Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-0155

Summary
Assigner-@huntrdev
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-10 Jan, 2022 | 19:30
Updated At-02 Aug, 2024 | 23:18
Rejected At-
Credits

Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntrdev
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:10 Jan, 2022 | 19:30
Updated At:02 Aug, 2024 | 23:18
Rejected At:
▼CVE Numbering Authority (CNA)
Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Affected Products
Vendor
follow-redirects
Product
follow-redirects/follow-redirects
Versions
Affected
  • From unspecified before 1.14.7 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-359CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-359
Description: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.08.0HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
x_refsource_CONFIRM
https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22
x_refsource_MISC
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
x_refsource_CONFIRM
Hyperlink: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22
Resource:
x_refsource_MISC
Hyperlink: https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
x_refsource_CONFIRM
x_transferred
https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22
x_refsource_MISC
x_transferred
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
x_refsource_CONFIRM
x_transferred
Hyperlink: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:10 Jan, 2022 | 20:15
Updated At:28 Oct, 2022 | 17:54

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Secondary3.08.0HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.0
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CPE Matches
follow-redirects_project
follow-redirects_project
>>follow-redirects>>Versions before 1.14.7(exclusive)
cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*
Siemens AG
siemens
>>sinec_ins>>Versions before 1.0(exclusive)
cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
Siemens AG
siemens
>>sinec_ins>>1.0
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
Siemens AG
siemens
>>sinec_ins>>1.0
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-359Primarysecurity@huntr.dev
CWE ID: CWE-359
Type: Primary
Source: security@huntr.dev
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdfsecurity@huntr.dev
Patch
Third Party Advisory
https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22security@huntr.dev
Patch
Third Party Advisory
https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406security@huntr.dev
Exploit
Patch
Third Party Advisory
Hyperlink: https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
Source: security@huntr.dev
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22
Source: security@huntr.dev
Resource:
Patch
Third Party Advisory
Hyperlink: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
Source: security@huntr.dev
Resource:
Exploit
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

73Records found
CVE-2021-34321
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.18% / 39.62%
||
7 Day CHG~0.00%
Published-13 Jul, 2021 | 11:03
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The VisDraw.dll library in affected applications lacks proper validation of user-supplied data when parsing J2K files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13414)

Action-Not Available
Vendor-Siemens AG
Product-jt2goteamcenter_visualizationJT2GoTeamcenter Visualization
CWE ID-CWE-126
Buffer Over-read
CWE ID-CWE-125
Out-of-bounds Read
CVE-2015-5537
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 54.73%
||
7 Day CHG~0.00%
Published-03 Aug, 2015 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

Action-Not Available
Vendor-n/aSiemens AG
Product-ruggedcom_rox_ii_firmwareruggedcom_rugged_operating_systemn/a
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2015-1595
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.88%
||
7 Day CHG~0.00%
Published-07 Mar, 2015 | 02:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Siemens SPCanywhere application for Android and iOS does not use encryption during lookups of system ID to IP address mappings, which allows man-in-the-middle attackers to discover alarm IP addresses and spoof servers by intercepting the client-server data stream.

Action-Not Available
Vendor-n/aSiemens AG
Product-spcanywheren/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-27221
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.9||MEDIUM
EPSS-0.37% / 57.95%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 09:21
Updated-21 Apr, 2025 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack.

Action-Not Available
Vendor-Siemens AG
Product-sinema_remote_connect_serverSINEMA Remote Connect Server
CWE ID-CWE-203
Observable Discrepancy
CVE-2021-34322
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.20% / 42.69%
||
7 Day CHG~0.00%
Published-13 Jul, 2021 | 11:03
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The JPEG2K_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing J2K files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13416)

Action-Not Available
Vendor-Siemens AG
Product-jt2goteamcenter_visualizationJT2GoTeamcenter Visualization
CWE ID-CWE-126
Buffer Over-read
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-20
Improper Input Validation
CVE-2020-26981
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 60.06%
||
7 Day CHG~0.00%
Published-12 Jan, 2021 | 20:18
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in JT2Go (All versions < V13.1.0), Teamcenter Visualization (All versions < V13.1.0). When opening a specially crafted xml file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external dtd. (ZDI-CAN-11890)

Action-Not Available
Vendor-Siemens AG
Product-jt2goteamcenter_visualizationJT2GoTeamcenter Visualization
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2012-3034
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.75%
||
7 Day CHG~0.00%
Published-18 Sep, 2012 | 14:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebNavigator in Siemens WinCC 7.0 SP3 and earlier, as used in SIMATIC PCS7 and other products, allows remote attackers to discover a username and password via crafted parameters to unspecified methods in ActiveX controls.

