Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-34477

Summary
Assigner-mozilla
Assigner Org ID-f16b083a-5664-49f3-a51e-8d479e5ed7fe
Published At-22 Dec, 2022 | 00:00
Updated At-15 Apr, 2025 | 18:16
Rejected At-
Credits

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 102.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mozilla
Assigner Org ID:f16b083a-5664-49f3-a51e-8d479e5ed7fe
Published At:22 Dec, 2022 | 00:00
Updated At:15 Apr, 2025 | 18:16
Rejected At:
▼CVE Numbering Authority (CNA)

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 102.

Affected Products
Vendor
Mozilla CorporationMozilla
Product
Firefox
Versions
Affected
  • From unspecified before 102 (custom)
Problem Types
TypeCWE IDDescription
textN/AMediaError message property leaked information on cross-origin same-site pages
Type: text
CWE ID: N/A
Description: MediaError message property leaked information on cross-origin same-site pages
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.mozilla.org/security/advisories/mfsa2022-24/
N/A
https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
N/A
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2022-24/
Resource: N/A
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.mozilla.org/security/advisories/mfsa2022-24/
x_transferred
https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
x_transferred
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2022-24/
Resource:
x_transferred
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-203CWE-203 Observable Discrepancy
Type: CWE
CWE ID: CWE-203
Description: CWE-203 Observable Discrepancy
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
exploit
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@mozilla.org
Published At:22 Dec, 2022 | 20:15
Updated At:15 Apr, 2025 | 19:16

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 102.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
Mozilla Corporation
mozilla
>>firefox>>Versions before 102.0(exclusive)
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-203Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-203
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://bugzilla.mozilla.org/show_bug.cgi?id=1731614security@mozilla.org
Issue Tracking
Permissions Required
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-24/security@mozilla.org
Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1731614af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Permissions Required
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-24/af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1731614134c704f-9b21-4f2e-91b3-4a467353bcc0
Issue Tracking
Permissions Required
Vendor Advisory
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
Source: security@mozilla.org
Resource:
Issue Tracking
Permissions Required
Vendor Advisory
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2022-24/
Source: security@mozilla.org
Resource:
Vendor Advisory
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Permissions Required
Vendor Advisory
Hyperlink: https://www.mozilla.org/security/advisories/mfsa2022-24/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1731614
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Issue Tracking
Permissions Required
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

107Records found
CVE-2024-10463
Matching Score-10
Assigner-Mozilla Corporation
ShareView Details
Matching Score-10
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.11%
||
7 Day CHG+0.03%
Published-29 Oct, 2024 | 12:19
Updated-04 Nov, 2024 | 13:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxFirefox ESRThunderbirdfirefoxthunderbirdfirefox_esr
CWE ID-CWE-203
Observable Discrepancy
CVE-2025-5270
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.02% / 3.17%
||
7 Day CHG~0.00%
Published-27 May, 2025 | 12:29
Updated-11 Jun, 2025 | 12:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefoxThunderbird
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2024-11702
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.16% / 37.73%
||
7 Day CHG+0.02%
Published-26 Nov, 2024 | 13:33
Updated-05 Apr, 2025 | 00:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. This vulnerability affects Firefox < 133 and Thunderbird < 133.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxFirefoxThunderbirdfirefoxthunderbird
CWE ID-CWE-838
Inappropriate Encoding for Output Context
CVE-2025-4918
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.83%
||
7 Day CHG~0.00%
Published-17 May, 2025 | 21:07
Updated-28 May, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdThunderbirdFirefoxFirefox ESR
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-10458
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.08%
||
7 Day CHG+0.03%
Published-29 Oct, 2024 | 12:19
Updated-31 Oct, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxFirefox ESRThunderbird
CWE ID-CWE-281
Improper Preservation of Permissions
CVE-2025-3875
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.05% / 13.58%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 16:56
Updated-05 Jun, 2025 | 14:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdThunderbird
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2021-29950
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.13% / 33.38%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 13:18
Updated-03 Aug, 2024 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdThunderbird
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2014-1505
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.54% / 66.69%
||
7 Day CHG~0.00%
Published-19 Mar, 2014 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SVG filter implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to obtain sensitive displacement-correlation information, and possibly bypass the Same Origin Policy and read text from a different domain, via a timing attack involving feDisplacementMap elements, a related issue to CVE-2013-1693.

