Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-39822

Summary
Assigner-Zoom
Assigner Org ID-99b9af0d-a833-4a5d-9e2f-8b1324f35351
Published At-14 Aug, 2024 | 16:38
Updated At-16 Aug, 2024 | 19:18
Rejected At-
Credits

Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers - Sensitive Information Exposure

Sensitive information exposure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow an authenticated user to conduct an information disclosure via network access.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Zoom
Assigner Org ID:99b9af0d-a833-4a5d-9e2f-8b1324f35351
Published At:14 Aug, 2024 | 16:38
Updated At:16 Aug, 2024 | 19:18
Rejected At:
▼CVE Numbering Authority (CNA)
Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers - Sensitive Information Exposure

Sensitive information exposure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow an authenticated user to conduct an information disclosure via network access.

Affected Products
Vendor
Zoom Communications, Inc.Zoom Communications Inc.
Product
Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers
Platforms
  • Windows
  • MacOS
  • Linux
  • iOS
  • Android
Default Status
unaffected
Versions
Affected
  • see references
Problem Types
TypeCWE IDDescription
CWECWE-200CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-200
Description: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.zoom.com/en/trust/security-bulletin/zsb-24029
N/A
Hyperlink: https://www.zoom.com/en/trust/security-bulletin/zsb-24029
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@zoom.us
Published At:14 Aug, 2024 | 17:15
Updated At:04 Sep, 2024 | 21:28

Sensitive information exposure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow an authenticated user to conduct an information disclosure via network access.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches

Zoom Communications, Inc.
zoom
>>meeting_software_development_kit>>Versions before 6.0.12(exclusive)
cpe:2.3:a:zoom:meeting_software_development_kit:*:*:*:*:*:android:*:*
Zoom Communications, Inc.
zoom
>>meeting_software_development_kit>>Versions before 6.0.12(exclusive)
cpe:2.3:a:zoom:meeting_software_development_kit:*:*:*:*:*:iphone_os:*:*
Zoom Communications, Inc.
zoom
>>rooms>>Versions before 6.1.0(exclusive)
cpe:2.3:a:zoom:rooms:*:*:*:*:*:ipados:*:*
Zoom Communications, Inc.
zoom
>>rooms>>Versions before 6.1.0(exclusive)
cpe:2.3:a:zoom:rooms:*:*:*:*:*:macos:*:*
Zoom Communications, Inc.
zoom
>>rooms>>Versions before 6.1.0(exclusive)
cpe:2.3:a:zoom:rooms:*:*:*:*:*:windows:*:*
Zoom Communications, Inc.
zoom
>>rooms_controller>>Versions before 6.1.0(exclusive)
cpe:2.3:a:zoom:rooms_controller:*:*:*:*:*:android:*:*
Zoom Communications, Inc.
zoom
>>rooms_controller>>Versions before 6.1.0(exclusive)
cpe:2.3:a:zoom:rooms_controller:*:*:*:*:*:linux:*:*
Zoom Communications, Inc.
zoom
>>rooms_controller>>Versions before 6.1.0(exclusive)
cpe:2.3:a:zoom:rooms_controller:*:*:*:*:*:macos:*:*
Zoom Communications, Inc.
zoom
>>rooms_controller>>Versions before 6.1.0(exclusive)
cpe:2.3:a:zoom:rooms_controller:*:*:*:*:*:windows:*:*
Zoom Communications, Inc.
zoom
>>workplace>>Versions before 6.0.12(exclusive)
cpe:2.3:a:zoom:workplace:*:*:*:*:*:android:*:*
Zoom Communications, Inc.
zoom
>>workplace>>Versions before 6.0.12(exclusive)
cpe:2.3:a:zoom:workplace:*:*:*:*:*:iphone_os:*:*
Zoom Communications, Inc.
zoom
>>workplace_desktop>>Versions before 6.0.12(exclusive)
cpe:2.3:a:zoom:workplace_desktop:*:*:*:*:*:linux:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-200Secondarysecurity@zoom.us
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-200
Type: Secondary
Source: security@zoom.us
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.zoom.com/en/trust/security-bulletin/zsb-24029security@zoom.us
Vendor Advisory
Hyperlink: https://www.zoom.com/en/trust/security-bulletin/zsb-24029
Source: security@zoom.us
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

300Records found

CVE-2023-52234
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 67.82%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:34
Updated-10 Mar, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booster Elite for WooCommerce plugin < 7.1.2 - Auth. Sensitive Data Exposure vulnerability

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Booster Booster Elite for WooCommerce.This issue affects Booster Elite for WooCommerce: from n/a before 7.1.2.