Action-Not Available
Vendor-n/aSiemens AG
Product-winccsimatic_pcs7n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-15785
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 57.04%
||
7 Day CHG~0.00%
Published-09 Sep, 2020 | 18:11
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Siveillance Video Client (All versions). In environments where Windows NTLM authentication is enabled the affected client application transmits usernames to the server in cleartext. This could allow an attacker in a privileged network position to obtain valid adminstrator login names and use this information to launch further attacks.

Action-Not Available
Vendor-Siemens AG
Product-siveillance_video_clientSiveillance Video Client
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2020-28168
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.27% / 49.72%
||
7 Day CHG~0.00%
Published-06 Nov, 2020 | 19:22
Updated-04 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Action-Not Available
Vendor-axiosn/aSiemens AG
Product-sinec_insaxiosn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-0536
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-2.6||LOW
EPSS-0.06% / 19.79%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 10:45
Updated-02 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Action-Not Available
Vendor-follow-redirects_projectfollow-redirects
Product-follow-redirectsfollow-redirects/follow-redirects
CWE ID-CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
CVE-2021-44008
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.23% / 45.31%
||
7 Day CHG~0.00%
Published-14 Dec, 2021 | 12:06
Updated-04 Aug, 2024 | 04:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Tiff_Loader.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing TIFF files. An attacker could leverage this vulnerability to leak information in the context of the current process.

Action-Not Available
Vendor-Siemens AG
Product-jt2goteamcenter_visualizationJT2GoTeamcenter Visualization
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-41533
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-3.3||LOW
EPSS-0.21% / 43.48%
||
7 Day CHG~0.00%
Published-28 Sep, 2021 | 11:12
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in NX 1980 Series (All versions < V1984), Solid Edge SE2021 (All versions < SE2021MP8). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing JT files. An attacker could leverage this vulnerability to leak information in the context of the current process (ZDI-CAN-13565).

Action-Not Available
Vendor-Siemens AG
Product-nx_1988_firmwarenx_1984nx_1984_firmwarenx_1988solid_edgeNX 1980 SeriesSolid Edge SE2021
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-41534
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-3.3||LOW
EPSS-0.21% / 43.48%
||
7 Day CHG~0.00%
Published-28 Sep, 2021 | 11:12
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in NX 1980 Series (All versions < V1984), Solid Edge SE2021 (All versions < SE2021MP8). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing JT files. An attacker could leverage this vulnerability to leak information in the context of the current process (ZDI-CAN-13703).

Action-Not Available
Vendor-Siemens AG
Product-nx_1988_firmwarenx_1984nx_1984_firmwarenx_1988solid_edgeNX 1980 SeriesSolid Edge SE2021
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-27004
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.20% / 41.96%
||
7 Day CHG~0.00%
Published-09 Feb, 2021 | 15:38
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1). Affected applications lack proper validation of user-supplied data when parsing of CGM files. This could result in a memory access past the end of an allocated buffer. An attacker could leverage this vulnerability to access data in the context of the current process. (ZDI-CAN-12163)

Action-Not Available
Vendor-Siemens AG
Product-jt2goteamcenter_visualizationJT2GoTeamcenter Visualization
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-27492
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.5||MEDIUM
EPSS-0.70% / 71.06%
||
7 Day CHG~0.00%
Published-27 May, 2021 | 15:41
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When opening a specially crafted 3DXML file, the application containing Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the underlying XML parser without taking proper restrictions such as prohibiting an external DTD.

