Insecure Storage of Sensitive Information
CWE-922

Columns for each entry: CVE ID | CVSS | Vendor | Exploit | Patch (a "-" means no entry on this page)
CVE-2024-7569 | CVSS 9.8 | Vendor: Ivanti | Exploit: - | Patch: Patched
An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.

CVE-2024-6916 | CVSS 5.5 | Vendor: Linuxfoundation, et al | Exploit: - | Patch: -
A vulnerability in Zowe CLI allows local, privileged actors to display securely stored properties in cleartext within a terminal using the '--show-inputs-only' flag.

CVE-2024-6295 | CVSS 3.9 | Vendor: - | Exploit: - | Patch: -
The udn News Android app stores the unencrypted user session in the local database when the user logs into the application. A malicious app or an attacker with physical access to the Android device can retrieve this session and use it to log into the news app and other services provided by udn.

CVE-2024-5288 | CVSS 5.1 | Vendor: Wolfssl | Exploit: - | Patch: -
An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery.

CVE-2024-52519 | CVSS 2.7 | Vendor: Nextcloud | Exploit: - | Patch: -
Nextcloud Server is a self-hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.

CVE-2024-5206 | CVSS 4.7 | Vendor: Ibm, et al | Exploit: - | Patch: Patched
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.

CVE-2024-51399 | CVSS 5.7 | Vendor: - | Exploit: - | Patch: -
Altai Technologies Ltd Altai IX500 Indoor 22 802.11ac Wave 2 AP: after login, there are file reads in the background, and attackers can obtain sensitive information such as user credentials, system configuration, and database connection strings, which can lead to data breaches and identity theft.

CVE-2024-48939 | CVSS 7.5 | Vendor: - | Exploit: - | Patch: -
Insufficient validation performed on the REST API License file in Paxton Net2 before 6.07.14023.5015 (SR4) enables use of the REST API with an invalid License File. Attackers may be able to retrieve access-log data.

CVE-2024-48770 | CVSS 8.2 | Vendor: - | Exploit: - | Patch: -
An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process.

CVE-2024-48353 | CVSS 7.5 | Vendor: Yealink | Exploit: - | Patch: Patched
Yealink Meeting Server before V26.0.0.67 allows attackers to obtain static key information from a front-end JS file and decrypt the plaintext passwords based on the obtained key information.

CVE-2024-48352 | CVSS 7.5 | Vendor: Yealink | Exploit: - | Patch: Patched
Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response when an HTTP request carrying an enterprise ID is sent.

CVE-2024-47197 | CVSS 7.5 | Vendor: Apache | Exploit: - | Patch: Patched
Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml. This file contains all the content from the user's ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials. When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot), their credentials would be published without them knowing.

CVE-2024-47122 | CVSS 6.5 | Vendor: - | Exploit: - | Patch: -
In the goTenna Pro App, the encryption keys are stored along with a static IV on the End User Device (EUD). This allows for complete decryption of keys stored on the EUD if physically compromised. This allows an attacker to decrypt all encrypted broadcast communications based on encryption keys stored on the EUD. This requires access to and control of the EUD, so it is recommended to use strong access control measures and layered encryption on the EUD for more secure operation.

CVE-2024-46635 | CVSS 5.9 | Vendor: - | Exploit: - | Patch: -
An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter.

CVE-2024-45374 | CVSS 6.5 | Vendor: - | Exploit: - | Patch: -
The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and the password is cracked via a brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is advised to use local QR encryption key sharing for additional security on this and previous versions.

CVE-2024-44275 | CVSS 3.3 | Vendor: Apple | Exploit: - | Patch: Patched
Description: A path deletion vulnerability was addressed by preventing vulnerable code from running with privileges.
Impact: An attacker with root privileges may be able to delete protected system files.

CVE-2024-44263 | CVSS 4 | Vendor: Apple | Exploit: - | Patch: Patched
Description: A logic issue was addressed with improved state management.
Impact: An app may be able to access user-sensitive data.

CVE-2024-44257 | CVSS 6.2 | Vendor: Apple | Exploit: - | Patch: Patched
Description: This issue was addressed with improved redaction of sensitive information.
Impact: An app may be able to access sensitive user data.

CVE-2024-44222 | CVSS 3.3 | Vendor: Apple | Exploit: - | Patch: Patched
Description: This issue was addressed with improved redaction of sensitive information.
Impact: An app may be able to read sensitive location information.

