Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-532
Total 493 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-11336 1 Sony 89 Kdl-50w800c, Kdl-50w805c, Kdl-50w807c and 86 more 2019-05-21 4.3 MEDIUM 8.1 HIGH
Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.
CVE-2018-19865 2 Opensuse, Qt 2 Leap, Qt 2019-05-10 5.0 MEDIUM 7.5 HIGH
A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
CVE-2019-11492 1 Projectsend 1 Projectsend 2019-04-30 5.0 MEDIUM 7.5 HIGH
ProjectSend before r1070 writes user passwords to the server logs.
CVE-2019-9724 1 Aquaverde 1 Aquarius Cms 2019-04-29 5.0 MEDIUM 7.5 HIGH
aquaverde Aquarius CMS through 4.3.5 allows Information Exposure through Log Files because of an error in the Log-File writer component.
CVE-2017-6139 1 F5 1 Big-ip Access Policy Manager 2019-04-12 4.3 MEDIUM 5.9 MEDIUM
In F5 BIG-IP APM software version 13.0.0 and 12.1.2, under rare conditions, the BIG-IP APM system appends log details when responding to client requests. Details in the log file can vary; customers running debug mode logging with BIG-IP APM are at highest risk.
CVE-2019-4143 1 Ibm 1 Cloud Private 2019-04-10 2.1 LOW 5.5 MEDIUM
The IBM Cloud Private Key Management Service (IBM Cloud Private 3.1.1 and 3.1.2) could allow a local user to obtain sensitive from the KMS plugin container log. IBM X-Force ID: 158348.
CVE-2018-16859 1 Redhat 1 Ansible Engine 2019-04-03 2.1 LOW 4.4 MEDIUM
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
CVE-2018-19513 1 Ens 1 Webgalamb 2019-03-22 5.0 MEDIUM 7.5 HIGH
In Webgalamb through 7.0, log files are exposed to the internet with predictable files/logs/sql_error_log/YYYY-MM-DD-sql_error_log.log filenames. The log file could contain sensitive client data (email addresses) and also facilitates exploitation of SQL injection errors.
CVE-2017-15572 2 Debian, Redmine 2 Debian Linux, Redmine 2019-03-14 5.0 MEDIUM 7.5 HIGH
In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.
CVE-2019-0741 1 Microsoft 1 Java Software Development Kit 2019-03-08 5.0 MEDIUM 7.5 HIGH
An information disclosure vulnerability exists in the way Azure IoT Java SDK logs sensitive information, aka 'Azure IoT Java SDK Information Disclosure Vulnerability'.
CVE-2018-5693 1 Linuxmagic 1 Magicspam 2019-03-06 2.1 LOW 3.3 LOW
The LinuxMagic MagicSpam extension before 2.0.14-1 for Plesk allows local users to discover mailbox names by reading /var/log/magicspam/mslog.
CVE-2018-14995 1 Zteusa 8 Zte Blade Spark, Zte Blade Spark Firmware, Zte Blade Vantage and 5 more 2019-02-07 1.9 LOW 4.7 MEDIUM
The ZTE Blade Vantage Android device with a build fingerprint of ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys, the ZTE Blade Spark Android device with a build fingerprint of ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys, the ZTE ZMAX Pro Android device with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contain a pre-installed platform app with a package name of com.android.modem.service (versionCode=25, versionName=7.1.1; versionCode=23, versionName=6.0.1) that exports an interface to any app on co-located on the device. Using the exported interface of the com.android.modem.service app, any app can enable and obtain certain log files (modem and logcat) without the appropriate corresponding access permissions. The modem logs contain the phone number and full text body of incoming and outgoing text messages in binary format. In addition, the modem log contains the phone numbers for both incoming and outgoing phone calls. The system-wide logcat logs (those obtained via the logcat binary) tend to contain sensitive user data. Third-party apps are prevented from directly reading the system-wide logcat logs. The capability to read from the system-wide logcat logs is only available to pre-installed system apps and platform apps. The modem log and/or logcat log, once activated, get written to external storage (SD card). An app aware of this vulnerability can enable the logs, parse them for relevant data, and exfiltrate them from the device. The modem log and logcat log are inactive by default, but a third-party app with no permissions can activate them, although the app will need to be granted the READ_EXTERNAL_STORAGE permission to access them.