Action-Not Available
Vendor-luxiondatakitn/aSiemens AG
Product-solid_edge_se2021solid_edge_se2020_firmwarekeyshotsolid_edge_se2021_firmwaresolid_edge_se2020crosscadwareDatakit Software libraries embedded in Luxion KeyShot software
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2021-25158
Matching Score-8
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-8
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.9||MEDIUM
EPSS-7.17% / 91.20%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 01:32
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

Action-Not Available
Vendor-n/aSiemens AGAruba Networks
Product-scalance_w1750d_firmwareinstantscalance_w1750dAruba Instant Access Points
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2021-22897
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.76% / 72.36%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 15:49
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Action-Not Available
Vendor-n/aNetApp, Inc.Oracle CorporationSplunk LLC (Cisco Systems, Inc.)CURLSiemens AG
Product-communications_cloud_native_core_service_communication_proxyh300ecommunications_cloud_native_core_network_slice_selection_functioncommunications_cloud_native_core_network_function_cloud_native_environmentcloud_backupsolidfire_\&_hci_management_nodeh500sh300s_firmwarecommunications_cloud_native_core_network_repository_functionh410ssolidfire_baseboard_management_controller_firmwarecurlhci_compute_nodeh300suniversal_forwarderh300e_firmwaresinec_infrastructure_network_servicesessbaseh500eh410s_firmwareh700s_firmwareh500s_firmwareh500e_firmwarecommunications_cloud_native_core_binding_support_functionh700esolidfire\,_enterprise_sds_\&_hci_storage_nodehci_compute_node_firmwareh700e_firmwareh700smysql_serverhttps://github.com/curl/curl
CWE ID-CWE-840
Not Available
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2021-22924
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-3.7||LOW
EPSS-0.63% / 69.37%
||
7 Day CHG~0.00%
Published-05 Aug, 2021 | 20:16
Updated-09 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

Action-Not Available
Vendor-n/aOracle CorporationNetApp, Inc.Fedora ProjectSplunk LLC (Cisco Systems, Inc.)CURLSiemens AGDebian GNU/Linux
Product-scalance_m804pbsimatic_cp_1545-1_firmwarescalance_m826-2simatic_rtu_3041cscalance_m804pb_firmwarescalance_mum856-1_firmwarescalance_m812-1fedoralibcurlsolidfire_\&_hci_management_nodescalance_m874-2simatic_cp_1543-1_firmwaresiplus_net_cp_1543-1_firmwaredebian_linuxcloud_backupsinec_infrastructure_network_servicessimatic_rtu_3041c_firmwarescalance_m876-3simatic_rtu3031c_firmwaresimatic_rtu3031cruggedcomrm_1224_ltescalance_m876-4_firmwarescalance_m876-4scalance_s615simatic_rtu3030cscalance_mum856-1simatic_rtu3010clogo\!_cmr2020logo\!_cmr2040scalance_m826-2_firmwareuniversal_forwarderruggedcomrm_1224_lte_firmwarelogo\!_cmr2020_firmwarescalance_m816-1scalance_m816-1_firmwaremysql_serversinema_remote_connect_serverclustered_data_ontaplogo\!_cmr2040_firmwarescalance_m874-3_firmwaresimatic_cp_1545-1solidfire_baseboard_management_controller_firmwarescalance_s615_firmwarepeoplesoft_enterprise_peopletoolssinema_remote_connectsimatic_cp_1543-1scalance_m874-2_firmwarescalance_m874-3scalance_m812-1_firmwaresimatic_rtu3010c_firmwarescalance_m876-3_firmwaresiplus_net_cp_1543-1simatic_rtu3030c_firmwarehttps://github.com/curl/curl
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-706
Use of Incorrectly-Resolved Name or Reference
CVE-2024-37991
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-6||MEDIUM
EPSS-0.21% / 43.40%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 09:36
Updated-18 Sep, 2024 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The service log files of the affected application can be accessed without proper authentication. This could allow an unauthenticated attacker to get access to sensitive information.