Action-Not Available
Vendor-n/aMozilla CorporationopenSUSESUSERed Hat, Inc.Debian GNU/LinuxNovellCanonical Ltd.
Product-enterprise_linux_serverenterprise_linux_eusfirefoxenterprise_linux_server_eusthunderbirdsuse_linux_enterprise_desktopdebian_linuxenterprise_linux_server_ausseamonkeyfirefox_esrubuntu_linuxenterprise_linux_desktopopensusesuse_linux_enterprise_serverenterprise_linux_server_tusenterprise_linux_workstationsuse_linux_enterprise_software_development_kitn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-1487
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.50% / 64.94%
||
7 Day CHG~0.00%
Published-06 Feb, 2014 | 02:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to bypass the Same Origin Policy and obtain sensitive authentication information via vectors involving error messages.

Action-Not Available
Vendor-n/aMozilla CorporationopenSUSESUSERed Hat, Inc.Fedora ProjectDebian GNU/LinuxCanonical Ltd.
Product-enterprise_linux_serverenterprise_linux_eusfirefoxenterprise_linux_server_eusthunderbirdsuse_linux_enterprise_desktopdebian_linuxenterprise_linux_server_ausfedoraseamonkeyfirefox_esropensuseubuntu_linuxenterprise_linux_desktopsuse_linux_enterprise_serverenterprise_linux_server_tusenterprise_linux_workstationsuse_linux_enterprise_software_development_kitn/a
CWE ID-CWE-346
Origin Validation Error
CVE-2024-9393
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.14% / 34.69%
||
7 Day CHG~0.00%
Published-01 Oct, 2024 | 15:13
Updated-14 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxfirefox_esrFirefoxThunderbirdFirefox ESR
CWE ID-CWE-346
Origin Validation Error
CVE-2024-9394
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 41.32%
||
7 Day CHG~0.00%
Published-01 Oct, 2024 | 15:13
Updated-14 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.

Action-Not Available
Vendor-Mozilla Corporation
Product-thunderbirdfirefoxfirefox_esrFirefoxThunderbirdFirefox ESR
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-7526
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.24% / 47.28%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 12:38
Updated-17 Sep, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ANGLE failed to initialize parameters which lead to reading from uninitialized memory. This could be leveraged to leak sensitive data from memory. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbirdfirefoxthunderbirdfirefox_esr
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2024-5694
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.42% / 60.82%
||
7 Day CHG+0.01%
Published-11 Jun, 2024 | 12:40
Updated-14 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. This vulnerability affects Firefox < 127.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-416
Use After Free
CVE-2020-6809
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.35% / 56.76%
||
7 Day CHG~0.00%
Published-25 Mar, 2020 | 21:13
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When a Web Extension had the all-urls permission and made a fetch request with a mode set to 'same-origin', it was possible for the Web Extension to read local files. This vulnerability affects Firefox < 74.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CVE-2020-6830
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.32% / 54.65%
||
7 Day CHG~0.00%
Published-26 May, 2020 | 17:06
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability affects Firefox for iOS < 25.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox for iOS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-47131
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.35%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 00:00
Updated-19 Aug, 2024 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file.

Action-Not Available
Vendor-n-ablen/an-ableMozilla CorporationGoogle LLCMicrosoft Corporation
Product-chromefirefoxpassportaledgen/apassportal
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2020-12398
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.24% / 47.65%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 14:45
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-ubuntu_linuxthunderbirdThunderbird
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2016-9079
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-84.96% / 99.30%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 21:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-07-13||Apply updates per vendor instructions.

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.

Action-Not Available
Vendor-torprojectMozilla CorporationMicrosoft CorporationRed Hat, Inc.Debian GNU/Linux
Product-enterprise_linux_desktopenterprise_linux_servertorenterprise_linuxthunderbirddebian_linuxenterprise_linux_server_ausfirefoxenterprise_linux_server_eusenterprise_linux_workstationwindowsFirefoxThunderbirdFirefox ESRFirefox, Firefox ESR, and Thunderbird
CWE ID-CWE-416
Use After Free
CVE-2019-11723
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.52%
||
7 Day CHG+0.08%
Published-23 Jul, 2019 | 13:17
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different "containers" for people who use the Firefox Multi-Account Containers Web Extension. This vulnerability affects Firefox < 68.

Action-Not Available
Vendor-openSUSEMozilla Corporation
Product-firefoxleapFirefox
CWE ID-CWE-346
Origin Validation Error
CVE-2020-6821
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-0.54% / 66.62%
||
7 Day CHG~0.00%
Published-24 Apr, 2020 | 15:55
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When reading from areas partially or fully outside the source resource with WebGL's <code>copyTexSubImage</code> method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrThunderbirdFirefox ESRFirefox
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2022-45403
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.16% / 37.43%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefox_esrthunderbirdfirefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-6135
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.49%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 13:38
Updated-13 Feb, 2025 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-5388
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.18% / 39.72%
||
7 Day CHG~0.00%
Published-19 Mar, 2024 | 12:02
Updated-09 Jun, 2025 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Action-Not Available
Vendor-Debian GNU/LinuxMozilla Corporation
Product-debian_linuxthunderbirdfirefoxFirefox ESRFirefoxThunderbird
CWE ID-CWE-203
Observable Discrepancy
CVE-2022-45416
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 32.07%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefox_esrthunderbirdfirefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-5722
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 44.01%
||
7 Day CHG-0.01%
Published-24 Oct, 2023 | 12:47
Updated-13 Feb, 2025 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header. This vulnerability affects Firefox < 119.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-12402
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.03% / 5.25%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 14:53
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.