CVE-2018-15004 1 Coolpad 2 Canvas, Canvas Firmware 2019-02-07 4.3 MEDIUM 5.9 MEDIUM
The Coolpad Canvas device with a build fingerprint of Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys contains a platform app with a package name of com.qualcomm.qti.modemtestmode (versionCode=24, versionName=7.0) that contains an exported service app component named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app on the device to set certain system properties as the com.android.phone user. When an app sets the persist.service.logr.enable system property to a value of 1, an app with a package name of com.yulong.logredirect (versionCode=20160622, versionName=5.25_20160622_01) will start writing the system-wide logcat log, kernel log, and a tcpdump network traffic capture to external storage. Furthermore, on the Coolpad Canvas device, the com.android.phone app writes the destination phone number and body of the text message for outgoing text messages. A notification when logging can be avoided if the log is enabled after device startup and disabled prior to device shutdown by setting the system properties using the exported interface of the com.qualcomm.qti.modemtestmode app. Any app with the READ_EXTERNAL_STORAGE permission can access the log files.
CVE-2018-15002 1 Vivo 2 V7, V7 Firmware 2019-02-07 1.9 LOW 4.7 MEDIUM
The Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys allows any app co-located on the device to set system properties as the com.android.phone user. The com.qualcomm.qti.modemtestmode app (versionCode=25, versionName=7.1.2) that contains an exported service named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app co-located on the device to provide key-value pairs to set certain system properties. Notably, system properties with the persist.* prefix can be set which will survive a reboot. On the Vivo V7 device, when the persist.sys.input.log property is set to have a value of yes, the user's screen touches be written to the logcat log by the InputDispatcher for all apps. The system-wide logcat log can be obtained from external storage via a different known vulnerability on the device. The READ_EXTERNAL_STORAGE permission is necessary to access the log files containing the user's touch coordinates. With some effort, the user's touch coordinates can be mapped to key presses on a keyboard.
CVE-2018-15001 1 Vivo 2 V7, V7 Firmware 2019-02-07 2.1 LOW 5.5 MEDIUM
The Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys contains a platform app with a package name of com.vivo.bsptest (versionCode=1, versionName=1.0) containing an exported activity app component named com.vivo.bsptest.BSPTestActivity that allows any app co-located on the device to initiate the writing of the logcat log, bluetooth log, and kernel log to external storage. When logging is enabled, there is a notification in the status bar, so it is not completely transparent to the user. The user can cancel the logging, but it can be re-enabled since the app with a package name of com.vivo.bsptest cannot be disabled. The writing of these logs can be initiated by an app co-located on the device, although the READ_EXTERNAL_STORAGE permission is necessary to for an app to access the log files.
CVE-2018-19863 1 Agilebits 1 1password 2019-02-05 2.1 LOW 5.5 MEDIUM
An issue was discovered in 1Password 7.2.3.BETA before 7.2.3.BETA-3 on macOS. A mistake in error logging resulted in instances where sensitive data passed from Safari to 1Password could be logged locally on the user's machine. This data could include usernames and passwords that a user manually entered into Safari.
CVE-2018-19786 1 Hashicorp 1 Vault 2018-12-27 4.3 MEDIUM 8.1 HIGH
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported.
CVE-2018-14700 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 5.0 MEDIUM 7.5 HIGH
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
CVE-2018-17447 1 Citrix 2 Netscaler Sd-wan, Sd-wan 2018-12-17 5.0 MEDIUM 7.5 HIGH
An Information Exposure Through Log Files issue was discovered in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4.
CVE-2018-16049 1 Gitlab 1 Gitlab 2018-12-04 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message.