Action-Not Available
Vendor-boosterBooster
Product-booster_for_woocommerceBooster Elite for WooCommerce
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-30607
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-2.7||LOW
EPSS-0.24% / 47.67%
||
7 Day CHG~0.00%
Published-17 Jun, 2022 | 15:20
Updated-16 Sep, 2024 | 21:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Robotic Process Automation 20.10.0, 20.12.5, 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI. IBM X-Force ID: 227294.

Action-Not Available
Vendor-Microsoft CorporationIBM Corporation
Product-windowsrobotic_process_automationRobotic Process Automation
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2018-10913
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-3.5||LOW
EPSS-1.01% / 76.15%
||
7 Day CHG~0.00%
Published-04 Sep, 2018 | 14:00
Updated-05 Aug, 2024 | 07:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability was discovered in glusterfs server. An attacker could issue a xattr request via glusterfs FUSE to determine the existence of any file.

Action-Not Available
Vendor-glusterDebian GNU/LinuxRed Hat, Inc.openSUSE
Product-enterprise_linux_serverdebian_linuxvirtualization_hostglusterfsleapglusterfs
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-29232
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.27%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 22:25
Updated-23 Apr, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of messages in BigBlueButton public chats

BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds.

Action-Not Available
Vendor-bigbluebuttonbigbluebutton
Product-bigbluebuttonbigbluebutton
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-31095
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 41.83%
||
7 Day CHG~0.00%
Published-21 Jun, 2022 | 19:00
Updated-23 Apr, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information in discourse-chat

discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily affecting direct message channels. There are no known workarounds for this issue, and users are advised to update the plugin.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse-chatdiscourse-chat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2023-52231
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 67.82%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 06:36
Updated-10 Mar, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booster Plus for WooCommerce plugin < 7.1.2 - Auth. Sensitive Data Exposure vulnerability

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Booster Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.2.

Action-Not Available
Vendor-boosterBooster
Product-booster_for_woocommerceBooster Plus for WooCommerce
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-5105
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.72% / 71.62%
||
7 Day CHG~0.00%
Published-04 Dec, 2023 | 21:27
Updated-02 Aug, 2024 | 07:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager < 22.6 - Editor+ Arbitrary File Download

The Frontend File Manager Plugin WordPress plugin before 22.6 has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php`

Action-Not Available
Vendor-najeebmediaUnknown
Product-frontend_file_manager_pluginFrontend File Manager Plugin
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-9337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.98%
||
7 Day CHG~0.00%
Published-26 Feb, 2020 | 13:20
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encoding) via a GET request.

Action-Not Available
Vendor-golfbuddyglobaln/a
Product-course_managern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-326
Inadequate Encryption Strength
CVE-2023-50253
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.7||CRITICAL
EPSS-0.06% / 19.82%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 16:45
Updated-09 Jun, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
laf logs leak

Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which allows authenticated users to obtain any pod logs under the same namespace through this method, thereby obtaining sensitive information printed in the logs. As of time of publication, no known patched versions exist.

Action-Not Available
Vendor-Labring Computing Co., LTD.
Product-laflaf
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-23649
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.28% / 51.25%
||
7 Day CHG~0.00%
Published-24 Jan, 2024 | 18:09
Updated-30 May, 2025 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Any authenticated user may obtain private message details from other users on the same instance

Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports. Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported: Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance. Version 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied.