Action-Not Available
Vendor-Debian GNU/LinuxopenSUSEFedora ProjectMozilla Corporation
Product-firefoxdebian_linuxfedoraleapFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-4421
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 45.27%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 17:02
Updated-02 Aug, 2024 | 07:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The NSS code used for checking PKCS#1 v1.5 was leaking information useful in mounting Bleichenbacher-like attacks. Both the overall correctness of the padding as well as the length of the encrypted message was leaking through timing side-channel. By sending large number of attacker-selected ciphertexts, the attacker would be able to decrypt a previously intercepted PKCS#1 v1.5 ciphertext (for example, to decrypt a TLS session that used RSA key exchange), or forge a signature using the victim's key. The issue was fixed by implementing the implicit rejection algorithm, in which the NSS returns a deterministic random message in case invalid padding is detected, as proposed in the Marvin Attack paper. This vulnerability affects NSS < 3.61.

Action-Not Available
Vendor-Mozilla Corporation
Product-nssNSS
CWE ID-CWE-203
Observable Discrepancy
CVE-2013-1620
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.59% / 68.28%
||
7 Day CHG~0.00%
Published-08 Feb, 2013 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Action-Not Available
Vendor-n/aMozilla CorporationRed Hat, Inc.Oracle CorporationCanonical Ltd.
Product-iplanet_web_proxy_serveropenssoenterprise_linux_serverenterprise_linux_server_ausiplanet_web_servertraffic_directorenterprise_linux_eusenterprise_manager_ops_centerubuntu_linuxenterprise_linux_desktopglassfish_communications_servervm_serverenterprise_linux_workstationnetwork_security_servicesglassfish_servern/a
CWE ID-CWE-203
Observable Discrepancy
CVE-2024-9398
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.04% / 76.54%
||
7 Day CHG~0.00%
Published-01 Oct, 2024 | 15:13
Updated-18 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrThunderbirdFirefox ESRFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2024-5690
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-4.02% / 88.01%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 12:40
Updated-26 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

Action-Not Available
Vendor-Debian GNU/LinuxMozilla Corporation
Product-firefoxdebian_linuxfirefox_esrthunderbirdThunderbirdFirefoxFirefox ESR
CWE ID-CWE-203
Observable Discrepancy
CVE-2022-31742
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.18% / 39.65%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefox_esrthunderbirdfirefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-25741
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.62%
||
7 Day CHG~0.00%
Published-02 Jun, 2023 | 00:00
Updated-09 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review. This vulnerability affects Firefox < 110.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-25728
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.78%
||
7 Day CHG~0.00%
Published-02 Jun, 2023 | 00:00
Updated-10 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefox_esrthunderbirdfirefoxThunderbirdFirefoxFirefox ESR
CWE ID-CWE-203
Observable Discrepancy
CVE-2022-26382
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.70%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-16 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-12399
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.10% / 28.54%
||
7 Day CHG~0.00%
Published-09 Jul, 2020 | 14:52
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Action-Not Available
Vendor-Debian GNU/LinuxMozilla Corporation
Product-firefoxthunderbirddebian_linuxfirefox_esrThunderbirdFirefox ESRFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-12400
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.7||MEDIUM
EPSS-0.06% / 19.15%
||
7 Day CHG~0.00%
Published-08 Oct, 2020 | 00:00
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefoxFirefox for Android
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-12413
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.12% / 32.27%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 00:00
Updated-19 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxfirefox_esrFirefox ESRFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-12401
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-4.7||MEDIUM
EPSS-0.07% / 20.81%
||
7 Day CHG~0.00%
Published-08 Oct, 2020 | 00:00
Updated-04 Aug, 2024 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefoxFirefox for Android
CWE ID-CWE-203
Observable Discrepancy
CVE-2019-9815
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-8.1||HIGH
EPSS-1.02% / 76.29%
||
7 Day CHG~0.00%
Published-23 Jul, 2019 | 13:24
Updated-04 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.*. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.

