Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-200
Total 6955 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-36537 1 Zkoss 1 Zk Framework 2023-03-03 N/A 7.5 HIGH
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
CVE-2023-0994 1 Rosariosis 1 Rosariosis 2023-03-03 N/A 7.5 HIGH
Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.
CVE-2019-13417 1 Search-guard 1 Search Guard 2023-03-02 5.0 MEDIUM 5.3 MEDIUM
Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.
CVE-2022-33181 1 Broadcom 1 Fabric Operating System 2023-03-02 N/A 5.5 MEDIUM
An information disclosure vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a local authenticated attacker to read sensitive files using switch commands “configshow” and “supportlink”.
CVE-2018-2022 1 Ibm 1 Qradar Security Information And Event Manager 2023-03-01 5.0 MEDIUM 5.3 MEDIUM
IBM QRadar SIEM 7.2 and 7.3 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 155346.
CVE-2019-4193 3 Ibm, Linux, Microsoft 4 Aix, Jazz For Service Management, Linux Kernel and 1 more 2023-03-01 5.0 MEDIUM 7.5 HIGH
IBM Jazz for Service Management 1.1.3 and 1.1.3.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-force ID: 159032.
CVE-2018-1968 1 Ibm 1 Security Identity Manager Virtual Appliance 2023-03-01 5.0 MEDIUM 5.3 MEDIUM
IBM Security Identity Manager 7.0.1 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 153749.
CVE-2019-13313 3 Fedoraproject, Libosinfo, Redhat 6 Fedora, Libosinfo, Enterprise Linux and 3 more 2023-02-28 2.1 LOW 7.8 HIGH
libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line.
CVE-2022-27891 1 Palantir 1 Gotham 2023-02-24 N/A 5.3 MEDIUM
Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0.
CVE-2022-43927 5 Hp, Ibm, Linux and 2 more 6 Hp-ux, Aix, Db2 and 3 more 2023-02-24 N/A 7.5 HIGH
IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671.
CVE-2023-22580 1 Sequelizejs 1 Sequelize 2023-02-24 N/A 7.5 HIGH
Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.
CVE-2016-3201 1 Microsoft 4 Edge, Windows 10, Windows 8.1 and 1 more 2023-02-23 4.3 MEDIUM 6.5 MEDIUM
Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gold and 1511, and Microsoft Edge allow remote attackers to obtain sensitive information from process memory via a crafted PDF document, aka "Windows PDF Information Disclosure Vulnerability," a different vulnerability than CVE-2016-3215.
CVE-2019-5463 1 Gitlab 1 Gitlab 2023-02-22 5.0 MEDIUM 5.3 MEDIUM
An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
CVE-2022-41946 2 Debian, Postgresql 2 Debian Linux, Postgresql Jdbc Driver 2023-02-22 N/A 5.5 MEDIUM
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
CVE-2020-6812 2 Canonical, Mozilla 4 Ubuntu Linux, Firefox, Firefox Esr and 1 more 2023-02-22 5.0 MEDIUM 5.3 MEDIUM
The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a special case that renames devices containing the substring 'AirPods' to simply 'AirPods'. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.
CVE-2019-10407 1 Jenkins 1 Project Inheritance 2023-02-22 4.0 MEDIUM 6.5 MEDIUM
Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.
CVE-2015-2774 3 Erlang, Opensuse, Oracle 3 Erlang\/otp, Opensuse, Solaris 2023-02-21 4.3 MEDIUM 5.9 MEDIUM
Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
CVE-2023-0020 1 Sap 1 Businessobjects Business Intelligence Platform 2023-02-21 N/A 7.1 HIGH
SAP BusinessObjects Business Intelligence platform - versions 420, 430, allows an authenticated attacker to access sensitive information which is otherwise restricted. On successful exploitation, there could be a high impact on confidentiality and limited impact on integrity of the application.
CVE-2021-34749 1 Cisco 3 Firepower Management Center, Firepower Management Center Virtual Appliance Firmware, Ironport Web Security Appliance 2023-02-18 5.0 MEDIUM 8.6 HIGH
A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks.
CVE-2023-25164 1 Tina 1 Tinacms 2023-02-18 N/A 7.5 HIGH
Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli >= 1.0.0 && < 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a version prior to 1.0.0 this vulnerability does not affect you. If you are affected and your Tina-enabled website has sensitive credentials stored as environment variables (eg. Algolia API keys) you should rotate those keys immediately. This issue has been patched in @tinacms/cli@1.0.9. Users are advised to upgrade. There are no known workarounds for this issue.