Action-Not Available
Vendor-Siemens AG
Product-simatic_reader_rf650r_fcc_firmwaresimatic_reader_rf680r_cmiitsimatic_rf1170r_firmwaresimatic_reader_rf650r_cmiit_firmwaresimatic_reader_rf685r_fccsimatic_reader_rf650r_aribsimatic_reader_rf615r_etsi_firmwaresimatic_rf360rsimatic_reader_rf680r_fccsimatic_reader_rf610r_fccsimatic_reader_rf610r_etsi_firmwaresimatic_reader_rf685r_arib_firmwaresimatic_reader_rf615r_cmiitsimatic_rf186c_firmwaresimatic_reader_rf685r_fcc_firmwaresimatic_rf188c_firmwaresimatic_reader_rf680r_cmiit_firmwaresimatic_reader_rf685r_etsisimatic_rf185csimatic_rf360r_firmwaresimatic_rf1140r_firmwaresimatic_rf186cisimatic_rf1140rsimatic_rf188csimatic_reader_rf610r_cmiit_firmwaresimatic_reader_rf610r_fcc_firmwaresimatic_rf185c_firmwaresimatic_reader_rf615r_fccsimatic_reader_rf680r_etsisimatic_reader_rf615r_fcc_firmwaresimatic_reader_rf680r_fcc_firmwaresimatic_reader_rf610r_etsisimatic_reader_rf685r_cmiit_firmwaresimatic_reader_rf680r_arib_firmwaresimatic_rf186ci_firmwaresimatic_rf166c_firmwaresimatic_rf188ci_firmwaresimatic_reader_rf650r_fccsimatic_reader_rf650r_cmiitsimatic_reader_rf685r_cmiitsimatic_rf166csimatic_reader_rf680r_aribsimatic_rf1170rsimatic_reader_rf650r_etsisimatic_reader_rf610r_cmiitsimatic_reader_rf650r_arib_firmwaresimatic_reader_rf680r_etsi_firmwaresimatic_reader_rf615r_etsisimatic_reader_rf650r_etsi_firmwaresimatic_rf186csimatic_reader_rf685r_aribsimatic_reader_rf615r_cmiit_firmwaresimatic_reader_rf685r_etsi_firmwaresimatic_rf188ciSIMATIC Reader RF650R ARIBSIMATIC Reader RF650R ETSISIMATIC Reader RF680R CMIITSIMATIC Reader RF615R ETSISIMATIC RF166CSIMATIC Reader RF685R CMIITSIMATIC RF185CSIMATIC Reader RF610R CMIITSIMATIC Reader RF685R ETSISIMATIC Reader RF615R CMIITSIMATIC RF188CISIMATIC Reader RF610R ETSISIMATIC Reader RF685R FCCSIMATIC Reader RF615R FCCSIMATIC RF186CSIMATIC RF360RSIMATIC Reader RF680R ARIBSIMATIC RF1140RSIMATIC Reader RF685R ARIBSIMATIC RF1170RSIMATIC Reader RF680R ETSISIMATIC RF188CSIMATIC Reader RF610R FCCSIMATIC Reader RF650R CMIITSIMATIC RF186CISIMATIC Reader RF680R FCCSIMATIC Reader RF650R FCC
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2024-30321
Matching Score-6
Assigner-Siemens
ShareView Details
Matching Score-6
Assigner-Siemens
CVSS Score-8.2||HIGH
EPSS-0.19% / 41.31%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 12:04
Updated-27 Aug, 2025 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC PCS 7 V9.1 (All versions < V9.1 SP2 UC05), SIMATIC WinCC Runtime Professional V18 (All versions < V18 Update 5), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 23), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 17), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products do not properly handle certain requests to their web application, which may lead to the leak of privileged information. This could allow an unauthenticated remote attacker to retrieve information such as users and passwords.

Action-Not Available
Vendor-Siemens AG
Product-SIMATIC WinCC Runtime Professional V19SIMATIC PCS 7 V9.1SIMATIC WinCC V8.0SIMATIC WinCC Runtime Professional V18SIMATIC WinCC V7.4SIMATIC WinCC V7.5simatic_winccsimatic_pcs_7simatic_wincc_runtime_professional
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2021-22876
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 16.02%
||
7 Day CHG~0.00%
Published-01 Apr, 2021 | 17:45
Updated-09 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Action-Not Available
Vendor-n/aNetApp, Inc.Fedora ProjectDebian GNU/LinuxOracle CorporationSplunk LLC (Cisco Systems, Inc.)Broadcom Inc.CURLSiemens AG
Product-hci_compute_nodedebian_linuxsinec_infrastructure_network_servicesfabric_operating_systemsolidfireessbasehci_management_nodeuniversal_forwardercommunications_billing_and_revenue_managementfedorahci_storage_nodelibcurlhttps://github.com/curl/curl
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2024-29987
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.16% / 36.96%
||
7 Day CHG~0.00%
Published-18 Apr, 2024 | 18:59
Updated-03 May, 2025 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-edge_chromiumMicrosoft Edge (Chromium-based)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2022-24820
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 30.50%
||
7 Day CHG~0.00%
Published-08 Apr, 2022 | 19:25
Updated-22 Apr, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated user can list hidden document from multiple velocity templates

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CWE ID-CWE-306
Missing Authentication for Critical Function
  • Previous
  • 1
  • 2
  • Next
Details not found