Action-Not Available
Vendor-join-lemmyLemmyNet
Product-lemmylemmy
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-285
Improper Authorization
CVE-2018-0140
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.46% / 63.32%
||
7 Day CHG-0.03%
Published-08 Feb, 2018 | 07:00
Updated-02 Dec, 2024 | 21:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the spam quarantine of Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to download any message from the spam quarantine by modifying browser string information. The vulnerability is due to a lack of verification of authenticated user accounts. An attacker could exploit this vulnerability by modifying browser strings to see messages submitted by other users to the spam quarantine within their company. Cisco Bug IDs: CSCvg39759, CSCvg42295.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-email_security_appliance_c190email_security_appliance_c670content_security_management_appliance_sma_m390xemail_security_appliance_c370demail_security_appliance_c170email_security_appliance_c160content_security_management_appliance_sma_m690email_security_appliance_c680email_security_appliance_c690xcontent_security_management_appliance_sma_m690xcontent_security_management_applianceemail_security_appliance_firmwareemail_security_appliance_c690email_security_appliance_c370content_security_management_appliance_sma_m190email_security_appliance_c380email_security_appliance_c390email_security_appliance_x1070content_security_management_appliance_sma_m390Cisco Email Security Appliance and Cisco Content Security Management Appliance
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CVE-2020-6954
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 57.16%
||
7 Day CHG~0.00%
Published-13 Jan, 2020 | 22:17
Updated-04 Aug, 2024 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Cayin SMP-PRO4 devices. A user can discover a saved password by viewing the URL after a Connection String Test. This password is shown in the webpass parameter of a media_folder.cgi?apply_mode=ping_server URI.

Action-Not Available
Vendor-n/aCAYIN Technology Co.
Product-smp-pro4_firmwaresmp-pro4n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-29512
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 48.78%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 00:40
Updated-03 Aug, 2024 | 06:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Exposure of sensitive information to an unauthorized actor issue in multiple applications of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data without the viewing privilege.

Action-Not Available
Vendor-Cybozu, Inc.
Product-garoonCybozu Garoon
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-50290
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-92.90% / 99.76%
||
7 Day CHG~0.00%
Published-15 Jan, 2024 | 09:32
Updated-09 May, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Solr: Host environment variables are published via the Metrics API

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-proccess. The Solr Metrics API is protected by the "metrics-read" permission. Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission. This issue affects Apache Solr: from 9.0.0 before 9.3.0. Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.

Action-Not Available
Vendor-The Apache Software Foundation
Product-solrApache Solr
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-24865
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 54.81%
||
7 Day CHG~0.00%
Published-20 Apr, 2022 | 20:05
Updated-22 Apr, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper access control in humhub

HumHub is an Open Source Enterprise Social Network. In affected versions users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that the HumHub is upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue.

Action-Not Available
Vendor-humhubhumhub
Product-humhubhumhub
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-7780
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 11.36%
||
7 Day CHG~0.00%
Published-24 Jul, 2025 | 09:22
Updated-25 Jul, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ai Engine <= 2.9.4 - Missing URL Scheme Validation to Authenticated (Subscriber+) Arbitrary File Read via simpleTranscribeAudio and get_audio Functions

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling get_audio(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to read any file on the web server and exfiltrate it via the plugin’s OpenAI API integration.

Action-Not Available
Vendor-tigroumeow
Product-AI Engine
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-7919
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.1||HIGH
EPSS-0.03% / 7.77%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 06:16
Updated-22 Jul, 2025 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simopro Technology|WinMatrix3 Web package - SQL Injection

WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Action-Not Available
Vendor-Simopro Technology
Product-WinMatrix3 Web package
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-7196
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.18%
||
7 Day CHG~0.00%
Published-26 Oct, 2020 | 15:05
Updated-04 Aug, 2024 | 09:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the url "/bdswebui/assignusers/".

Action-Not Available
Vendor-n/aHP Inc.
Product-ezmeral_container_platformbluedata_epicBlueData EPIC Software; HPE Ezmeral Container Platform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-23643
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 41.75%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 21:25
Updated-23 Apr, 2025 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Side-channel attack in Sourcegraph Code Monitors

Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects only the Code Monitoring feature, whereas CVE-2021-43823 also affected saved searches. A successful attack would require an authenticated bad actor to create many Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in versions 3.35.2 and 3.36.3 of Sourcegraph. Those who are unable to upgrade may disable the Code Monitor feature in their installation.

