Vulnerabilities (CVE)

Filtered by CWE-200
Total 7617 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-32925 1 Chamilo 1 Chamilo 2022-05-16 5.5 MEDIUM 6.5 MEDIUM
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
CVE-2022-25990 1 F5 1 F5os-a 2022-05-16 5.0 MEDIUM 5.3 MEDIUM
On 1.0.x versions prior to 1.0.1, systems running F5OS-A software may expose certain registry ports externally. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2017-4966 3 Debian, Pivotal Software, Vmware 3 Debian Linux, Rabbitmq, Rabbitmq 2022-05-15 2.1 LOW 7.8 HIGH
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. RabbitMQ management UI stores signed-in user credentials in a browser's local storage without expiration, making it possible to retrieve them using a chained attack.
CVE-2022-21673 2 Fedoraproject, Grafana 2 Fedora, Grafana 2022-05-14 3.5 LOW 4.3 MEDIUM
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.
CVE-2021-39020 1 Ibm 1 Guardium Data Encryption 2022-05-13 5.0 MEDIUM 5.3 MEDIUM
IBM Guardium Data Encryption (GDE) and lower stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 213855.
CVE-2016-5597 1 Oracle 2 Jdk, Jre 2022-05-13 4.3 MEDIUM 5.9 MEDIUM
Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality via vectors related to Networking.
CVE-2017-10356 1 Oracle 2 Jdk, Jre 2022-05-13 2.1 LOW 6.2 MEDIUM
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2021-39888 1 Gitlab 1 Gitlab 2022-05-13 4.0 MEDIUM 4.3 MEDIUM
In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates.
CVE-2022-27875 1 F5 1 Access For Android 2022-05-12 4.3 MEDIUM 5.5 MEDIUM
On F5 Access for Android 3.x versions prior to 3.0.8, a Task Hijacking vulnerability exists in the F5 Access for Android application, which may allow an attacker to steal sensitive user information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2020-17527 4 Apache, Debian, Netapp and 1 more 12 Tomcat, Debian Linux, Element Plug-in and 9 more 2022-05-12 5.0 MEDIUM 7.5 HIGH
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
CVE-2021-28169 4 Debian, Eclipse, Netapp and 1 more 8 Debian Linux, Jetty, Active Iq Unified Manager and 5 more 2022-05-12 5.0 MEDIUM 5.3 MEDIUM
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-34589 1 Bender 4 Cc612, Cc612 Firmware, Cc613 and 1 more 2022-05-12 5.0 MEDIUM 7.5 HIGH
In Bender/ebee Charge Controllers in multiple versions are prone to an RFID leak. The RFID of the last charge event can be read without authentication via the web interface.
CVE-2022-0882 1 Google 1 Fuchsia 2022-05-11 2.1 LOW 5.5 MEDIUM
A bug exists where an attacker can read the kernel log through exposed Zircon kernel addresses without the required capability ZX_RSRC_KIND_ROOT. It is recommended to upgrade the Fuchsia kernel to 4.1.1 or greater.
CVE-2022-20734 1 Cisco 1 Sd-wan Vmanage 2022-05-11 4.9 MEDIUM 4.4 MEDIUM
A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, local attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.
CVE-2022-25787 1 Secomea 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more 2022-05-11 4.6 MEDIUM 6.7 MEDIUM
Information Exposure Through Query Strings in GET Request vulnerability in LMM API of Secomea GateManager allows system administrator to hijack connection. This issue affects: Secomea GateManager all versions prior to 9.7.
CVE-2022-28774 2022-05-11 N/A N/A
Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted.
CVE-2021-22134 2 Elastic, Oracle 2 Elasticsearch, Communications Cloud Native Core Automated Test Suite 2022-05-10 4.0 MEDIUM 4.3 MEDIUM
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
CVE-2022-22277 1 Sonicwall 98 Nsa 2650, Nsa 2650 Firmware, Nsa 2700 and 95 more 2022-05-06 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in SonicOS SNMP service resulting exposure of Wireless Access Point sensitive information in cleartext.
CVE-2022-22276 1 Sonicwall 98 Nsa 2650, Nsa 2650 Firmware, Nsa 2700 and 95 more 2022-05-06 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in SonicOS SNMP service resulting exposure of sensitive information to an unauthorized user.
CVE-2022-24866 1 Discourse 1 Assign 2022-05-06 4.0 MEDIUM 4.3 MEDIUM
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.