Total
6955 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16541 | 5 Apple, Debian, Linux and 2 more | 10 Macos, Debian Linux, Linux Kernel and 7 more | 2022-04-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected. | |||||
| CVE-2022-26591 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2022-04-15 | 5.0 MEDIUM | 7.5 HIGH |
| FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request. | |||||
| CVE-2021-43205 | 1 Fortinet | 1 Forticlient | 2022-04-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Linux version 7.0.2 and below, 6.4.7 and below and 6.2.9 and below may allow an unauthenticated attacker to access the confighandler webserver via external binaries. | |||||
| CVE-2021-40375 | 1 Apperta | 1 Openeyes | 2022-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apperta Foundation OpenEyes 3.5.1 allows remote attackers to view the sensitive information of patients without having the intended level of privilege. Despite OpenEyes returning a Forbidden error message, the contents of a patient's profile are still returned in the server response. This response can be read in an intercepting proxy or by viewing the page source. Sensitive information returned in responses includes patient PII and medication records or history. | |||||
| CVE-2019-14839 | 1 Redhat | 3 Business-central, Descision Manager, Process Automation | 2022-04-08 | 5.0 MEDIUM | 7.5 HIGH |
| It was observed that while login into Business-central console, HTTP request discloses sensitive information like username and password when intercepted using some tool like burp suite etc. | |||||
| CVE-2022-24797 | 1 Pomerium | 1 Pomerium | 2022-04-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. This issue is patched in version v0.17.1 Workarounds: Block access to `/debug` and `/metrics` paths on the authenticate service. This can be done with any L7 proxy, including Pomerium's own proxy service. | |||||
| CVE-2022-23158 | 1 Dell | 1 Wyse Device Agent | 2022-04-08 | 2.1 LOW | 4.4 MEDIUM |
| Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A local authenticated user with standard privilege could potentially exploit this vulnerability and provide incorrect port information and get connected to valid WMS server | |||||
| CVE-2022-23157 | 1 Dell | 1 Wyse Device Agent | 2022-04-08 | 2.1 LOW | 4.4 MEDIUM |
| Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A authenticated malicious user could potentially exploit this vulnerability in order to view sensitive information from the WMS Server. | |||||
| CVE-2022-24782 | 1 Discourse | 1 Discourse | 2022-04-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| Discourse is an open source discussion platform. Versions 2.8.2 and prior in the `stable` branch, 2.9.0.beta3 and prior in the `beta` branch, and 2.9.0.beta3 and prior in the `tests-passed` branch are vulnerable to a data leak. Users can request an export of their own activity. Sometimes, due to category settings, they may have category membership for a secure category. The name of this secure category is shown to the user in the export. The same thing occurs when the user's post has been moved to a secure category. A patch for this issue is available in the `main` branch of Discourse's GitHub repository and is anticipated to be part of future releases. | |||||
| CVE-2017-5075 | 5 Apple, Google, Linux and 2 more | 8 Macos, Android, Chrome and 5 more | 2022-04-06 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in CSP reporting in Blink in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to obtain the value of url fragments via a crafted HTML page. | |||||
| CVE-2021-22876 | 7 Broadcom, Debian, Fedoraproject and 4 more | 11 Fabric Operating System, Debian Linux, Fedora and 8 more | 2022-04-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. | |||||
| CVE-2021-45095 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2022-04-06 | 2.1 LOW | 5.5 MEDIUM |
| pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak. | |||||
| CVE-2016-1455 | 1 Cisco | 8 Nexus 93128, Nexus 9396px, Nexus 9396tx and 5 more | 2022-04-05 | 5.0 MEDIUM | 7.5 HIGH |
| Cisco NX-OS before 7.0(3)I2(2e) and 7.0(3)I4 before 7.0(3)I4(1) has an incorrect iptables local-interface configuration, which allows remote attackers to obtain sensitive information via TCP or UDP traffic, aka Bug ID CSCuz05365. | |||||
| CVE-2020-1753 | 3 Debian, Fedoraproject, Redhat | 4 Debian Linux, Fedora, Ansible Engine and 1 more | 2022-04-05 | 2.1 LOW | 5.5 MEDIUM |
| A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files. | |||||
| CVE-2022-0331 | 1 Sophos | 1 Sfos | 2022-04-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older. | |||||
| CVE-2022-1077 | 1 Tem | 4 Flex-1080, Flex-1080 Firmware, Flex-1085 and 1 more | 2022-04-04 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in TEM FLEX-1080 and FLEX-1085 1.6.0. It has been declared as problematic. This vulnerability log.cgi of the component Log Handler. A direct request leads to information disclosure of hardware information. The attack can be initiated remotely and does not require any form of authentication. | |||||
| CVE-2020-1739 | 3 Debian, Fedoraproject, Redhat | 6 Debian Linux, Fedora, Ansible and 3 more | 2022-04-01 | 3.3 LOW | 3.9 LOW |
| A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs. | |||||
| CVE-2022-25568 | 1 Motioneye Project | 1 Motioneye | 2022-03-31 | 4.3 MEDIUM | 7.5 HIGH |
| MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured. | |||||
| CVE-2022-25571 | 1 Bluedon | 1 Internet Access Detector | 2022-03-30 | 5.0 MEDIUM | 7.5 HIGH |
| Bluedon Information Security Technologies Co.,Ltd Internet Access Detector v1.0 was discovered to contain an information leak which allows attackers to access the contents of the password file via unspecified vectors. | |||||
| CVE-2020-36289 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2022-03-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1. | |||||