Total
8795 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-7554 | 1 Gitlab | 1 Gitlab | 2024-08-29 | 4.9 Medium |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner. | ||||
CVE-2024-42493 | 1 Dorsettcontrols | 1 Infoscan | 2024-08-29 | 5.3 Medium |
Dorsett Controls InfoScan is vulnerable due to a leak of possible sensitive information through the response headers and the rendered JavaScript prior to user login. | ||||
CVE-2024-39287 | 1 Dorsettcontrols | 1 Infoscan | 2024-08-29 | 5.3 Medium |
Dorsett Controls Central Server update server has potential information leaks with an unprotected file that contains passwords and API keys. | ||||
CVE-2024-45043 | 1 Opentelemetry | 1 Opentelemetry Collector Contrib | 2024-08-29 | 5.3 Medium |
The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. `awsfirehosereceiver` allows unauthenticated remote requests, even when configured to require a key. OpenTelemetry Collector can be configured to receive CloudWatch metrics via an AWS Firehose Stream. Firehose sets the header `X-Amz-Firehose-Access-Key` with an arbitrary configured string. The OpenTelemetry Collector awsfirehosereceiver can optionally be configured to require this key on incoming requests. However, when this is configured it **still accepts incoming requests with no key**. Only OpenTelemetry Collector users configured with the “alpha” `awsfirehosereceiver` module are affected. This module was added in version v0.49.0 of the “Contrib” distribution (or may be included in custom builds). There is a risk of unauthorized users writing metrics. Carefully crafted metrics could hide other malicious activity. There is no risk of exfiltrating data. It’s likely these endpoints will be exposed to the public internet, as Firehose does not support private HTTP endpoints. A fix was introduced in PR #34847 and released with v0.108.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
CVE-2024-6448 | 1 Mollie | 1 Mollie Payments For Woocommerce | 2024-08-28 | 5.3 Medium |
The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 7.7.0. This is due to the error reporting being enabled by default in multiple plugin files. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use. | ||||
CVE-2024-43289 | 1 Gvectors | 1 Wpforo Forum | 2024-08-26 | 7.5 High |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4. | ||||
CVE-2024-43283 | 2024-08-26 | 5.3 Medium | ||
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Contest Gallery.This issue affects Contest Gallery: from n/a through 23.1.2. | ||||
CVE-2024-43319 | 2024-08-26 | 4.3 Medium | ||
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in bPlugins LLC Flash & HTML5 Video.This issue affects Flash & HTML5 Video: from n/a through 2.5.31. | ||||
CVE-2024-39344 | 1 Salesforce | 1 Docusign Api Package For Salesforce | 2024-08-26 | 8.1 High |
An issue was discovered in the Docusign API package 8.142.14 for Salesforce. The Apttus_DocuApi__DocusignAuthentication__mdt object is installed via the marketplace from this package and stores some configuration information in a manner that could be compromised. With the default settings when installed for all users, the object can be accessible and (via its fields) could disclose some keys. These disclosed components can be combined to create a valid session via the Docusign API. This will generally lead to a complete compromise of the Docusign account because the session is for an administrator service account and may have permission to re-authenticate as specific users with the same authorization flow. | ||||
CVE-2024-7339 | 3 Artion-sec, Provision-isr, Tvt | 11 Av108t, Dvr Firmware, Dvr Firmware and 8 more | 2024-08-23 | 5.3 Medium |
A vulnerability has been found in TVT DVR TD-2104TS-CL, DVR TD-2108TS-HP, Provision-ISR DVR SH-4050A5-5L(MM) and AVISION DVR AV108T and classified as problematic. This vulnerability affects unknown code of the file /queryDevInfo. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273262 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2024-7328 | 1 Youdiancms | 1 Youdiancms | 2024-08-23 | 5.3 Medium |
A vulnerability, which was classified as problematic, has been found in YouDianCMS 7. This issue affects some unknown processing of the file /t.php?action=phpinfo. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273251. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
CVE-2024-8072 | 1 Mage | 1 Mage-ai | 2024-08-22 | 5.3 Medium |
Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users | ||||
CVE-2024-5880 | 2024-08-21 | 4.3 Medium | ||
The Hide My Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 due to the plugin not restricting access to the REST API when password protection is enabled. This makes it possible for unauthenticated attackers to gain unauthorized access to the site. | ||||
CVE-2022-26327 | 2024-08-21 | N/A | ||
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in OpenText Performance Center on Windows allows Retrieve Embedded Sensitive Data.This issue affects Performance Center: 12.63. | ||||
CVE-2024-6568 | 2024-08-21 | 5.3 Medium | ||
The Flamix: Bitrix24 and Contact Form 7 integrations plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.1.0. This is due the plugin utilizing mobiledetect without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
CVE-2024-7842 | 2 Sourcecodester, Tamparongj 03 | 2 Online Graduate Tracer System, Online Graduate Tracer System | 2024-08-21 | 5.3 Medium |
A vulnerability, which was classified as problematic, has been found in SourceCodester Online Graduate Tracer System 1.0. This issue affects some unknown processing of the file /tracking/admin/export_it.php. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2024-7843 | 2 Sourcecodester, Tamparongj 03 | 2 Online Graduate Tracer System, Online Graduate Tracer System | 2024-08-21 | 5.3 Medium |
A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file /tracking/admin/exportcs.php. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
CVE-2024-41723 | 1 F5 | 21 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 18 more | 2024-08-20 | 4.3 Medium |
Undisclosed requests to BIG-IP iControl REST can lead to information leak of user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
CVE-2024-42657 | 1 Nepstech | 2 Ntpl-xpon1gfevn, Ntpl-xpon1gfevn Firmware | 2024-08-20 | 7.5 High |
An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the lack of encryption during login process | ||||
CVE-2024-42658 | 1 Nepstech | 2 Ntpl-xpon1gfevn, Ntpl-xpon1gfevn Firmware | 2024-08-20 | 8.8 High |
An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the cookie's parameter |