Action-Not Available
Vendor-Mozilla CorporationApple Inc.
Product-firefoxthunderbirdmacosfirefox_esrThunderbirdFirefox ESRFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2019-11743
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-3.7||LOW
EPSS-0.99% / 75.91%
||
7 Day CHG~0.00%
Published-27 Sep, 2019 | 17:17
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side-channel attacks. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-203
Observable Discrepancy
CVE-2024-5697
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 45.11%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 12:40
Updated-13 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. This vulnerability affects Firefox < 127.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxFirefox
CWE ID-CWE-203
Observable Discrepancy
CVE-2023-1707
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-7.5||HIGH
EPSS-0.41% / 60.26%
||
7 Day CHG~0.00%
Published-13 Jun, 2023 | 17:06
Updated-03 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to information disclosure when IPsec is enabled with FutureSmart version 5.6.

Action-Not Available
Vendor-HP Inc.
Product-color_laserjet_managed_mfp_e78625_5qj90alaserjet_managed_flow_mfp_e73140_6bs58acolor_laserjet_managed_mfp_e786_3sj13alaserjet_managed_mfp_e73140_6bs57acolor_laserjet_enterprise_6700_49l00alaserjet_managed_e82670_3sj07acolor_laserjet_managed_flow_e87750_5qk20acolor_laserjet_managed_flow_mfp_e78625_5qj90alaserjet_managed_flow_mfp_e73130_5qk02acolor_laserjet_managed_flow_e87750_3sj37acolor_laserjet_managed_flow_mfp_e78630_3sj12acolor_laserjet_managed_mfp_e78630_5qj90alaserjet_enterprise_mfp_m430_3pz55acolor_laserjet_managed_mfp_e87760_3sj22acolor_laserjet_managed_flow_e87740_3sj19alaserjet_managed_mfp_e826dn_5qk13acolor_laserjet_managed_mfp_e87740_3sj38alaserjet_managed_mfp_e42540_3pz75acolor_laserjet_managed_mfp_e78625_3sj32alaserjet_managed_flow_mfp_e826z_3sj29alaserjet_managed_mfp_e73140_3sj00acolor_laserjet_managed_flow_e87770_5qk03alaserjet_managed_mfp_e73135_6bs58acolor_laserjet_managed_flow_e87760_3sj38acolor_laserjet_enterprise_flow_mfp_6800_6qn37acolor_laserjet_enterprise_6700_4y280alaserjet_managed_flow_mfp_e826z_5qk09alaserjet_managed_e40040_3pz35acolor_laserjet_managed_flow_e87760_3sj20acolor_laserjet_managed_flow_e87760_3sj19alaserjet_managed_e82650_3sj09acolor_laserjet_managed_mfp_e78625_3sj12acolor_laserjet_managed_mfp_e87750_3sj22acolor_laserjet_managed_mfp_e87740_3sj21acolor_laserjet_enterprise_5700_6qn28alaserjet_enterprise_mfp_m431_3pz56acolor_laserjet_managed_flow_mfp_e78630_5qk18alaserjet_managed_e82670_3sj28acolor_laserjet_managed_mfp_e87750_5qk03acolor_laserjet_enterprise_flow_mfp_6800_4y279acolor_laserjet_managed_mfp_e87750_3sj36acolor_laserjet_managed_flow_e87770_3sj38acolor_laserjet_managed_mfp_e87750_3sj21acolor_laserjet_managed_flow_e87750_5qk03acolor_laserjet_managed_flow_e87740_3sj36acolor_laserjet_managed_mfp_e87760_5qk20acolor_laserjet_managed_flow_e87760_3sj21alaserjet_managed_flow_mfp_e73135_5qj98acolor_laserjet_managed_mfp_e87770_5qk20alaserjet_managed_flow_mfp_e73130_3sj02alaserjet_managed_mfp_e826dn_3sj09acolor_laserjet_enterprise_mfp_6800_6qn35alaserjet_managed_e82660_3sj09alaserjet_managed_mfp_e73130_6bs57acolor_laserjet_managed_mfp_e78635_3sj32acolor_laserjet_enterprise_x55745_6qp97acolor_laserjet_managed_mfp_e78528_5qj81acolor_laserjet_enterprise_mfp_x57945_6qp98acolor_laserjet_enterprise_mfp_6800_6qn36alaserjet_managed_flow_mfp_e826z_3sj09acolor_