CVE-2024-44216 | CVSS 6.2 | Vendor: Apple | Exploit: - | Patch: Patched
Description: An access issue was addressed with additional sandbox restrictions.
Impact: An app may be able to access user-sensitive data.

CVE-2024-44213 | CVSS 5.9 | Vendor: Apple | Exploit: - | Patch: Patched
Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.
Impact: An attacker in a privileged network position may be able to leak sensitive user information.

CVE-2024-44175 | CVSS 5.5 | Vendor: Apple | Exploit: - | Patch: Patched
Description: This issue was addressed with improved validation of symlinks.
Impact: An app may be able to access sensitive user data.

CVE-2024-44174 | CVSS 5.5 | Vendor: Apple | Exploit: - | Patch: Patched
Description: The issue was addressed with improved checks.
Impact: An attacker may be able to view restricted content from the lock screen.

CVE-2024-43694 | CVSS 6.5 | Vendor: - | Exploit: - | Patch: -
In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.

CVE-2024-43427 | CVSS Medium | Vendor: Moodle | Exploit: - | Patch: Patched
A flaw was found in Moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.

CVE-2024-42677 | CVSS 5.5 | Vendor: - | Exploit: Exploit | Patch: -
An issue in Huizhi enterprise resource management system v.1.0 and before allows a local attacker to obtain sensitive information via the /nssys/common/filehandle.aspx component.

CVE-2024-42018 | CVSS 7.7 | Vendor: Atos | Exploit: - | Patch: -
An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials whose integrity and confidentiality may be important to the security of the HPC configuration. Because these parameters are needed for initialization, there is no available mechanism to ensure access control on the management node, and a mitigation measure is normally put in place to prevent access to unprivileged users. It was discovered that this mitigation measure does not survive a reboot of diskful nodes. (Diskless nodes are not at risk.) The mistake lies in the cloud-init configuration: the iptables configuration should have been in the bootcmd instead of the runcmd section.

CVE-2024-40832 | CVSS 3.3 | Vendor: Apple | Exploit: - | Patch: Patched
The issue was addressed with improved checks. An app may be able to view a contact's phone number in system logs.

CVE-2024-40813 | CVSS 4.6 | Vendor: Apple | Exploit: - | Patch: Patched
A lock screen issue was addressed with improved state management. An attacker with physical access may be able to use Siri to access sensitive user data.

CVE-2024-39775 | CVSS 7.5 | Vendor: Openatom, et al | Exploit: - | Patch: Patched
OpenHarmony v4.1.0 and prior versions allow a remote attacker to cause an information leak through an out-of-bounds read.

CVE-2024-39612 | CVSS 5.5 | Vendor: Openatom, et al | Exploit: - | Patch: Patched
OpenHarmony v4.0.0 and prior versions allow a local attacker to cause an information leak through an out-of-bounds read.

CVE-2024-39459 | CVSS 4.3 | Vendor: Jenkins | Exploit: - | Patch: Patched
When creating secret file credentials, Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be stored unencrypted (only Base64 encoded) on the Jenkins controller file system. These credentials can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials). Plain Credentials Plugin 183.va_de8f1dd5a_2b_ no longer attempts to decrypt the content of the file when creating secret file credentials.

CVE-2024-39339 | CVSS 7.5 | Vendor: Toyota | Exploit: - | Patch: -
A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and personally identifiable information (PII). The exposure of such information may have serious implications for user privacy and system integrity.

CVE-2024-38453 | CVSS 7.5 | Vendor: Salesforce | Exploit: - | Patch: -
The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024.

CVE-2024-38382 | CVSS 5.5 | Vendor: Openatom, et al | Exploit: - | Patch: Patched
OpenHarmony v4.0.0 and prior versions allow a local attacker to cause an information leak through an out-of-bounds read.

CVE-2024-38312 | CVSS 6.5 | Vendor: Mozilla | Exploit: - | Patch: Patched
When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination. This vulnerability affects Firefox for iOS < 127.

CVE-2024-37728 | CVSS 7.5 | Vendor: - | Exploit: - | Patch: -
Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface.

CVE-2024-36788 | CVSS 4.8 | Vendor: Netgear | Exploit: Exploit | Patch: -
Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 does not properly set the HTTPOnly flag for cookies. This allows attackers to possibly intercept and access sensitive communications between the router and connected devices.