Action-Not Available
Vendor-sourcegraphsourcegraph
Product-sourcegraphsourcegraph
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-203
Observable Discrepancy
CVE-2022-24414
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.6||HIGH
EPSS-0.33% / 54.98%
||
7 Day CHG~0.00%
Published-26 May, 2022 | 15:20
Updated-17 Sep, 2024 | 00:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attacks.

Action-Not Available
Vendor-Dell Inc.
Product-cloudlinkCloudLink
CWE ID-CWE-598
Use of GET Request Method With Sensitive Query Strings
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-24670
Matching Score-4
Assigner-ForgeRock, Inc.
ShareView Details
Matching Score-4
Assigner-ForgeRock, Inc.
CVSS Score-7.1||HIGH
EPSS-0.15% / 36.14%
||
7 Day CHG+0.01%
Published-27 Oct, 2022 | 16:53
Updated-09 May, 2025 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Any user can run unrestricted LDAP queries against a configuration endpoint

An attacker can use the unrestricted LDAP queries to determine configuration entries

Action-Not Available
Vendor-ForgeRock, Inc.
Product-access_managementAccess Management
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-48333
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.5||MEDIUM
EPSS-0.68% / 70.62%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 14:17
Updated-02 Aug, 2024 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Booster for WooCommerce Plugin <= 7.1.1 is vulnerable to Sensitive Data Exposure

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pluggabl LLC Booster for WooCommerce.This issue affects Booster for WooCommerce: from n/a through 7.1.1.

Action-Not Available
Vendor-boosterPluggabl LLC
Product-booster_for_woocommerceBooster for WooCommerce
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-24398
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 56.97%
||
7 Day CHG~0.00%
Published-08 Mar, 2022 | 13:35
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access information which would otherwise be restricted.

Action-Not Available
Vendor-SAP SE
Product-business_objects_business_intelligence_platformSAP Business Objects Business Intelligence Platform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-6865
Matching Score-4
Assigner-ZTE Corporation
ShareView Details
Matching Score-4
Assigner-ZTE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 54.98%
||
7 Day CHG~0.00%
Published-30 Apr, 2020 | 21:16
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZTE SDN controller platform is impacted by an information leakage vulnerability. Due to the program's failure to optimize the response of failure to the request, the caller can directly view the internal error code location of the component. Attackers could exploit this vulnerability to obtain sensitive information. This affects: OSCP versions V16.19.10 and V16.19.20.

Action-Not Available
Vendor-n/aZTE Corporation
Product-oscpOSCP
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-22733
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-84.35% / 99.27%
||
7 Day CHG~0.00%
Published-20 Jan, 2022 | 10:25
Updated-03 Aug, 2024 | 03:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Access-Token in ElasticJob UI causes password disclosure

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.

Action-Not Available
Vendor-The Apache Software Foundation
Product-shardingsphere_elasticjob-uiApache ShardingSphere ElasticJob-UI
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-27490
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.20% / 42.61%
||
7 Day CHG~0.00%
Published-07 Mar, 2023 | 16:04
Updated-22 Oct, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A exposure of sensitive information to an unauthorized actor in Fortinet FortiManager version 6.0.0 through 6.0.4, FortiAnalyzer version 6.0.0 through 6.0.4, FortiPortal version 6.0.0 through 6.0.9, 5.3.0 through 5.3.8, 5.2.x, 5.1.0, 5.0.x, 4.2.x, 4.1.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.x, 6.0.x allows an attacker which has obtained access to a restricted administrative account to obtain sensitive information via `diagnose debug` commands.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortiswitchfortimanagerfortiportalFortiPortalFortiManagerFortiAnalyzerFortiSwitch
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-23469
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.29% / 51.97%
||
7 Day CHG~0.00%
Published-08 Dec, 2022 | 21:33
Updated-22 Apr, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization header displayed in the debug logs

Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header are displayed in the debug logs. Attackers must have access to a users logging system in order for credentials to be stolen. This issue has been addressed in version 2.9.6. Users are advised to upgrade. Users unable to upgrade may set the log level to `INFO`, `WARN`, or `ERROR`.

Action-Not Available
Vendor-traefiktraefik
Product-traefiktraefik
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-23613
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.16% / 37.06%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 20:33
Updated-10 Mar, 2025 | 21:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Field-level security issue with .keyword fields in OpenSearch

OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue.

