Vulnerabilities (CVE)

Filtered by CWE-209
Total 285 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-37162 2024-06-07 N/A 4.0 MEDIUM
zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure. This has been patched on `0.3.3`.
CVE-2024-36106 2024-06-07 N/A 4.3 MEDIUM
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
CVE-2024-36375 2024-05-29 N/A 5.3 MEDIUM
In JetBrains TeamCity before 2024.03.2 technical information regarding TeamCity server could be exposed
CVE-2024-21313 1 Microsoft 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more 2024-05-29 N/A 5.3 MEDIUM
Windows TCP/IP Information Disclosure Vulnerability
CVE-2024-35232 2024-05-28 N/A 3.7 LOW is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2.
CVE-2024-2009 2024-05-17 5.0 MEDIUM 5.3 MEDIUM
A vulnerability was found in Nway Pro 9. It has been rated as problematic. Affected by this issue is the function ajax_login_submit_form of the file login\index.php of the component Argument Handler. The manipulation of the argument rsargs[] leads to information exposure through error message. The attack may be launched remotely. VDB-255266 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2020-9351 1 Smartclient 1 Smartclient 2024-05-17 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the absolute path). NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."
CVE-2019-12215 1 Matomo 1 Matomo 2024-05-17 4.0 MEDIUM 4.3 MEDIUM
A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. NOTE: the vendor disputes the significance of this issue, stating "avoid reporting path disclosures, as we don't consider them as security vulnerabilities.
CVE-2015-10012 1 Sumocoders 1 Frameworkuserbundle 2024-05-17 2.7 LOW 7.5 HIGH
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in sumocoders FrameworkUserBundle up to 1.3.x. It has been rated as problematic. Affected by this issue is some unknown functionality of the file Resources/views/Security/login.html.twig. The manipulation leads to information exposure through error message. Upgrading to version 1.4.0 is able to address this issue. The name of the patch is abe4993390ba9bd7821ab12678270556645f94c8. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217268. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2023-23474 2024-05-06 N/A 3.7 LOW
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 245403.
CVE-2023-25948 1 Honeywell 4 Direct Station, Engineering Station, Experion Server and 1 more 2024-04-22 N/A 7.5 HIGH
Server information leak of configuration data when an error is generated in response to a specially crafted message. See Honeywell Security Notification for recommendations on upgrading and versioning.
CVE-2024-28939 2024-04-10 N/A 8.8 HIGH
Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29059 2024-04-04 N/A 7.5 HIGH
.NET Framework Information Disclosure Vulnerability
CVE-2022-32756 1 Ibm 1 Security Verify Directory 2024-04-01 N/A 2.7 LOW
IBM Security Verify Directory 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 228507.
CVE-2024-21733 1 Apache 1 Tomcat 2024-02-16 N/A 5.3 MEDIUM
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
CVE-2024-21866 1 Rapidscada 1 Rapid Scada 2024-02-07 N/A 5.3 MEDIUM
In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product responds back with an error message containing sensitive data if it receives a specific malformed request.
CVE-2023-6944 2 Linuxfoundation, Redhat 2 Backstage, Red Hat Developer Hub 2024-02-04 N/A 5.7 MEDIUM
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.
CVE-2024-22646 1 Seopanel 1 Seo Panel 2024-02-03 N/A 5.3 MEDIUM
An email address enumeration vulnerability exists in the password reset function of SEO Panel version 4.10.0. This allows an attacker to guess which emails exist on the system.
CVE-2024-21619 1 Juniper 105 Ex2200, Ex2200-c, Ex2200-vc and 102 more 2024-01-31 N/A 7.5 HIGH
A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information. When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder. An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device trying to guess the name of such a file. Successful exploitation will reveal configuration information. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S7; * 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3; * 23.2 versions earlier than 23.2R1-S2, 23.2R2.
CVE-2024-23689 1 Clickhouse 1 Java Libraries 2024-01-26 N/A 8.8 HIGH
Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.