A vulnerability, which was classified as critical, was found in Multilaser RE057 and RE170 2.1/2.2. This affects an unknown part of the file /param.file.tgz of the component Backup File Handler. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The identifier VDB-220053 was assigned to this vulnerability.
An AEM java servlet in AEM versions 6.5.5.0 (and below) and 6.4.8.1 (and below) executes with the permissions of a high privileged service user. If exploited, this could lead to read-only access to sensitive data in an AEM repository.
A vulnerability was detected in Das Parking Management System 停车场管理系统 6.2.0. This impacts an unknown function of the file /Operator/Search. The manipulation results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used.
The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files.
ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, allows a remote attacker with access to the web application and knowledge of the routes (URIs) used by the application, to access sensitive information about the system.
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
A vulnerability was found in BDCOM 1704-WGL 2.0.6314. It has been classified as critical. This affects an unknown part of the file /param.file.tgz of the component Backup File Handler. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The identifier VDB-220101 was assigned to this vulnerability.
Insufficient protection of secrets in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 discloses credentials of a service account.
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
An issue was discovered on Samsung mobile devices with M(6.x) and N(7.x) software. There is information disclosure of the kbase_context address of a GPU memory node. The Samsung ID is SVE-2017-8907 (December 2017).
The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.1 does not have proper authorization or nonce values for some POST requests, leading to unauthenticated data disclosure.
For native-to-JS bridging, the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token was being used for JS-to-native also, but it isn't needed in this case, and its usage was also leaking this token. This vulnerability affects Firefox for iOS < 25.
A CWE-200: Information Exposure vulnerability exists in Easergy T300, Firmware V1.5.2 and prior, which could allow an attacker to pack or unpack the archive with the firmware for the controller and modules using the usual tar archiver resulting in an information exposure.
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, an attacker can gain access to sensitive information from the web service without authorization.
A SQL-Injection vulnerability in the nTracker USB Enterprise(secure USB management solution) allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0.
A CWE-200: Information Exposure vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow attacker to obtain private keys.
An issue in Zertificon Z1 SecureMail Z1 SecureMail Gateway 4.44.2-7240-debian12 allows a remote attacker to obtain sensitive information via the /compose-pdf.xhtml?convid=[id] component.
HPE OneView Global Dashboard (OVGD) 1.9 has a remote information disclosure vulnerability. HPE OneView Global Dashboard - After Upgrade or Install of OVGD Version 1.9, Appliance Firewall May Leave Ports Open. This is resolved in OVGD 1.91 or later.
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain an SNMPv2 vulnerability. The SNMPv2 services is enabled, by default, with a pre-configured community string. This community string allows read-only access to many aspects of the Isilon cluster, some of which are considered sensitive and can foster additional access.
GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vectors.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing.This issue affects SKSPro: through 07012026.
Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell EMC Networking PC5500 firmware versions 4.1.0.22 and older and Dell EMC PowerEdge VRTX Switch Modules firmware versions 2.0.0.77 and older contain an information disclosure vulnerability. A remote unauthenticated attacker could exploit this vulnerability to retrieve sensitive data by sending a specially crafted request to the affected endpoints.
An access control issue in Tmall_demo v2024.07.03 allows attackers to obtain sensitive information.
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is due to insufficient condition checks in the part of the code that handles CAPWAP keepalive requests. An attacker could exploit this vulnerability by sending a crafted CAPWAP keepalive packet to a vulnerable Cisco WLC device. A successful exploit could allow the attacker to retrieve the contents of device memory, which could lead to the disclosure of confidential information.
lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module that can result in Possible to read files on the server. This attack appear to be exploitable via GET parameter. This vulnerability appears to have been fixed in after commit 254765e.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Codection Import and export users and customers allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Import and export users and customers: from n/a through 1.26.8.
An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user's session via an arbitrary command (ISP6-1779).
A vulnerability was found in Netis Netcore Router up to 2.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file param.file.tgz of the component Backup Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-217591.
NVIDIA GeForce NOW, versions prior to 2.0.23 on Windows and macOS, contains a vulnerability in the desktop application software that includes sensitive information as part of a URL, which may lead to information disclosure.
Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: 1. make an http request with an authorization header 2. that request leads to a redirect (302) and 3. the redirect url redirects to another domain or hostname Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8.
An exposure of sensitive information vulnerability has been reported to affect QNAP AI Core. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP AI Core 3.4.1 and later
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99.
Best House Rental Management System v1.0 was discovered to contain an arbitrary file read vulnerability via the Page parameter at index.php. This vulnerability allows attackers to read arbitrary PHP files and access other sensitive information within the application.
SSB-DB version 20.0.0 has an information disclosure vulnerability. The get() method is supposed to only decrypt messages when you explicitly ask it to, but there is a bug where it's decrypting any message that it can. This means that it is returning the decrypted content of private messages, which a malicious peer could use to get access to private data. This only affects peers running SSB-DB@20.0.0 who also have private messages, and is only known to be exploitable if you're also running SSB-OOO (default in SSB-Server), which exposes a thin wrapper around get() to anonymous peers. This is fixed in version 20.0.1. Note that users of SSB-Server verion 16.0.0 should upgrade to 16.0.1 to get the fixed version of SSB-DB.
IBM QRadar Network Security 5.4.0 and 5.5.0 discloses sensitive information to unauthorized users which could be used to mount further attacks against the system. IBM X-Force ID: 174339.
IBM MobileFirst Platform Foundation 8.0.0.0 stores highly sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 175207.
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.
The ThemeMakers GamesTheme Premium theme through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI.
The ThemeMakers Car Dealer / Auto Dealer Responsive theme through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI.
Dorsett Controls Central Server update server has potential information leaks with an unprotected file that contains passwords and API keys.
In JetBrains TeamCity before 2019.2.2, password values were shown in an unmasked format on several pages.
In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods.
Insecure permissions in the /api/v1/agents API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access sensitive information.
Adobe Acrobat and Reader versions 2020.006.20034 and earlier, 2017.011.30158 and earlier, 2017.011.30158 and earlier, 2015.006.30510 and earlier, and 2015.006.30510 and earlier have a memory address leak vulnerability. Successful exploitation could lead to information disclosure .
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.14.9 via the env-info.php and restore-info.json files. This makes it possible for unauthenticated attackers to find the location of back-up files and subsequently download them.
A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in ThemeSphere SmartMag allows Excavation, Accessing Functionality Not Properly Constrained by ACLs.This issue affects SmartMag: from n/a through 9.3.0.
An issue was discovered in Joomla! 2.5.0 through 3.9.22. The globlal configuration page does not remove secrets from the HTML output, disclosing the current values.
The ThemeMakers Diplomat | Political theme through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI.