Total
7971 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9978 | 1 Osnexus | 1 Quantastor | 2024-02-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the system. An attacker could leverage this information to fine-tune and enumerate valid accounts on the system by searching for common usernames. | |||||
| CVE-2007-2379 | 2 Jquery, Netapp | 2 Jquery, Snapcenter | 2024-02-14 | 5.0 MEDIUM | N/A |
| The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | |||||
| CVE-2013-7431 | 1 Mapsplugin | 1 Googlemaps | 2024-02-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| Full path disclosure in the Googlemaps plugin before 3.1 for Joomla!. | |||||
| CVE-2009-4529 | 1 Intervations | 1 Navicopa Web Server | 2024-02-14 | 5.0 MEDIUM | N/A |
| InterVations NaviCOPA Web Server 3.0.1.2 and earlier allows remote attackers to obtain the source code for a web page via a trailing encoded space character in a URI, as demonstrated by /index.html%20 and /index.php%20 URIs. | |||||
| CVE-1999-1136 | 1 Hp | 2 Hp-ux, Mpe Ix | 2024-02-14 | 4.6 MEDIUM | N/A |
| Vulnerability in Predictive on HP-UX 11.0 and earlier, and MPE/iX 5.5 and earlier, allows attackers to compromise data transfer for Predictive messages (using e-mail or modem) between customer and Response Center Predictive systems. | |||||
| CVE-2016-1337 | 1 Cisco | 2 Epc3928, Epc3928 Firmware | 2024-02-14 | 4.3 MEDIUM | 8.1 HIGH |
| Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a "Boot Information Disclosure" issue, aka Bug ID CSCux17178. | |||||
| CVE-2017-16894 | 1 Laravel | 1 Laravel | 2024-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework. | |||||
| CVE-2006-1677 | 1 Maxdev | 1 Md-pro | 2024-02-14 | 6.4 MEDIUM | N/A |
| MAXdev MDPro 1.0.73 and 1.0.72, and possibly other versions before 1.076, allows remote attackers to obtain the full path of the server via a direct request to includes/legacy.php. | |||||
| CVE-2024-22331 | 1 Ibm | 2 Devops Deploy, Urbancode Deploy | 2024-02-13 | N/A | 5.5 MEDIUM |
| IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.19, 7.1 through 7.1.2.15, 7.2 through 7.2.3.8, 7.3 through 7.3.2.3, and IBM UrbanCode Deploy (UCD) - IBM DevOps Deploy 8.0.0.0 could disclose sensitive user information when installing the Windows agent. IBM X-Force ID: 279971. | |||||
| CVE-2024-24740 | 2024-02-13 | N/A | 5.3 MEDIUM | ||
| SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application. | |||||
| CVE-2023-33851 | 1 Ibm | 1 Powervm Hypervisor | 2024-02-12 | N/A | 4.9 MEDIUM |
| IBM PowerVM Hypervisor FW950.00 through FW950.90, FW1020.00 through FW1020.40, and FW1030.00 through FW1030.30 could reveal sensitive partition data to a system administrator. IBM X-Force ID: 257135. | |||||
| CVE-2024-24757 | 1 Degamisu | 1 Open-irs | 2024-02-10 | N/A | 9.8 CRITICAL |
| open-irs is an issue response robot that reponds to issues in the installed repository. The `.env` file was accidentally uploaded when working with git actions. This problem is fixed in 1.0.1. Discontinuing all sensitive keys and turning into secrets. | |||||
| CVE-2024-22421 | 2 Fedoraproject, Jupyter | 3 Fedora, Jupyterlab, Notebook | 2024-02-10 | N/A | 6.5 MEDIUM |
| JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix. | |||||
| CVE-2024-24755 | 1 Discourse | 1 Group Membership Ip Blocks | 2024-02-09 | N/A | 5.3 MEDIUM |
| discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret. | |||||
| CVE-2023-44312 | 1 Apache | 1 Servicecomb | 2024-02-08 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor in Apache ServiceComb Service-Center.This issue affects Apache ServiceComb Service-Center before 2.1.0 (include). Users are recommended to upgrade to version 2.2.0, which fixes the issue. | |||||
| CVE-2024-22200 | 1 Vantage6 | 1 Vantage6-ui | 2024-02-08 | N/A | 5.3 MEDIUM |
| vantage6-UI is the User Interface for vantage6. The docker image used to run the UI leaks the nginx version. To mitigate the vulnerability, users can run the UI as an angular application. This vulnerability was patched in 4.2.0. | |||||
| CVE-2022-29901 | 5 Debian, Fedoraproject, Intel and 2 more | 254 Debian Linux, Fedora, Core I3-6100 and 251 more | 2024-02-04 | 1.9 LOW | 6.5 MEDIUM |
| Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. | |||||
| CVE-2024-23649 | 1 Join-lemmy | 1 Lemmy | 2024-02-02 | N/A | 6.5 MEDIUM |
| Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports. Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported: Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance. Version 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied. | |||||
| CVE-2023-48714 | 1 Silverstripe | 1 Framework | 2024-02-02 | N/A | 4.3 MEDIUM |
| Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue. | |||||
| CVE-2023-40058 | 1 Solarwinds | 1 Access Rights Manager | 2024-02-02 | N/A | 6.5 MEDIUM |
| Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. | |||||