Filtered by CWE-209
Filtered by vendor Subscriptions
Total 393 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-21619 1 Juniper 105 Ex2200, Ex2200-c, Ex2200-vc and 102 more 2024-11-21 5.3 Medium
A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information. When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder. An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device trying to guess the name of such a file. Successful exploitation will reveal configuration information. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S7; * 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3; * 23.2 versions earlier than 23.2R1-S2, 23.2R2.
CVE-2024-21313 1 Microsoft 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more 2024-11-21 5.3 Medium
Windows TCP/IP Information Disclosure Vulnerability
CVE-2023-6944 2 Linuxfoundation, Redhat 3 Backstage, Red Hat Developer Hub, Rhdh 2024-11-21 5.7 Medium
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.
CVE-2023-6839 1 Wso2 1 Api Manager 2024-11-21 5.3 Medium
Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.
CVE-2023-5514 1 Hitachienergy 1 Esoms 2024-11-21 5.3 Medium
The response messages received from the eSOMS report generation using certain parameter queries with full file path can be abused for enumerating the local file system structure.
CVE-2023-50953 1 Ibm 1 Infosphere Information Server 2024-11-21 5.4 Medium
IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system. IBM X-Force ID: 275775.
CVE-2023-4457 1 Grafana 1 Google Sheets 2024-11-21 5.5 Medium
Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerability was fixed in version 1.2.2.
CVE-2023-49878 1 Ibm 6 Virtualization Engine Ts7760 3957-vec, Virtualization Engine Ts7760 3957-vec Firmware, Virtualization Engine Ts7770 3948-ved and 3 more 2024-11-21 4.3 Medium
IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED and 3957-VEC could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 272652.
CVE-2023-49107 3 Hitachi, Linux, Microsoft 3 Device Manager, Linux Kernel, Windows 2024-11-21 5.3 Medium
Generation of Error Message Containing Sensitive Information vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent modules).This issue affects Hitachi Device Manager: before 8.8.5-04.
CVE-2023-49080 1 Jupyter 1 Jupyter Server 2024-11-21 3.5 Low
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. A fix has been introduced in commit `0056c3aa52` which no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. This commit has been included in version 2.11.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48393 1 Kaifa 1 Webitr Attendance System 2024-11-21 4.3 Medium
Kaifa Technology WebITR is an online attendance system. A remote attacker with regular user privilege can obtain partial sensitive system information from error message.
CVE-2023-47703 3 Ibm, Linux, Microsoft 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more 2024-11-21 5.3 Medium
IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 271197.
CVE-2023-47636 1 Pimcore 1 Admin Classic Bundle 2024-11-21 5.3 Medium
The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)". This issue has been patched in commit `10d178ef771` which has been included in release version 1.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-47152 3 Ibm, Linux, Microsoft 5 Aix, Db2, Linux On Ibm Z and 2 more 2024-11-21 5.9 Medium
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an insecure cryptographic algorithm and to information disclosure in stack trace under exceptional conditions.
CVE-2023-46240 1 Codeigniter 1 Codeigniter 2024-11-21 7.5 High
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
CVE-2023-45701 1 Hcltechsw 1 Hcl Launch 2024-11-21 4.3 Medium
HCL Launch could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVE-2023-42475 1 Sap 1 S\/4hana 2024-11-21 4.3 Medium
The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality.
CVE-2023-42013 1 Ibm 1 Urbancode Deploy 2024-11-21 5.3 Medium
IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 265510.
CVE-2023-41027 1 Juplink 2 Rx4-1500, Rx4-1500 Firmware 2024-11-21 8 High
Credential disclosure in the '/webs/userpasswd.htm' endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.4 and V1.0.5 allows an authenticated attacker to leak the password for the administrative account via requests to the vulnerable endpoint.
CVE-2023-40767 1 Phpjabbers 1 Make An Offer Widget 2024-11-21 9.8 Critical
User enumeration is found in in PHPJabbers Make an Offer Widget v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.