. This vulnerability is only meaningful, if the cluster has users other than administrators and users' privileges are limited to their respective namespaces. The patch prevents BMO from accepting links to Secrets from other namespaces as BMH input. Any BMH configuration is only read from the same namespace only. The problem is patched in BMO releases v0.7.0, v0.6.2 and v0.5.2 and users should upgrade to those versions. Prior upgrading, duplicate the BMC Secrets to the namespace where the corresponding BMH is. After upgrade, remove the old Secrets. As a workaround, an operator can configure BMO RBAC to be namespace scoped for Secrets, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces. | ||||
CVE-2024-41700 | 1 Barix | 2 Sip Client Firmware, Sip Client Web Management Interface Ui | 2024-09-03 | 7.5 High |
Barix – CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | ||||
CVE-2024-7925 | 1 Zzcms | 1 Zzcms | 2024-09-03 | 4.3 Medium |
A vulnerability was found in ZZCMS 2023. It has been rated as problematic. This issue affects some unknown processing of the file 3/E_bak5.1/upload/eginfo.php. The manipulation of the argument phome with the input ShowPHPInfo leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2024-42337 | 1 Cyberark | 1 Identity | 2024-08-30 | 4.3 Medium |
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | ||||
CVE-2024-42338 | 1 Cyberark | 1 Identity | 2024-08-30 | 4.3 Medium |
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | ||||
CVE-2024-42339 | 1 Cyberark | 1 Identity | 2024-08-30 | 4.3 Medium |
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | ||||
CVE-2024-6633 | 1 Fortra | 1 Filecatalyst Workflow | 2024-08-30 | 9.8 Critical |
The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB. |