Action-Not Available
Vendor-amazonopensearch-project
Product-opensearchsecurity
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-5070
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-10.44% / 92.94%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 07:29
Updated-05 Feb, 2025 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens and secrets as well as app passwords.

Action-Not Available
Vendor-ultimatelysocialsocialdude
Product-social_media_share_buttons_\&_social_sharing_iconsSocial Media Share Buttons & Social Sharing Icons
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-22337
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.41%
||
7 Day CHG~0.00%
Published-04 Jan, 2023 | 17:50
Updated-10 Apr, 2025 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling B2B Integrator Standard Edition information disclosure

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could disclose sensitive information to an authenticated user. IBM X-Force ID: 219507.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator Standard Edition
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2008-5083
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 55.11%
||
7 Day CHG~0.00%
Published-07 Nov, 2019 | 23:18
Updated-07 Aug, 2024 | 10:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON.

Action-Not Available
Vendor-JONRed Hat, Inc.
Product-jboss_operations_networkJON
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-36319
Matching Score-4
Assigner-Vaadin Ltd.
ShareView Details
Matching Score-4
Assigner-Vaadin Ltd.
CVSS Score-3.1||LOW
EPSS-0.50% / 64.91%
||
7 Day CHG~0.00%
Published-23 Apr, 2021 | 16:05
Updated-16 Sep, 2024 | 23:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential sensitive data exposure in applications using Vaadin 15

Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController

Action-Not Available
Vendor-vaadinVaadin
Product-flowvaadinflow-serverVaadin
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-47619
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.12% / 32.16%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 21:02
Updated-22 May, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Audiobookshelf Server-Side Request Forgery and Arbitrary File Read Vulnerability

Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response. This issue may lead to Information Disclosure. As of time of publication, no patches are available.

Action-Not Available
Vendor-audiobookshelfadvplyr
Product-audiobookshelfaudiobookshelf
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-20680
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.52%
||
7 Day CHG~0.00%
Published-10 Feb, 2022 | 17:06
Updated-06 Nov, 2024 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Prime Service Catalog Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper enforcement of Administrator privilege levels for low-value sensitive data. An attacker with read-only Administrator access to the web-based management interface could exploit this vulnerability by sending a malicious HTTP request to the page that contains the sensitive data. A successful exploit could allow the attacker to collect sensitive information about users of the system and orders that have been placed using the application.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_service_catalogCisco Prime Service Catalog
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-36532
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 47.38%
||
7 Day CHG~0.00%
Published-03 Jun, 2022 | 19:10
Updated-15 Apr, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Klapp App Authorization Credentials information disclosure

A vulnerability has been found in Klapp App and classified as problematic. This vulnerability affects unknown code of the component Authorization. The manipulation leads to information disclosure (Credentials). The attack can be initiated remotely. It is recommended to upgrade the affected app.

Action-Not Available
Vendor-klappKlapp
Product-appApp
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2020-36835
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.27% / 50.03%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-27 Feb, 2025 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Migration, Backup, Staging – WPvivid <= 0.9.35 - Sensitive Information Disclosure

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to sensitive information disclosure of a WordPress site's database due to missing capability checks on the wp_ajax_wpvivid_add_remote AJAX action that allows low-level authenticated attackers to send back-ups to a remote location of their choice for review. This affects versions up to, and including 0.9.35.

Action-Not Available
Vendor-wpvividwpvividplugins
Product-migration\,_backup\,_stagingMigration, Backup, Staging – WPvivid
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2023-46128
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.34%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 14:17
Updated-11 Sep, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of hashed user passwords via REST API in Nautobot

Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.