CVE-2024-35526 | CVSS 5.9 | Vendor: - | Exploit: - | Patch: -
An issue in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to access sensitive information in the /facade directory.

CVE-2024-3502 | CVSS 8.1 | Vendor: Lunary | Exploit: - | Patch: Patched
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

CVE-2024-3501 | CVSS 8.1 | Vendor: Lunary | Exploit: - | Patch: Patched
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.

CVE-2024-34721 | CVSS 6.2 | Vendor: Google | Exploit: - | Patch: Patched
In ensureFileColumns of MediaProvider.java, there is a possible disclosure of files owned by another user due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2024-34677 | CVSS 3.3 | Vendor: Samsung | Exploit: - | Patch: Patched
Exposure of sensitive information in System UI prior to SMR Nov-2024 Release 1 allows local attackers to make malicious apps appear as legitimate.

CVE-2024-3334 | CVSS 4.3 | Vendor: Digitalguardian | Exploit: - | Patch: -
A security bypass vulnerability exists in the Removable Media Encryption (RME) component of Digital Guardian Windows Agents prior to version 8.2.0. This allows a user to circumvent encryption controls by modifying metadata on the USB device, thereby compromising the confidentiality of the stored data.

CVE-2024-33004 | CVSS 4.3 | Vendor: Sap | Exploit: - | Patch: -
SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages, causing limited impact on Confidentiality, Integrity and Availability of the application.

CVE-2024-32236 | CVSS 3.5 | Vendor: Cmseasy | Exploit: - | Patch: -
An issue in CmsEasy v.7.7 and before allows a remote attacker to obtain sensitive information via the update function in the index.php component.

CVE-2024-32211 | CVSS 5.5 | Vendor: - | Exploit: - | Patch: -
An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components.

CVE-2024-31400 | CVSS 6.5 | Vendor: Cybozu | Exploit: - | Patch: -
Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.0. If this vulnerability is exploited, unintended data may be left in forwarded mail.

CVE-2024-30917 | CVSS 5.5 | Vendor: Eprosima | Exploit: - | Patch: -
An issue was discovered in eProsima FastDDS v.2.14.0 and before that allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in the DurabilityService QoS component.

CVE-2024-30132 | CVSS 3.7 | Vendor: Hcltech | Exploit: - | Patch: -
HCL Nomad server on Domino did not configure certain HTTP Security headers by default, which could allow an attacker to obtain sensitive information via unspecified vectors.

CVE-2024-29968 | CVSS 7.7 | Vendor: Broadcom | Exploit: - | Patch: -
An information disclosure vulnerability exists in Brocade SANnav before v2.3.1 and v2.3.0a when Brocade SANnav instances are configured in disaster recovery mode. SQL table names, column names, and SQL queries are collected in DR standby Supportsave. This could allow authenticated users to access the database structure and its contents.

CVE-2024-29965 | CVSS 6.8 | Vendor: Broadcom | Exploit: - | Patch: -
In Brocade SANnav before v2.3.1, and v2.3.0a, it is possible to back up the appliance from the web interface or the command line interface ("SSH"). The resulting backups are world-readable. A local attacker can recover backup files, restore them to a new malicious appliance, and retrieve the passwords of all the switches.

CVE-2024-29953 | CVSS 4.3 | Vendor: Brocade | Exploit: - | Patch: Patched
A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. This could allow an authenticated user to view other users' session encoded passwords.

CVE-2024-29120 | CVSS 5.9 | Vendor: Apache | Exploit: - | Patch: -
In Streampark (version < 2.1.4), when a user logged in successfully, the backend service would return "Authorization" as the front-end authentication credential. A user can use this credential to request other users' information, including the administrator's username, password, salt value, etc. Mitigation: all users should upgrade to 2.1.4.

CVE-2024-28808 | CVSS 2.7 | Vendor: - | Exploit: - | Patch: -
An issue was discovered in Infinera hiT 7300 5.60.50. Hidden functionality in the web interface allows a remote authenticated attacker to access reserved information by accessing undocumented web applications.

CVE-2024-28132 | CVSS 4.4 | Vendor: - | Exploit: - | Patch: -
Exposure of Sensitive Information vulnerability exists in the GSLB container, which may allow an authenticated attacker with local access to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2024-28069 | CVSS Low | Vendor: Mitel | Exploit: - | Patch: -
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component.

CVE-2024-27789 | CVSS 5.3 | Vendor: Apple | Exploit: - | Patch: Patched
A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Ventura 13.6.7, macOS Sonoma 14.4. An app may be able to access user-sensitive data.

