Total: 685 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-43432 | 1 Moodle | 1 Moodle | 2024-11-12 | 5.3 Medium | A flaw was found in Moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
CVE-2024-8013 | 1 Mongodb | 2 Mongo Crypt V1.so, Mongocryptd | 2024-10-31 | 2.2 Low | A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields being sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects the mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.
CVE-2024-7531 | 1 Mozilla | 2 Firefox, Firefox Esr | 2024-10-31 | 6.3 Medium | Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
CVE-2024-50624 | 1 Kde | 1 Kmail | 2024-10-31 | 5.9 Medium | ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard.
CVE-2024-35495 | | | 2024-10-30 | 4.3 Medium | An Information Disclosure vulnerability in the Telemetry component in TP-Link Kasa KP125M V1.0.0 and Tapo P125M 1.0.0 Build 220930 Rel.143947 allows attackers to observe device state by observing network traffic.
CVE-2024-40595 | 1 Oneidentity | 1 Safeguard For Privileged Sessions | 2024-10-25 | 5.3 Medium | An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext RDP protocol information.
CVE-2024-40090 | 1 Viloliving | 1 Vilo 5 Mesh Wifi System Firmware | 2024-10-23 | 4.3 Medium | Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Information Disclosure. An information leak in the Boa webserver allows remote, unauthenticated attackers to leak memory addresses of uClibc and the stack by sending a GET request to the index page.
CVE-2024-47124 | 1 Gotenna | 1 Gotenna Pro | 2024-10-17 | 4.3 Medium | The goTenna Pro App does not encrypt callsigns in messages. It is recommended not to use sensitive information in callsigns when using this and previous versions of the app, and to update the app to the current version, which uses AES-256 encryption for callsigns in encrypted operation.
CVE-2024-45838 | 1 Gotenna | 2 Gotenna, Pro Atak Plugin | 2024-10-17 | 4.3 Medium | The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It is advised not to use sensitive information in callsigns when using this and previous versions of the plugin. Update to the current plugin version, which uses AES-256 encryption for callsigns in encrypted operation.
CVE-2024-47833 | 1 Avaiga | 1 Taipy | 2024-10-16 | 6.5 Medium | Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without the Secure and HttpOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-49387 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-10-16 | 7.5 High | Cleartext transmission of sensitive information in the acep-collector service. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.
CVE-2024-38167 | 2 Microsoft, Redhat | 4 .net, Visual Studio, Visual Studio 2022 and 1 more | 2024-10-16 | 6.5 Medium | .NET and Visual Studio Information Disclosure Vulnerability.
CVE-2024-48788 | 1 Yescam | 1 Yescam Firmware | 2024-10-15 | 7.5 High | An issue in YESCAM (com.yescom.YesCam.zwave) 1.0.2 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2024-47789 | 1 D3dsecurity | 1 D8801 | 2024-10-14 | N/A | ** UNSUPPORTED WHEN ASSIGNED ** This vulnerability exists in the D3D Security IP Camera D8801 due to use of a weak authentication scheme in the HTTP header protocol, where the Authorization header contains a Base64-encoded username and password. A remote attacker could exploit this vulnerability by crafting an HTTP packet, leading to exposure of user credentials of the targeted device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-7713 | 1 Ays-pro | 2 Ai Chatbot With Chatgpt, Chatgpt Assistant | 2024-10-04 | 7.5 High | The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the OpenAI API key, allowing unauthenticated users to obtain it.
CVE-2024-43180 | 1 Ibm | 1 Concert | 2024-09-20 | 4.3 Medium | IBM Concert 1.0 does not set the Secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user visits. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVE-2024-41927 | 1 Idec | 182 Ft1a-b12ra, Ft1a-b12ra Firmware, Ft1a-b24ra and 179 more | 2024-09-19 | 4.6 Medium | A cleartext transmission of sensitive information vulnerability exists in multiple IDEC PLCs. If an attacker sends a specific command to the PLC's serial communication port, user credentials may be obtained. As a result, the program of the PLC may be obtained, and the PLC may be manipulated.
CVE-2024-44105 | 1 Ivanti | 2 Automation, Workspace Control | 2024-09-18 | 8.2 High | Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to obtain OS credentials.
CVE-2024-8059 | | | 2024-09-14 | 4.3 Medium | IPMI credentials may be captured in XCC audit log entries when the account username length is 16 characters.
CVE-2024-45101 | 1 Lenovo | 1 Xclarity Administrator | 2024-09-14 | 6.8 Medium | A privilege escalation vulnerability was discovered when Single Sign On (SSO) is enabled that could allow an attacker to intercept a valid, authenticated LXCA user's XCC session if they can convince the user to click on a specially crafted URL.