Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2208.101 could allow an unauthenticated attacker to conduct an account enumeration attack due to improper configuration. A successful exploit could allow an attacker to access system information.
An information leak in Tokudaya.ekimae_mc v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
An information leak in Daiky-value.Fukueten v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
An issue in Anglaise Company Anglaise.Company v.13.6.1 allows a remote attacker to obtain sensitive information via crafted GET request.
The HTTP and WebSocket engine components in the server in Kaazing Gateway 4.0.2, 4.0.3, and 4.0.4 and Gateway - JMS Edition 4.0.2, 4.0.3, and 4.0.4 allow remote attackers to obtain sensitive information via vectors related to HTTP request handling.
An issue in CHRISTINA JAPAN Line v.13.6.1 allows a remote attacker to obtain sensitive information via crafted GET request.
An information leak in Tokudaya.honten v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
RiskNet Acquirer before hotfix 6.0 b7+ADHOC-443 ApplicationServiceBean contains a service information disclosure.
An information leak in hirochanKAKIwaiting v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
An information leak in shouzu sweets oz v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
NestJS Proxy is a NestJS module to decorate and proxy calls. Prior to version 0.7.0, the nestjs-proxy library did not have a way to control when Authorization headers should should be forwarded for specific backend services configured by the application developer. This could have resulted in sensitive information such as OAuth bearer access tokens being inadvertently exposed to such services that should not see them. A new feature has been introduced in the patched version of nestjs-proxy that allows application developers to opt out of forwarding the Authorization headers on a per service basis using the `forwardToken` config setting. Developers are advised to review the README for this library on Github or NPM for further details on how this configuration can be applied. This issue has been fixed in version 0.7.0 of `@finastra/nestjs-proxy`. Users of `@ffdc/nestjs-proxy` are advised that this package has been deprecated and is no longer being maintained or receiving updates. Such users should update their package.json file to use `@finastra/nestjs-proxy` instead.
The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information.
The Loftek Nexus 543 IP Camera allows remote attackers to obtain (1) IP addresses via a request to get_realip.cgi or (2) firmware versions (ui and system), timestamp, serial number, p2p port number, and wifi status via a request to get_status.cgi.
An information leak in Hattoriya v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
An issue in tire-sales Line v.13.6.1 allows a remote attacker to obtain sensitive information via crafted GET request.
MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue.
Cryptocat before 2.0.22 Chrome Extension 'img/keygen.gif' has Information Disclosure
The vulnerability exists in CP-Plus NVR due to an improper input handling at the web-based management interface of the affected product. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable device. Successful exploitation of this vulnerability could allow the remote attacker to obtain sensitive information on the targeted device.
Loftware Spectrum through 4.6 exposes Sensitive Information (Logs) to an Unauthorized Actor.
A vulnerability was found in Evolution Events Artaxerxes. It has been declared as problematic. This vulnerability affects unknown code of the file arta/common/middleware.py of the component POST Parameter Handler. The manipulation of the argument password leads to information disclosure. The attack can be initiated remotely. The patch is identified as 022111407d34815c16c6eada2de69ca34084dc0d. It is recommended to apply a patch to fix this issue. VDB-217438 is the identifier assigned to this vulnerability.
Brother MFC-9970CDW 1.10 firmware L devices contain an information disclosure vulnerability which allows remote attackers to view sensitive information from referrer logs due to inadequate handling of HTTP referrer headers.
SimpleHRM 2.3 and earlier could allow remote attackers to bypass the authentication process in 'user_manager.php' via spoofing a cookie.
`tktchurch/website` contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized party gains access to this key, they could potentially carry out transactions on behalf of the organization, leading to financial losses. Additionally, they could access sensitive customer information, leading to privacy violations and potential legal implications. The affected component is the codebase of our project, specifically the file(s) where the Stripe API key is embedded. The key should have been stored securely, and not committed to the codebase. The maintainers plan to revoke the leaked Stripe API key immediately, generate a new one, and not commit the key to the codebase.
common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.
An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
Brother MFC-9970CDW 1.10 firmware L devices contain an information disclosure vulnerability which allows remote attackers to view private IP addresses and other sensitive information.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in MultiVendorX Product Stock Manager & Notifier for WooCommerce.This issue affects Product Stock Manager & Notifier for WooCommerce: from n/a through 2.0.1.
KubePi is an opensource kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leak password hash of any user (including admin). A sufficiently motivated attacker may be able to crack leaded password hashes. This issue has been addressed in version 1.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
The HwContacts module has a logic bypass vulnerability. Successful exploitation of this vulnerability may affect confidentiality.
Cryptocat strophe.js before 2.0.22 has information disclosure
An Information Disclosure vulnerability exists in Netgear WNDR4700 running firmware 1.0.0.34 in the management web interface, which discloses the PSK of the wireless LAN.
MiniUPnPd has information disclosure use of snprintf()
The Advanced Woo Search plugin version through 1.99 for Wordpress suffers from a sensitive information disclosure vulnerability in every ajax search request via the sql field to includes/class-aws-search.php.
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
A vulnerability has been found in Exit Strategy Plugin 1.55 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality of the file exitpage.php. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 1.59 is able to address this issue. The identifier of the patch is d964b8e961b2634158719f3328f16eda16ce93ac. It is recommended to upgrade the affected component. The identifier VDB-225265 was assigned to this vulnerability.
A vulnerability classified as problematic has been found in ethitter WP-Print-Friendly up to 0.5.2. This affects an unknown part of the file wp-print-friendly.php. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. Upgrading to version 0.5.3 is able to address this issue. The identifier of the patch is 437787292670c20b4abe20160ebbe8428187f2b4. It is recommended to upgrade the affected component. The identifier VDB-217269 was assigned to this vulnerability.
An Information Disclosure vulnerability exists via a GET request in Vivotek PT7135 IP Camera 0300a and 0400a due to wireless keys and 3rd party credentials stored in clear text.
Unauthorized access vulnerability in the SystemUI module. Successful exploitation of this vulnerability may affect confidentiality.
Allowing RTT frames to be linked with non randomized MAC address by comparing the sequence numbers can lead to information disclosure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
Unauthorized access vulnerability in the SystemUI module. Successful exploitation of this vulnerability may affect confidentiality.
An Information Disclosure vulnerability exists due to insufficient validation of authentication cookies for the RTSP session in D-Link DCS-5635 1.01, DCS-1100L 1.04, DCS-1130L 1.04, DCS-1100 1.03/1.04_US, DCS-1130 1.03/1.04_US , DCS-2102 1.05_RU/1.06/1.06_FR/1.05_TESCO, DCS-2121 1.05_RU/1.06/1.06_FR/1.05_TESCO, DCS-3410 1.02, DCS-5230 1.02, DCS-5230L 1.02, DCS-6410 1.0, DCS-7410 1.0, DCS-7510 1.0, and WCS-1100 1.02, which could let a malicious user obtain unauthorized access to video streams.
Exposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
GitLab EE/CE 8.17 to 12.9 is vulnerable to information leakage when querying a merge request widget.
Microsoft Outlook Information Disclosure Vulnerability
NextGEN Gallery Plugin for WordPress 1.9.10 and 1.9.11 has a Path Disclosure Vulnerability
The Sepolicy module has inappropriate permission control on the use of Netlink.Successful exploitation of this vulnerability may affect confidentiality.
gnome-system-log polkit policy allows arbitrary files on the system to be read