laserjet_managed_mfp_e87770_3sj21acolor_laserjet_managed_flow_e87760_3sj35acolor_laserjet_managed_mfp_e87760_3sj37acolor_laserjet_enterprise_6701_4y280acolor_laserjet_managed_mfp_e786_3sj12acolor_laserjet_managed_mfp_e78625_5qj94acolor_laserjet_managed_flow_mfp_e78630_3sj34acolor_laserjet_managed_mfp_e87740_3sj37acolor_laserjet_enterprise_flow_mfp_5800_49k96avcolor_laserjet_managed_mfp_e87770_3sj19acolor_laserjet_managed_mfp_e78630_3sj33alaserjet_managed_mfp_e826dn_3sj29acolor_laserjet_managed_mfp_e786_5qj90acolor_laserjet_managed_mfp_e78635_5qj90acolor_laserjet_managed_flow_mfp_e786_5qj90acolor_laserjet_enterprise_flow_mfp_x57945_6qp99acolor_laserjet_managed_flow_e87760_3sj37acolor_laserjet_managed_mfp_e87740_5qk03acolor_laserjet_enterprise_mfp_5800_6qn29acolor_laserjet_managed_flow_e87740_3sj35acolor_laserjet_managed_mfp_e78625_5qk18acolor_laserjet_managed_flow_mfp_e786_3sj12alaserjet_managed_mfp_e73025_3sj03alaserjet_managed_mfp_e73030_3sj04acolor_laserjet_enterprise_mfp_x57945_49k97avcolor_laserjet_managed_mfp_e78625_3sj34acolor_laserjet_enterprise_6700_6qn33acolor_laserjet_managed_flow_e87770_3sj21acolor_laserjet_managed_flow_mfp_e786_3sj32acolor_laserjet_managed_mfp_e78625_3sj11alaserjet_managed_mfp_e73130_5qk02acolor_laserjet_managed_mfp_e87770_3sj36acolor_laserjet_managed_flow_e87750_3sj36acolor_laserjet_managed_mfp_e78635_3sj33acolor_laserjet_managed_mfp_e78635_5qk18alaserjet_managed_mfp_e73135_3sj01acolor_laserjet_managed_mfp_e87760_3sj20alaserjet_managed_e82670_5qk13acolor_laserjet_managed_flow_mfp_e786_5qk18acolor_laserjet_managed_flow_e87750_3sj20acolor_laserjet_managed_flow_mfp_e786_3sj11acolor_laserjet_managed_flow_e87740_3sj22acolor_laserjet_enterprise_mfp_6800_4y279acolor_laserjet_managed_flow_e87770_3sj35acolor_laserjet_enterprise_flow_mfp_5800_6qn29acolor_laserjet_managed_mfp_e78630_3sj11acolor_laserjet_managed_flow_mfp_e78625_3sj12acolor_laserjet_managed_flow_mfp_e78625_3sj32alaserjet_managed_e82660_3sj29acolor_laserjet_managed_mfp_e78625_3sj33alaserjet_managed_e82650_3sj08acolor_laserjet_managed_mfp_e87760_3sj21alaserjet_managed_e82670_3sj08alaserjet_managed_mfp_e73140_5qj98alaserjet_managed_e82660_5qk13alaserjet_managed_flow_mfp_e73135_3sj01acolor_laserjet_managed_flow_e87740_5qk20acolor_laserjet_managed_flow_mfp_e78635_3sj12alaserjet_managed_mfp_e73130_5qj98alaserjet_managed_mfp_e73135_3sj02alaserjet_managed_mfp_e73030_3sj03acolor_laserjet_managed_mfp_e87770_3sj38acolor_laserjet_managed_flow_e87740_3sj38acolor_laserjet_enterprise_flow_mfp_5800_6qn30acolor_laserjet_managed_mfp_e78523_5qj83alaserjet_managed_flow_mfp_e826z_3sj07alaserjet_managed_flow_mfp_e73140_6bs59alaserjet_managed_flow_mfp_e826z_3sj30alaserjet_managed_mfp_e826dn_3sj08acolor_laserjet_enterprise_flow_mfp_x57945_49k97avcolor_laserjet_managed_flow_mfp_e78630_3sj32acolor_laserjet_managed_mfp_e78528_5qk15alaserjet_managed_e82650_3sj28acolor_laserjet_managed_mfp_e87740_3sj22alaserjet_managed_mfp_e73135_5qj98acolor_laserjet_managed_flow_e87740_3sj37acolor_laserjet_managed_flow_mfp_e78635_3sj32acolor_laserjet_managed_flow_e87770_3sj22acolor_laserjet_enterprise_flow_mfp_6800_6qn35acolor_laserjet_managed_flow_mfp_e78635_3sj13acolor_laserjet_managed_mfp_e78625_3sj13acolor_laserjet_enterprise_mfp_6800_6qn38acolor_laserjet_enterprise_flow_mfp_5800_58r10acolor_laserjet_managed_flow_mfp_e78635_5qk18acolor_laserjet_managed_flow_e87750_3sj21alaserjet_managed_mfp_e73140_6bs59alaserjet_managed_mfp_e73135_5qk02acolor_laserjet_managed_mfp_e786_5qj94acolor_laserjet_managed_mfp_e87770_3sj37alaserjet_managed_e82670_3sj29acolor_laserjet_managed_mfp_e87740_3sj36alaserjet_managed_e82650_3sj30acolor_laserjet_managed_flow_mfp_e78635_5qj90acolor_laserjet_managed_mfp_e786_3sj33acolor_laserjet_managed_mfp_e78635_3sj13acolor_laserjet_managed_mfp_e78523_5qj81acolor_laserjet_enterprise_flow_mfp_x57945_6qp98acolor_laserjet_managed_mfp_e78630_5qk18alaserjet_enterprise_m407_3pz16acolor_laserjet_managed_mfp_e87740_3sj35acolor_laserjet_enterprise_6701_6qn33acolor_laserjet_enterprise_mfp_5800_6qn30acolor_laserjet_enterprise_flow_mfp_6800_6qn36alaserjet_managed_flow_mfp_e73130_6bs59alaserjet_managed_flow_mfp_e73135_3sj00alaserjet_managed_flow_mfp_e73130_6bs57alaserjet_managed_e82670_3sj09alaserjet_managed_flow_mfp_e73135_3sj02alaserjet_managed_mfp_e73130_3sj01alaserjet_managed_flow_mfp_e73135_5qk02acolor_laserjet_managed_mfp_e87760_3sj35acolor_laserjet_managed_flow_mfp_e78625_3sj11acolor_laserjet_managed_mfp_e786_3sj32acolor_laserjet_managed_flow_e87770_3sj19alaserjet_managed_e82660_3sj28acolor_laserjet_enterprise_flow_mfp_5800_6qn31alaserjet_managed_flow_mfp_e73135_6bs59acolor_laserjet_managed_flow_mfp_e78625_5qj94alaserjet_managed_flow_mfp_e73140_6bs57acolor_laserjet_managed_flow_mfp_e786_5qj94alaserjet_managed_e82650_5qk09acolor_laserjet_enterprise_6701_49l00acolor_laserjet_managed_mfp_e78523_5qk15alaserjet_managed_e82660_3sj08acolor_laserjet_managed_flow_mfp_e78635_5qj94alaserjet_managed_mfp_e73140_3sj01acolor_laserjet_managed_mfp_e87750_3sj35alaserjet_managed_flow_mfp_e73030_3sj03acolor_laserjet_managed_mfp_e87750_3sj37acolor_laserjet_managed_flow_e87770_3sj36acolor_laserjet_enterprise_flow_mfp_6800_6qn38acolor_laserjet_managed_flow_e87770_3sj20acolor_laserjet_managed_flow_e87770_3sj37acolor_laserjet_managed_mfp_e78635_3sj11acolor_laserjet_managed_mfp_e87740_3sj19acolor_laserjet_managed_flow_e87740_3sj21alaserjet_managed_mfp_e826dn_5qk09acolor_laserjet_managed_mfp_e87750_5qk20acolor_laserjet_managed_mfp_e87750_5qk08acolor_laserjet_managed_mfp_e87750_3sj38acolor_laserjet_enterprise_mfp_5800_49k96avlaserjet_managed_flow_mfp_e73130_3sj00acolor_laserjet_enterprise_5700_49k98alaserjet_managed_mfp_e826dn_3sj30acolor_laserjet_enterprise_6701_58m42acolor_laserjet_managed_flow_e87740_5qk03acolor_laserjet_managed_mfp_e78630_3sj13acolor_laserjet_managed_mfp_e87740_5qk08alaserjet_managed_mfp_e73135_3sj00alaserjet_managed_flow_mfp_e73135_6bs58afuturesmart_5color_laserjet_managed_flow_e87760_3sj22alaserjet_managed_mfp_e73135_6bs57acolor_laserjet_managed_flow_mfp_e78630_3sj33acolor_laserjet_managed_mfp_e785dn_5qk15acolor_laserjet_managed_flow_e87770_5qk20acolor_laserjet_managed_flow_e87760_5qk20acolor_laserjet_managed_mfp_e87760_3sj19acolor_laserjet_managed_mfp_e78630_5qj94acolor_laserjet_enterprise_m455_3pz95alaserjet_managed_flow_mfp_e73130_3sj01acolor_laserjet_managed_mfp_e87770_3sj22alaserjet_managed_flow_mfp_e826z_5qk13acolor_laserjet_managed_mfp_e786_5qk18acolor_laserjet_managed_mfp_e87770_3sj35alaserjet_enterprise_m406_3pz15alaserjet_managed_mfp_e73130_3sj02acolor_laserjet_managed_flow_mfp_e78630_5qj94acolor_laserjet_enterprise_mfp_m480_3qa55acolor_laserjet_managed_mfp_e785dn_5qj83acolor_laserjet_enterprise_flow_mfp_6800_49k84acolor_laserjet_managed_flow_mfp_e786_3sj13acolor_laserjet_managed_flow_mfp_e78635_3sj11acolor_laserjet_managed_mfp_e87760_3sj38alaserjet_managed_flow_mfp_e826z_3sj08alaserjet_managed_e82660_3sj30acolor_laserjet_managed_flow_mfp_e78625_3sj33alaserjet_managed