CVE-2024-26559 | CVSS 5.3 | Vendor: - | Exploit: - | Patch: -
An issue in uverif v.2.0 allows a remote attacker to obtain sensitive information.

CVE-2024-25728 | CVSS 7.5 | Vendor: Expressvpn | Exploit: - | Patch: Patched
ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.

CVE-2024-25655 | CVSS 6.5 | Vendor: - | Exploit: - | Patch: -
Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who successfully authenticate to web management via LDAP.

CVE-2024-25360 | CVSS 5.3 | Vendor: Motorola | Exploit: - | Patch: -
A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks information regarding the SystemWizardStatus component via sending a crafted request to device_web_ip.

CVE-2024-23561 | CVSS 4.3 | Vendor: - | Exploit: - | Patch: -
HCL DevOps Deploy / HCL Launch is vulnerable to sensitive information disclosure due to insufficient obfuscation of sensitive values.

CVE-2024-23445 | CVSS 6.5 | Vendor: Elastic | Exploit: - | Patch: Patched
It was identified that if a cross-cluster API key (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body) restricts search for a given index using the `query` or the `field_security` parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned.

CVE-2024-23241 | CVSS 6.5 | Vendor: Apple | Exploit: - | Patch: Patched
This issue was addressed through improved state management. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. An app may be able to leak sensitive user information.

CVE-2024-23229 | CVSS 5.5 | Vendor: Apple | Exploit: - | Patch: Patched
This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Ventura 13.6.5, macOS Sonoma 14.4. A malicious application may be able to access Find My data.

CVE-2024-22808 | CVSS 7.5 | Vendor: - | Exploit: - | Patch: -
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) by disrupting the communication between the PathPilot controller and the CNC router via overwriting the card's name in the device memory.

CVE-2024-22773 | CVSS 8.1 | Vendor: Intelbras | Exploit: Exploit | Patch: -
Intelbras Action RF 1200 routers 1.2.2 and earlier and Action RG 1200 routers 2.1.7 and earlier expose the Password in Cookie, resulting in Login Bypass.

CVE-2024-22371 | CVSS 2.9 | Vendor: Apache | Exploit: - | Patch: Patched
Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0. Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.

CVE-2024-22193 | CVSS 4.3 | Vendor: Vantage6 | Exploit: - | Patch: Patched
The vantage6 technology makes it possible to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.

CVE-2024-21826 | CVSS 4.3 | Vendor: Openharmony | Exploit: - | Patch: -
OpenHarmony v3.2.4 and prior versions allow a local attacker to cause a sensitive information leak through insecure storage.

CVE-2024-21258 | CVSS 5.3 | Vendor: Oracle | Exploit: - | Patch: Patched
Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE-2024-21211 | CVSS 3.7 | Vendor: Oracle | Exploit: - | Patch: Patched
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2024-20462 | CVSS 5.5 | Vendor: Cisco | Exploit: - | Patch: Patched
A vulnerability in the web-based management interface of Cisco ATA 190 Series Multiplatform Analog Telephone Adapter firmware could allow an authenticated, local attacker with low privileges to view passwords on an affected device. This vulnerability is due to incorrect sanitization of HTML content from an affected device. A successful exploit could allow the attacker to view passwords that belong to other users.

CVE-2024-20050 | CVSS 4.4 | Vendor: Mediatek | Exploit: - | Patch: -
In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541757; Issue ID: ALPS08541757.

CVE-2024-1936 | CVSS 7.5 | Vendor: Mozilla | Exploit: - | Patch: Patched
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.

CVE-2024-10943 | CVSS 9.1 | Vendor: Apache | Exploit: - | Patch: -
An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVE-2024-10041 | CVSS 4.7 | Vendor: Linux-pam | Exploit: - | Patch: -
A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute a ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow, while performing authentications.

CVE-2024-10028 | CVSS 7.5 | Vendor: Everestthemes, et al | Exploit: - | Patch: Patched
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.13 via the exposed process stats file during the backup process. This makes it possible for unauthenticated attackers to obtain an archive file name and download the site's backup.

CVE-2023-6460 | CVSS 4 | Vendor: Google | Exploit: - | Patch: Patched
A potential logging of the Firestore key via logging within nodejs-firestore exists. Developers who were logging objects through this._settings would be logging the Firestore key as well, potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue.

