Total: 7971 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-30841 | 1 Linuxfoundation | 1 Baremetal Operator | 2023-05-09 | N/A | 5.5 MEDIUM |
| Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241. | |||||
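The workaround above (recreate the htpasswd ConfigMaps as Secrets) is easy to get wrong across namespaces, so here is an added example, not part of baremetal-operator, that audits `kubectl get configmaps -A -o json` output for htpasswd material and emits the equivalent Secret manifest. The ConfigMap name, key and hash value in `SAMPLE` are constructed, not BMO's real layout, and the htpasswd line pattern is an assumed heuristic covering the formats htpasswd(1) writes.

```python
"""Find ConfigMaps that carry htpasswd material and emit Secret manifests instead.

Added example; not part of baremetal-operator. Input is the JSON shape of
`kubectl get configmaps -A -o json` (read from stdin when piped, otherwise the
constructed SAMPLE below). Nothing here contacts a cluster.
"""
import base64
import json
import re
import sys

# Formats htpasswd(1) writes: user:$apr1$..., user:$2y$..., user:{SHA}...  (assumed heuristic)
HTPASSWD_LINE = re.compile(r"^[^:\s]+:(\$apr1\$|\$2[aby]\$\d\d\$|\{SHA\})\S+$")

# Constructed sample: the first item mimics a ConfigMap created by a deploy script,
# the second is an ordinary ConfigMap that must not be flagged.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "baremetal-operator-system", "name": "ironic-htpasswd"},
         "data": {"IRONIC_HTPASSWD": "ironic-user:$apr1$Q1wErTy9$fakehashfakehashfakehash"}},
        {"metadata": {"namespace": "kube-system", "name": "coredns"},
         "data": {"Corefile": ".:53 {\n    errors\n}\n"}},
    ]
}


def looks_like_htpasswd(value: str) -> bool:
    """True when every non-empty line is a user:hash entry."""
    lines = [ln for ln in value.splitlines() if ln.strip()]
    return bool(lines) and all(HTPASSWD_LINE.match(ln) for ln in lines)


def find_htpasswd_configmaps(cm_list: dict) -> list:
    """(namespace, name, key) for each ConfigMap entry that holds htpasswd data."""
    hits = []
    for cm in cm_list.get("items", []):
        meta = cm.get("metadata", {})
        for key, value in (cm.get("data") or {}).items():
            if key.lower().endswith("htpasswd") or looks_like_htpasswd(value):
                hits.append((meta.get("namespace", "default"), meta["name"], key))
    return hits


def configmap_to_secret(cm: dict) -> dict:
    """Equivalent Opaque Secret; `data` must be base64, unlike a ConfigMap's `data`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": cm["metadata"]["name"],
                     "namespace": cm["metadata"].get("namespace", "default")},
        "data": {k: base64.b64encode(v.encode()).decode()
                 for k, v in (cm.get("data") or {}).items()},
    }


def secret_plain_data(secret: dict) -> dict:
    """Decode a Secret's data back to strings (round-trip check before deleting the ConfigMap)."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


if __name__ == "__main__":
    cm_list = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, name, key in find_htpasswd_configmaps(cm_list):
        cm = next(i for i in cm_list["items"]
                  if i["metadata"]["name"] == name and i["metadata"].get("namespace", "default") == ns)
        print(f"# {ns}/{name}: key {key!r} holds htpasswd data; Secret manifest:", file=sys.stderr)
        print(json.dumps(configmap_to_secret(cm), indent=2))
```

Pipe real output in with `kubectl get cm -A -o json | python3 audit_htpasswd.py > secrets.json`, review it, `kubectl apply -f` it, point the kustomization at the Secret (under whatever name the patched manifests expect), and only then delete the ConfigMap. Note that moving the data into a Secret does not remove it from etcd history or from anyone who already read it; rotate the htpasswd credentials as well.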
| CVE-2023-30843 | 1 Payloadcms | 1 Payload | 2023-05-05 | N/A | 6.5 MEDIUM |
| Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data. | |||||
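To make the brute-force concrete, here is an added example, not Payload's code, that models a collection in memory: `docs_matching` plays the role of a find endpoint that (as before 1.7.0) evaluates `where` clauses against a hidden field the requester cannot read, `recover_hidden_value` extracts that field one character at a time using only "is my document in the result?" as the oracle, and `strip_hidden_clauses` is the logic a `beforeOperation` hook would apply to `args.where` to close the channel. Operator semantics (`equals`, `contains`, `and`, `or`) are assumed from Payload's query syntax; `DOCS`, `HIDDEN_FIELDS` and the alphabet are constructed.

```python
"""Brute-forcing a hidden Payload field through `where` filters, and the hook logic that stops it.

Added example, not Payload's code. Everything below is an in-memory stand-in for a
Payload collection; nothing talks to a real Payload instance.
"""
from typing import Callable, Optional

# Constructed collection: `apiKey` is hidden from the requesting user, who can read
# `id` and `title` of both documents.
DOCS = [
    {"id": "1", "title": "public post", "apiKey": "sk-9f2c"},
    {"id": "2", "title": "another post", "apiKey": "sk-zz"},
]
HIDDEN_FIELDS = {"apiKey"}
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"   # assumed to cover the secret's charset


def strip_hidden_clauses(where: dict, hidden: set) -> dict:
    """Remove every clause keyed on a hidden field, recursing through and/or.
    Branches that become empty are dropped, so an `or` made only of hidden clauses
    ends up matching nothing rather than everything."""
    out = {}
    for key, val in where.items():
        if key in ("and", "or"):
            out[key] = [w for w in (strip_hidden_clauses(w, hidden) for w in val) if w]
        elif key not in hidden:
            out[key] = val
    return out


def _match(doc: dict, where: dict) -> bool:
    """Evaluate a where object against one document (subset of Payload's operators)."""
    if "and" in where:
        return all(_match(doc, w) for w in where["and"])
    if "or" in where:
        return any(_match(doc, w) for w in where["or"])
    for field, cond in where.items():
        value = str(doc.get(field, ""))
        for op, arg in cond.items():
            if op == "equals" and value != arg:
                return False
            if op == "contains" and arg not in value:
                return False
    return True


def docs_matching(where: dict, sanitize: bool = False) -> list:
    """Ids a find request returns. sanitize=True applies the workaround first."""
    if sanitize:
        where = strip_hidden_clauses(where, HIDDEN_FIELDS)
    return [d["id"] for d in DOCS if _match(d, where)]


def recover_hidden_value(field: str, doc_id: str, oracle: Callable[[dict], list],
                         max_len: int = 64) -> Optional[str]:
    """Rebuild a hidden string from the yes/no oracle "is doc_id returned for
    where[field][contains]=s?": pick one character that is present, grow the
    substring rightwards until no character fits, then leftwards. Returns None when
    the oracle never says no (every character "present"), i.e. the filter is ignored."""
    def seen(s: str) -> bool:
        return doc_id in oracle({field: {"contains": s}})

    present = [c for c in ALPHABET if seen(c)]
    if not present or len(present) == len(ALPHABET):
        return None

    def grow(s: str, left: bool) -> str:
        while len(s) < max_len:
            nxt = next((c for c in ALPHABET if seen(c + s if left else s + c)), None)
            if nxt is None:
                return s
            s = nxt + s if left else s + nxt
        return s

    return grow(grow(present[0], left=False), left=True)


if __name__ == "__main__":
    print("unpatched :", recover_hidden_value("apiKey", "1", docs_matching))
    print("with hook :", recover_hidden_value("apiKey", "1", lambda w: docs_matching(w, sanitize=True)))
```

The cost is linear in the secret's length times the alphabet size, so a 40-character key falls in a few thousand requests; rate limiting only slows this down. Stripping (or rejecting) clauses on fields the caller cannot read, before the query reaches the database, is what removes the oracle, which is why the advisory's hook-based workaround and the 1.7.0 fix both act on the `where` object rather than on the returned documents.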
| CVE-2023-2281 | 1 Mattermost | 1 Mattermost Server | 2023-05-04 | N/A | 4.3 MEDIUM |
| When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team. | |||||
| CVE-2023-22577 | 1 Home.cern | 2 White Rabbit Switch, White Rabbit Switch Firmware | 2023-05-02 | N/A | 7.5 HIGH |
| Within White Rabbit Switch it's possible as an unauthenticated user to retrieve sensitive information such as password hashes and the SNMP community strings. | |||||
| CVE-2023-30611 | 1 Discourse | 1 Reactions | 2023-05-01 | N/A | 5.3 MEDIUM |
| Discourse-reactions is a plugin that lets users add reactions to posts in the Discourse messaging platform. In affected versions, data about which reactions were performed on a post in a private topic could be leaked. This issue has been addressed in version 0.3. Users are advised to upgrade. Users unable to upgrade should disable the discourse-reactions plugin to fully mitigate the issue. | |||||
| CVE-2023-22580 | 1 Sequelizejs | 1 Sequelize | 2023-04-28 | N/A | 7.5 HIGH |
| Due to improper input filtering in the Sequelize JS library, malicious queries can lead to sensitive information disclosure. | |||||
| CVE-2023-29517 | 1 Xwiki | 1 Xwiki | 2023-04-28 | N/A | 7.5 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The office document viewer macro allowed anyone to read the content of any file on the hosting server, provided that the office server was connected, limited only by the permissions of the user running the servlet engine (e.g. Tomcat) that runs XWiki. The same vulnerability also allowed internal requests to resources on the hosting server (SSRF). The problem has been patched in XWiki 13.10.11, 14.10.1, 14.4.8, 15.0-rc-1. Users are advised to upgrade. It might be possible to work around this vulnerability by running XWiki in a sandbox as a user with very low privileges on the machine. | |||||
| CVE-2023-30540 | 1 Nextcloud | 1 Talk | 2023-04-27 | N/A | 4.3 MEDIUM |
| Nextcloud Talk is a chat, video & audio call extension for Nextcloud. In affected versions, a user who was added to a conversation later could use that access to retrieve data that had been deleted before they were added to the conversation. This issue has been patched in version 15.0.5 and it is recommended that users upgrade to 15.0.5. There are no known workarounds for this issue. | |||||
| CVE-2023-22307 | 1 Tribe29 | 1 Checkmk Appliance Firmware | 2023-04-27 | N/A | 5.5 MEDIUM |
| Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows a local attacker to retrieve passwords by reading log files. | |||||
| CVE-2022-41862 | 3 Fedoraproject, Postgresql, Redhat | 6 Fedora, Postgresql, Enterprise Linux and 3 more | 2023-04-27 | N/A | 3.7 LOW |
| In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. | |||||
| CVE-2022-0812 | 1 Linux | 1 Linux Kernel | 2023-04-27 | N/A | 4.3 MEDIUM |
| An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux Kernel. This flaw allows an attacker with normal user privileges to leak kernel information. | |||||
| CVE-2023-1831 | 1 Mattermost | 1 Mattermost Server | 2023-04-26 | N/A | 7.5 HIGH |
| Mattermost fails to redact from audit logs the user password during user creation, and the user password hash in other operations, if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). | |||||
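Anyone who ran with ExperimentalAuditSettings enabled on an affected version has credentials sitting in log storage, so the practical follow-up is to find and scrub them. The following is an added example, not Mattermost code: it scans JSON-lines audit records for keys that name a credential or values shaped like a bcrypt hash (the format Mattermost stores), reports where they are, and produces a redacted copy. The record layout in `SAMPLE_LOG` is constructed; the real audit output has different field names, so adapt `SENSITIVE_KEY` to it.

```python
"""Scan JSON audit records for unredacted passwords/hashes and redact them.

Added example, not Mattermost's code. SAMPLE_LOG is constructed to resemble audit
events; adjust the key pattern to the real field names before running on production logs.
"""
import json
import re
from typing import Iterable

REDACTED = "***"
# Key names that should never carry a live value in a log (assumed list).
SENSITIVE_KEY = re.compile(r"(^|_)(password|passwd|password_hash|hash|token|secret)$", re.I)
# $2a$/$2b$/$2y$ + cost + 22-char salt + 31-char digest = the bcrypt modular crypt format.
BCRYPT_HASH = re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$")

SAMPLE_LOG = [  # constructed, one JSON object per line
    '{"event":"createUser","status":"success","actor":"admin",'
    '"user":{"username":"bob","password":"Hunter2!"}}',
    '{"event":"updateUser","status":"success","user":{"username":"bob",'
    '"password_hash":"$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"}}',
    '{"event":"login","status":"fail","user":{"username":"bob"}}',
]


def leaks(obj, path: str = "") -> list:
    """JSON paths (a.b[0].c) whose key or value exposes a credential."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            by_key = SENSITIVE_KEY.search(key) and val not in (None, "", REDACTED)
            by_value = isinstance(val, str) and BCRYPT_HASH.match(val)
            if by_key or by_value:
                hits.append(here)
            else:
                hits.extend(leaks(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(leaks(val, f"{path}[{i}]"))
    return hits


def redact(obj):
    """Copy of obj with sensitive keys and bcrypt-looking strings replaced."""
    if isinstance(obj, dict):
        return {k: REDACTED if SENSITIVE_KEY.search(k) or (isinstance(v, str) and BCRYPT_HASH.match(v))
                else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_line(line: str) -> str:
    return json.dumps(redact(json.loads(line)), separators=(",", ":"))


def scan_audit_log(lines: Iterable[str]) -> list:
    """(line number, event name, leaking paths) for every record that exposes something."""
    out = []
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        paths = leaks(rec)
        if paths:
            out.append((n, rec.get("event"), paths))
    return out


if __name__ == "__main__":
    for n, event, paths in scan_audit_log(SAMPLE_LOG):
        print(f"line {n} ({event}): {', '.join(paths)}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Redacting the copy is not the end of the job: the original files, any shipped copies in a SIEM, and backups still hold the cleartext password, so treat every password that appears as compromised and force a reset for those accounts.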
| CVE-2014-10026 | 1 Dlink | 2 Dap-1360, Dap-1360 Firmware | 2023-04-26 | 5.0 MEDIUM | N/A |
| index.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin. | |||||
| CVE-2015-0152 | 1 Dlink | 2 Dir-815, Dir-815 Firmware | 2023-04-26 | 5.0 MEDIUM | 9.8 CRITICAL |
| D-Link DIR-815 devices with firmware before 2.07.B01 allow remote attackers to obtain sensitive information by leveraging cleartext storage of the administrative password. | |||||
| CVE-2018-10106 | 1 Dlink | 2 Dir-815, Dir-815 Firmware | 2023-04-26 | 7.5 HIGH | 9.8 CRITICAL |
| D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PATCH_2.07.B01) devices have permission bypass and information disclosure in /htdocs/web/getcfg.php, as demonstrated by a /getcfg.php?a=%0a_POST_SERVICES%3DDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3D1 request. | |||||
| CVE-2018-18441 | 2 D-link, Dlink | 36 Dcs-2102 Firmware, Dcs-2121 Firmware, Dcs-2630l Firmware and 33 more | 2023-04-26 | 5.0 MEDIUM | 7.5 HIGH |
| D-Link DCS series Wi-Fi cameras expose sensitive information about the device configuration. The affected devices include many DCS series models, such as: DCS-936L, DCS-942L, DCS-8000LH, DCS-942LB1, DCS-5222L, DCS-825L, DCS-2630L, DCS-820L, DCS-855L, DCS-2121, DCS-5222LB1, DCS-5020L, and many more. Firmware versions from 1.00 onward are affected. The configuration file can be retrieved remotely, with no authentication, from <Camera-IP>/common/info.cgi. It includes the following fields: model, product, brand, version, build, hw_version, nipca version, device name, location, MAC address, IP address, gateway IP address, wireless status, input/output settings, speaker, and sensor settings. | |||||
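The three D-Link web-interface bypasses above (CVE-2014-10026's `client_login=admin` cookie, CVE-2018-10106's newline injection into the `a` parameter of getcfg.php, and CVE-2018-18441's unauthenticated /common/info.cgi fetch) all leave a recognisable signature in the request. Here is an added example, not vendor code, that parses raw HTTP requests and flags each pattern, including the double-percent-encoded form of the newline. The detection rules are mine, written from the request shapes described in the entries; the sample requests are constructed, and in practice you would feed it captures or a reverse-proxy log that records the Cookie header.

```python
"""Flag HTTP requests matching the D-Link patterns above (added example, not vendor code).

Rules (my own, derived from the advisory text):
  CVE-2014-10026  index.cgi requested with cookie client_login=admin
  CVE-2018-10106  getcfg.php with a CR/LF inside the `a` parameter (after full decoding)
  CVE-2018-18441  /common/info.cgi fetched with no Authorization header and no cookie
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLES = {  # constructed raw requests
    "getcfg": "GET /getcfg.php?a=%0a_POST_SERVICES%3DDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3D1 HTTP/1.1\r\n"
              "Host: 192.0.2.1\r\n\r\n",
    "getcfg_double": "GET /getcfg.php?a=%250a_POST_SERVICES%253DDEVICE.ACCOUNT%250aAUTHORIZED_GROUP%253D1 HTTP/1.1\r\n"
                     "Host: 192.0.2.1\r\n\r\n",
    "cookie": "GET /index.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: client_login=admin\r\n\r\n",
    "infocgi": "GET /common/info.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    "benign": "GET /index.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: client_login=guest\r\n\r\n",
}


def parse_request(raw: str):
    """Split a raw request into (method, target, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%250a -> %0a -> newline), bounded to avoid loops."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def findings(raw: str) -> list:
    """CVE identifiers whose pattern the request matches (empty list if none)."""
    _method, target, headers = parse_request(raw)
    url = urlsplit(target)
    path = fully_decode(url.path).lower()
    query = parse_qs(url.query, keep_blank_values=True)   # one decoding round
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    out = []
    if path.endswith("index.cgi") and "client_login" in cookies \
            and cookies["client_login"].value == "admin":
        out.append("CVE-2014-10026")
    if path.endswith("getcfg.php") and any("\n" in fully_decode(v) or "\r" in fully_decode(v)
                                           for v in query.get("a", [])):
        out.append("CVE-2018-10106")
    if path.endswith("/common/info.cgi") and "authorization" not in headers and "cookie" not in headers:
        out.append("CVE-2018-18441")
    return out


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {findings(raw) or 'clean'}")
```

The info.cgi rule fires on every unauthenticated fetch, which is exactly the traffic the camera answers on affected firmware; on a patched device the same rule is still a useful reconnaissance indicator. Note that none of these devices log cookies themselves, so the cookie rule only works on traffic captured in front of the device.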
| CVE-2013-7005 | 1 Dlink | 16 Dsr-1000, Dsr-1000 Firmware, Dsr-1000n and 13 more | 2023-04-26 | 4.9 MEDIUM | N/A |
| D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 stores account passwords in cleartext, which allows local users to obtain sensitive information by reading the Users[#]["Password"] fields in /tmp/teamf1.cfg.ascii. | |||||
| CVE-2021-21816 | 1 Dlink | 2 Dir-3040, Dir-3040 Firmware | 2023-04-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2012-4046 | 1 Dlink | 2 Dcs-932l, Dcs-932l Firmware | 2023-04-26 | 3.3 LOW | N/A |
| The D-Link DCS-932L camera with firmware 1.02 allows remote attackers to discover the password via a UDP broadcast packet, as demonstrated by running the D-Link Setup Wizard and reading the _paramR["P"] value. | |||||
| CVE-2013-4856 | 1 Dlink | 2 Dir-865l, Dir-865l Firmware | 2023-04-26 | 2.9 LOW | 6.5 MEDIUM |
| D-Link DIR-865L devices have an information disclosure vulnerability. | |||||