_mfp_e826dn_3sj07acolor_laserjet_managed_flow_mfp_e78635_3sj33acolor_laserjet_managed_mfp_e78630_3sj32acolor_laserjet_enterprise_mfp_x57945_6qp99alaserjet_managed_mfp_e73025_5qj87acolor_laserjet_managed_mfp_e786_3sj11alaserjet_managed_flow_mfp_e73140_3sj02acolor_laserjet_enterprise_mfp_5800_58r10alaserjet_managed_mfp_e73025_3sj04acolor_laserjet_managed_e45028_3qa35alaserjet_managed_flow_mfp_e73130_6bs58alaserjet_managed_e82660_5qk09alaserjet_managed_mfp_e73130_6bs59acolor_laserjet_enterprise_mfp_6800_49k84acolor_laserjet_managed_flow_mfp_e786_3sj33acolor_laserjet_managed_mfp_e78635_3sj12alaserjet_managed_flow_mfp_e73140_5qk02alaserjet_managed_mfp_e73130_3sj00acolor_laserjet_managed_mfp_e78635_3sj34alaserjet_managed_flow_mfp_e826z_3sj28alaserjet_managed_e82670_3sj30alaserjet_managed_e82650_3sj07alaserjet_managed_flow_mfp_e73030_5qj87acolor_laserjet_managed_mfp_e78528_5qj83acolor_laserjet_managed_flow_e87760_3sj36alaserjet_managed_flow_mfp_e73140_5qj98acolor_laserjet_managed_flow_e87760_5qk03acolor_laserjet_managed_flow_mfp_e78625_3sj34acolor_laserjet_managed_mfp_e87760_5qk08alaserjet_managed_flow_mfp_e73130_5qj98acolor_laserjet_managed_flow_mfp_e78630_3sj13acolor_laserjet_managed_flow_mfp_e78630_3sj11alaserjet_managed_mfp_e73140_6bs58acolor_laserjet_managed_flow_e87740_3sj20acolor_laserjet_managed_flow_e87750_3sj19acolor_laserjet_enterprise_x55745_49k99acolor_laserjet_managed_mfp_e87760_3sj36acolor_laserjet_managed_flow_e87750_3sj22acolor_laserjet_managed_mfp_e78630_3sj12acolor_laserjet_managed_flow_mfp_e78625_5qk18acolor_laserjet_managed_flow_mfp_e78635_3sj34alaserjet_managed_flow_mfp_e73140_3sj00acolor_laserjet_managed_flow_e87750_3sj38acolor_laserjet_managed_flow_e87740_5qk08acolor_laserjet_managed_mfp_e785dn_5qj81alaserjet_managed_e82650_3sj29acolor_laserjet_managed_mfp_e87770_3sj20acolor_laserjet_managed_flow_e87750_3sj35acolor_laserjet_managed_mfp_e87750_3sj19alaserjet_managed_e82650_5qk13acolor_laserjet_managed_mfp_e87770_5qk08alaserjet_managed_flow_mfp_e73135_6bs57acolor_laserjet_managed_mfp_e78635_5qj94acolor_laserjet_managed_flow_mfp_e786_3sj34acolor_laserjet_managed_mfp_e87740_5qk20alaserjet_managed_mfp_e73140_3sj02acolor_laserjet_managed_mfp_e87750_3sj20acolor_laserjet_managed_mfp_e47528_3qa75alaserjet_managed_e82670_5qk09acolor_laserjet_managed_mfp_e78630_3sj34alaserjet_managed_mfp_e73140_5qk02acolor_laserjet_managed_flow_mfp_e78625_3sj13alaserjet_managed_mfp_e826dn_3sj28alaserjet_managed_e82660_3sj07acolor_laserjet_managed_mfp_e87770_5qk03acolor_laserjet_managed_mfp_e87760_5qk03acolor_laserjet_managed_flow_e87770_5qk08alaserjet_managed_flow_mfp_e73140_3sj01alaserjet_managed_flow_mfp_e73030_3sj04acolor_laserjet_managed_flow_mfp_e78630_5qj90acolor_laserjet_enterprise_mfp_6800_6qn37acolor_laserjet_managed_flow_e87760_5qk08alaserjet_managed_mfp_e73135_6bs59alaserjet_managed_mfp_e73030_5qj87alaserjet_managed_mfp_e73130_6bs58acolor_laserjet_managed_mfp_e786_3sj34acolor_laserjet_enterprise_6700_58m42acolor_laserjet_managed_mfp_e87740_3sj20acolor_laserjet_managed_flow_e87750_5qk08acolor_laserjet_enterprise_mfp_5800_6qn31aHP Enterprise LaserJet and HP LaserJet Managed Printers
CWE ID-CWE-203
Observable Discrepancy
CVE-2010-10006
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-2.6||LOW
EPSS-0.12% / 31.14%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 23:58
Updated-03 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
michaelliao jopenid OpenIdManager.java getAuthentication timing discrepancy