CVE-2023-6253 | CVSS 6 | Vendor: Fortra | Exploit: Exploit | Patch: -
A saved encryption key in the Uninstaller in Digital Guardian's Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file.

CVE-2023-5879 | CVSS 6.8 | Vendor: Geniecompany | Exploit: - | Patch: Patched
Users' product account authentication data was stored in clear text in The Genie Company Aladdin Connect Mobile Application Version 5.65 Build 2075 (and below) on Android Devices. This allows the attacker, with access to the Android device, to potentially retrieve users' clear text authentication credentials.

CVE-2023-50298 | CVSS 7.5 | Vendor: Apache | Exploit: - | Patch: Patched
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When the original SolrCloud is set up to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could set up a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost". Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. From these versions on, only zkHost values that have the same server address (regardless of chroot) will use the given ZooKeeper credentials and ACLs when connecting.

CVE-2023-49515 | CVSS 4.6 | Vendor: Tp-link | Exploit: Exploit | Patch: -
Insecure Permissions vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 (fixed in v.1.3.11) allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.

CVE-2023-45184 | CVSS 6.2 | Vendor: Ibm | Exploit: Exploit | Patch: Patched
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.

CVE-2023-45182 | CVSS 7.4 | Vendor: Ibm | Exploit: Exploit | Patch: Patched
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems. IBM X-Force ID: 268265.

CVE-2023-42913: This issue was addressed through improved state management. Remote Login sessions may be able to obtain full disk access permissions.
CVSS 8.8 | Vendor: Apple | Exploit: - | Patch: Patched

CVE-2023-42840: The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
CVSS 4.3 | Vendor: Apple | Exploit: - | Patch: Patched

CVE-2023-42823: The issue was resolved by sanitizing logging. This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, macOS Monterey 12.7.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
CVSS 2.7 | Vendor: Apple | Exploit: - | Patch: Patched

CVE-2023-41965: ** UNSUPPORTED WHEN ASSIGNED ** Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.
CVSS 7.5 | Vendor: Socomec | Exploit: - | Patch: -

CVE-2023-41723: A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.
CVSS 4.3 | Vendor: Veeam | Exploit: - | Patch: Patched

CVE-2023-40728: A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application stores sensitive application data in external insecure storage. This could allow an attacker to alter content, leading to arbitrary code execution or a denial-of-service condition.
CVSS 7.3 | Vendor: - | Exploit: - | Patch: -

CVE-2023-37563: ELECOM wireless LAN routers are vulnerable to sensitive information exposure, which allows a network-adjacent unauthorized attacker to obtain sensitive information. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, WRC-1167FEBK-A v1.18 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1467GHBK-S all versions, WRC-1900GHBK-A all versions, and WRC-1900GHBK-S all versions.
CVSS 6.5 | Vendor: Elecom | Exploit: - | Patch: Patched

CVE-2023-37521: HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower can sometimes include sensitive information in a query string, which could allow an attacker to execute a malicious attack.
CVSS 5.3 | Vendor: Hcltechsw | Exploit: - | Patch: Patched

CVE-2023-37439: Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database, potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.
CVSS 6.1 | Vendor: Arubanetworks | Exploit: - | Patch: Patched

CVE-2023-34056: vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.
CVSS 4.3 | Vendor: Vmware | Exploit: - | Patch: Patched

CVE-2023-32191: When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.
CVSS 9.9 | Vendor: Suse | Exploit: - | Patch: Patched

CVE-2023-32184: An Insecure Storage of Sensitive Information vulnerability in openSUSE opensuse-welcome allows local attackers to execute code as the user that runs opensuse-welcome if a custom layout is chosen. This issue affects opensuse-welcome: from 0.1 before 0.1.9+git.35.4b9444a.
CVSS 7.8 | Vendor: Opensuse | Exploit: yes | Patch: Patched

CVE-2023-31150: A Storing Passwords in a Recoverable Format vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) database system could allow an authenticated attacker to retrieve passwords. See SEL Service Bulletin dated 2022-11-15 for more details.
CVSS 6.5 | Vendor: - | Exploit: - | Patch: Patched

CVE-2023-3064: An anonymous user may get the list of existing users managed by the application, which could ease further attacks (see CVE-2023-3065 and CVE-2023-3066). This issue affects Mobatime mobile application AMXGT100 through 1.3.20.
CVSS 5.3 | Vendor: Mobatime | Exploit: yes | Patch: -