ReportizFlow
Filtered by vendor
Subscriptions
Total
9410 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50872 | 1 Accredible Credential.net | 1 Accredible Credential.net | 2025-06-03 | 7.5 High |
| The API in Accredible Credential.net December 6th, 2023 allows an Insecure Direct Object Reference attack that discloses partial information about certificates and their respective holder. NOTE: the excellium-services.com web page about this issue mentions "Vendor says that it's not a security issue." | ||||
| CVE-2025-5436 | 2025-06-02 | 5.3 Medium | ||
| A vulnerability was found in Multilaser Sirius RE016 MLT1.0. It has been rated as problematic. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-31231 | 1 Apple | 1 Macos | 2025-06-02 | 5.5 Medium |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to read sensitive location information. | ||||
| CVE-2024-0569 | 1 Totolink | 2 T8, T8 Firmware | 2025-06-02 | 4.3 Medium |
| A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-250785 was assigned to this vulnerability. | ||||
| CVE-2023-45236 | 2 Redhat, Tianocore | 3 Enterprise Linux, Rhel Eus, Edk2 | 2025-06-02 | 5.8 Medium |
| EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. | ||||
| CVE-2023-50431 | 1 Linux | 1 Linux Kernel | 2025-05-31 | 5.5 Medium |
| sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized. | ||||
| CVE-2023-44312 | 1 Apache | 1 Servicecomb | 2025-05-30 | 5.8 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor in Apache ServiceComb Service-Center.This issue affects Apache ServiceComb Service-Center before 2.1.0 (include). Users are recommended to upgrade to version 2.2.0, which fixes the issue. | ||||
| CVE-2025-5334 | 2025-05-30 | 7.5 High | ||
| Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information. Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users. This issue affects the following versions : * Remote Desktop Manager Windows 2025.1.34.0 and earlier | ||||
| CVE-2025-4659 | 2025-05-30 | 5.3 Medium | ||
| The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
| CVE-2025-47288 | 2025-05-30 | 3.5 Low | ||
| Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1. A workaround involves moving any policy topics with private groups to restricted categories. | ||||
| CVE-2024-24720 | 1 Innovaphone | 1 Innovaphone Pbx | 2025-05-30 | 5.3 Medium |
| An issue was discovered in the Forgot password function in Innovaphone PBX before 14r1 devices. It provides information about whether a user exists on a system. | ||||
| CVE-2022-45167 | 1 Archibus | 1 Archibus Web Central | 2025-05-30 | 4.3 Medium |
| An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to access the profile information of all connected users. | ||||
| CVE-2024-0717 | 1 Dlink | 88 Dap-1360, Dap-1360 Firmware, Dir-1210 and 85 more | 2025-05-30 | 5.3 Medium |
| A vulnerability classified as critical was found in D-Link DAP-1360, DIR-300, DIR-615, DIR-615GF, DIR-615S, DIR-615T, DIR-620, DIR-620S, DIR-806A, DIR-815, DIR-815AC, DIR-815S, DIR-816, DIR-820, DIR-822, DIR-825, DIR-825AC, DIR-825ACF, DIR-825ACG1, DIR-841, DIR-842, DIR-842S, DIR-843, DIR-853, DIR-878, DIR-882, DIR-1210, DIR-1260, DIR-2150, DIR-X1530, DIR-X1860, DSL-224, DSL-245GR, DSL-2640U, DSL-2750U, DSL-G2452GR, DVG-5402G, DVG-5402G, DVG-5402GFRU, DVG-N5402G, DVG-N5402G-IL, DWM-312W, DWM-321, DWR-921, DWR-953 and Good Line Router v2 up to 20240112. This vulnerability affects unknown code of the file /devinfo of the component HTTP GET Request Handler. The manipulation of the argument area with the input notice|net|version leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-251542 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-23649 | 1 Join-lemmy | 1 Lemmy | 2025-05-30 | 7.5 High |
| Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports. Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported: Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance. Version 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied. | ||||
| CVE-2025-32703 | 1 Microsoft | 3 Visual Studio 2017, Visual Studio 2019, Visual Studio 2022 | 2025-05-30 | 5.5 Medium |
| Insufficient granularity of access control in Visual Studio allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-30224 | 2025-05-30 | N/A | ||
| MyDumper is a MySQL Logical Backup Tool. The MySQL C client library (libmysqlclient) allows authenticated remote actors to read arbitrary files from client systems via a crafted server response to LOAD LOCAL INFILE query, leading to sensitive information disclosure when clients connect to untrusted MySQL servers without explicitly disabling the local infile capability. Mydumper has the local infile option enabled by default and does not have an option to disable it. This can lead to an unexpected arbitrary file read if the Mydumper tool connects to an untrusted server. This vulnerability is fixed in 0.18.2-8. | ||||
| CVE-2022-34712 | 1 Microsoft | 4 Windows 10, Windows 11, Windows Server 2016 and 1 more | 2025-05-30 | 5.5 Medium |
| Windows Defender Credential Guard Information Disclosure Vulnerability | ||||
| CVE-2022-34710 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2025-05-30 | 5.5 Medium |
| Windows Defender Credential Guard Information Disclosure Vulnerability | ||||
| CVE-2022-34708 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2025-05-30 | 5.5 Medium |
| Windows Kernel Information Disclosure Vulnerability | ||||
| CVE-2024-56193 | 2025-05-29 | 5.1 Medium | ||
| There is a possible disclosure of Bluetooth adapter details due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||