A vulnerability, which was classified as problematic, was found in michaelliao jopenid. Affected is the function getAuthentication of the file JOpenId/src/org/expressme/openid/OpenIdManager.java. The manipulation leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.08 is able to address this issue. The name of the patch is c9baaa976b684637f0d5a50268e91846a7a719ab. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218460.

Action-Not Available
Vendor-jopenid_projectmichaelliao
Product-jopenidjopenid
CWE ID-CWE-203
Observable Discrepancy
CWE ID-CWE-208
Observable Timing Discrepancy
CVE-2024-24766
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.36% / 57.18%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 18:10
Updated-28 May, 2025 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CasaOS Username Enumeration

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue.

Action-Not Available
Vendor-icewhaleIceWhaleTechicewhaletech
Product-casaos-userserviceCasaOS-UserServicecasaos-userservice
CWE ID-CWE-203
Observable Discrepancy
CWE ID-CWE-204
Observable Response Discrepancy
CVE-2022-48251
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.11% / 30.82%
||
7 Day CHG~0.00%
Published-10 Jan, 2023 | 00:00
Updated-03 Aug, 2024 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The AES instructions on the ARMv8 platform do not have an algorithm that is "intrinsically resistant" to side-channel attacks. NOTE: the vendor reportedly offers the position "while power side channel attacks ... are possible, they are not directly caused by or related to the Arm architecture."

Action-Not Available
Vendor-n/aArm Limited
Product-cortex-a76aecortex-a75cortex-a77_firmwarecortex-a78_firmwarecortex-a55_firmwarecortex-a57cortex-a53_firmwarecortex-a53cortex-a76ae_firmwarecortex-a75_firmwarecortex-a76_firmwarecortex-a78cortex-a73_firmwarecortex-a76cortex-a55cortex-a72_firmwarecortex-a72cortex-a73cortex-a77cortex-a57_firmwaren/a
CWE ID-CWE-203
Observable Discrepancy
CVE-2021-38562
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.13% / 33.66%
||
7 Day CHG+0.01%
Published-18 Oct, 2021 | 08:52
Updated-04 Aug, 2024 | 01:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.

Action-Not Available
Vendor-n/aBest Practical Solutions, LLCFedora ProjectDebian GNU/Linux
Product-debian_linuxrequest_trackerfedoran/a
CWE ID-CWE-203
Observable Discrepancy
CVE-2024-13939
Matching Score-4
Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e
ShareView Details
Matching Score-4
Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e
CVSS Score-7.5||HIGH
EPSS-0.03% / 8.42%
||
7 Day CHG-0.02%
Published-28 Mar, 2025 | 02:05
Updated-11 Apr, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829

Action-Not Available
Vendor-fractalFRACTAL
Product-string\String::Compare::ConstantTime
CWE ID-CWE-203
Observable Discrepancy
CWE ID-CWE-208
Observable Timing Discrepancy
CVE-2024-11297
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 40.03%
||
7 Day CHG+0.01%
Published-20 Dec, 2024 | 06:59
Updated-03 Jul, 2025 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Restriction WordPress (WP) – Protect WP Pages/Post <= 1.3.6 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

Action-Not Available
Vendor-miniorangecyberlord92
Product-page_restrictionPage Restriction WordPress (WP) – Protect WP Pages/Post
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-203
Observable Discrepancy
CVE-2021-37848
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.32% / 54.08%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 19:46
Updated-04 Aug, 2024 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison.

Action-Not Available
Vendor-pengutronixn/a
Product-bareboxn/a
CWE ID-CWE-203
Observable Discrepancy
CVE-2024-0553
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.91% / 74.86%
||
7 Day CHG-0.15%
Published-16 Jan, 2024 | 11:40
Updated-17 Jun, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gnutls: incomplete fix for cve-2023-5981

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Action-Not Available
Vendor-Red Hat, Inc.Fedora ProjectGNU
Product-fedoragnutlsenterprise_linuxRHODF-4.15-RHEL-9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 6Red Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9RHOL-5.8-RHEL-9
CWE ID-CWE-203
Observable Discrepancy
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found