Action-Not Available
Vendor-networktocodenautobot
Product-nautobotnautobot
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2022-0708
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.25%
||
7 Day CHG~0.00%
Published-21 Feb, 2022 | 17:49
Updated-06 Dec, 2024 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team Creator's Email Address is disclosed to Team Members via one of the APIs

Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-47146
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.9||MEDIUM
EPSS-0.05% / 13.41%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 22:04
Updated-02 Aug, 2024 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM QRadar SIEM information disclosure

IBM Qradar SIEM 7.5 could allow a privileged user to obtain sensitive domain information due to data being misidentified. IBM X-Force ID: 270372.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_security_information_and_event_managerQRadar SIEM
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2020-3498
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 54.01%
||
7 Day CHG~0.00%
Published-04 Sep, 2020 | 02:25
Updated-13 Nov, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Jabber for Windows Information Disclosure Vulnerability

A vulnerability in Cisco Jabber software could allow an authenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted messages to a targeted system. A successful exploit could allow the attacker to cause the application to return sensitive authentication information to another system, possibly for use in further attacks.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-jabberCisco Jabber
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-20
Improper Input Validation
CVE-2020-3391
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 41.82%
||
7 Day CHG~0.00%
Published-02 Jul, 2020 | 04:20
Updated-15 Nov, 2024 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Digital Network Architecture Center Information Disclosure Vulnerability

A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to view sensitive information in clear text. The vulnerability is due to insecure storage of certain unencrypted credentials on an affected device. An attacker could exploit this vulnerability by viewing the network device configuration and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to use those credentials to discover and manage network devices.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-digital_network_architecture_centerCisco Digital Network Architecture Center (DNA Center)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-3547
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 39.44%
||
7 Day CHG~0.00%
Published-04 Sep, 2020 | 02:26
Updated-13 Nov, 2024 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Email Security Appliance, Cisco Content Security Management Appliance, and Cisco Web Security Appliance Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco Email Security Appliance (ESA), Cisco Content Security Management Appliance (SMA), and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because an insecure method is used to mask certain passwords on the web-based management interface. An attacker could exploit this vulnerability by looking at the raw HTML code that is received from the interface. A successful exploit could allow the attacker to obtain some of the passwords configured throughout the interface.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-content_security_management_applianceasyncosemail_security_applianceweb_security_applianceCisco Web Security Appliance (WSA)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-46701
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 41.35%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:19
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Inaccessible Post Information Leak via Run Timeline IDOR

Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks plugin allowing an attacker to get limited information about a post if they know the post ID

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2021-46166
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 53.44%
||
7 Day CHG~0.00%
Published-09 Jan, 2022 | 00:25
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_desktop_centraln/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-46148
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 56.82%
||
7 Day CHG~0.00%
Published-07 Jan, 2022 | 05:54
Updated-04 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can view confidential information (e.g., IP addresses and User-Agent headers for election traffic) on a testwiki SecurePoll instance.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-5690
Matching Score-4
Assigner-PostgreSQL
ShareView Details
Matching Score-4
Assigner-PostgreSQL
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 13.37%
||
7 Day CHG~0.00%
Published-04 Jun, 2025 | 21:34
Updated-05 Jun, 2025 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cursor allows PostgreSQL Anonymizer masked user to gain unauthorized access to authentic data

PostgreSQL Anonymizer v2.0 and v2.1 contain a vulnerability that allows a masked user to bypass the masking rules defined on a table and read the original data using a database cursor or the --insert option of pg_dump. This problem occurs only when dynamic masking is enabled, which is not the default setting. The problem is resolved in version 2.2.1

Action-Not Available
Vendor-DALIBO
Product-PostgreSQL Anonymizer
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-2401
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 54.91%
||
7 Day CHG~0.00%
Published-14 Jul, 2022 | 17:20
Updated-06 Dec, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Team members could access sensitive information of other users via an API call

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-54380
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 6.68%
||
7 Day CHG+0.01%
Published-26 Jul, 2025 | 03:28
Updated-26 Aug, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Opencast still publishes global system account credentials

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6.

Action-Not Available
Vendor-apereoopencast
Product-opencastopencast
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-44145
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.20%
||
7 Day CHG~0.00%
Published-17 Dec, 2021 | 08:50
Updated-04 Aug, 2024 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache NiFi information disclosure by XXE

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

Action-Not Available
Vendor-The Apache Software Foundation
Product-nifiApache NiFi
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-22542
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.46% / 63.19%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor that is not explicitly authorized to have access to that information, which could compromise Confidentiality.

Action-Not Available
Vendor-SAP SE
Product-s\/4hanaSAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found