Filtered by CWE-200
Filtered by vendor Subscriptions
Total 8850 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-45447 1 Huawei 2 Emui, Harmonyos 2024-09-06 4.4 Medium
Access control vulnerability in the camera framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-41108 1 Fogproject 1 Fogproject 2024-09-05 7.5 High
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has missing/improper access control since only the host's mac address is required to obtain the configuration information. This data can only be retrieved if a task is pending on that host. Otherwise, an error message containing "Invalid tasking!" will be returned. The domainpassword in the hostinfo dump is hidden even to authenticated users, as it is displayed as a row of asterisks when navigating to the host's Active Directory settings. This vulnerability is fixed in 1.5.10.41.
CVE-2024-8106 1 Wpextended 1 Wp Extended 2024-09-05 6.5 Medium
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.8 via the download_user_ajax function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including usernames, hashed passwords, and emails.
CVE-2024-42435 1 Zoom 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more 2024-09-05 4.9 Medium
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.
CVE-2024-42434 1 Zoom 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more 2024-09-05 4.9 Medium
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.
CVE-2024-39824 1 Zoom 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more 2024-09-05 4.9 Medium
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.
CVE-2024-39823 1 Zoom 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more 2024-09-05 4.9 Medium
Sensitive information disclosure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.
CVE-2024-39822 1 Zoom 5 Meeting Software Development Kit, Rooms, Rooms Controller and 2 more 2024-09-05 6.5 Medium
Sensitive information exposure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow an authenticated user to conduct an information disclosure via network access.
CVE-2024-44820 1 Zzcms 1 Zzcms 2024-09-04 7.5 High
A sensitive information disclosure vulnerability exists in ZZCMS v.2023 and before within the eginfo.php file located at /3/E_bak5.1/upload/. When accessed with the query parameter phome=ShowPHPInfo, the application executes the phpinfo() function, which exposes detailed information about the PHP environment, including server configuration, loaded modules, and environment variables.
CVE-2024-41698 1 Priority-software 1 Priority 2024-09-03 4.3 Medium
Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-43803 1 Redhat 1 Openshift 2024-09-03 4.9 Medium
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the `Name` and `Namespace` of the Secret, meaning that versions of the baremetal-operator prior to 0.8.0, 0.6.2, and 0.5.2 will read a `Secret` from any namespace. A user with access to create or edit a `BareMetalHost` can thus exfiltrate a `Secret` from another namespace by using it as e.g. the `userData` for provisioning some host (note that this need not be a real host, it could be a VM somewhere). BMO will only read a key with the name `value` (or `userData`, `metaData`, or `networkData`), so that limits the exposure somewhat. `value` is probably a pretty common key though. Secrets used by _other_ `BareMetalHost`s in different namespaces are always vulnerable. It is probably relatively unusual for anyone other than cluster administrators to have RBAC access to create/edit a `BareMetalHost`. This vulnerability is only meaningful, if the cluster has users other than administrators and users' privileges are limited to their respective namespaces. The patch prevents BMO from accepting links to Secrets from other namespaces as BMH input. Any BMH configuration is only read from the same namespace only. The problem is patched in BMO releases v0.7.0, v0.6.2 and v0.5.2 and users should upgrade to those versions. Prior upgrading, duplicate the BMC Secrets to the namespace where the corresponding BMH is. After upgrade, remove the old Secrets. As a workaround, an operator can configure BMO RBAC to be namespace scoped for Secrets, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces.
CVE-2024-41700 1 Barix 2 Sip Client Firmware, Sip Client Web Management Interface Ui 2024-09-03 7.5 High
Barix – CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-7925 1 Zzcms 1 Zzcms 2024-09-03 4.3 Medium
A vulnerability was found in ZZCMS 2023. It has been rated as problematic. This issue affects some unknown processing of the file 3/E_bak5.1/upload/eginfo.php. The manipulation of the argument phome with the input ShowPHPInfo leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-42337 1 Cyberark 1 Identity 2024-08-30 4.3 Medium
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-42338 1 Cyberark 1 Identity 2024-08-30 4.3 Medium
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-42339 1 Cyberark 1 Identity 2024-08-30 4.3 Medium
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-6633 1 Fortra 1 Filecatalyst Workflow 2024-08-30 9.8 Critical
The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB.
CVE-2024-7554 1 Gitlab 1 Gitlab 2024-08-29 4.9 Medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner.
CVE-2024-42493 1 Dorsettcontrols 1 Infoscan 2024-08-29 5.3 Medium
Dorsett Controls InfoScan is vulnerable due to a leak of possible sensitive information through the response headers and the rendered JavaScript prior to user login.
CVE-2024-39287 1 Dorsettcontrols 1 Infoscan 2024-08-29 5.3 Medium
Dorsett Controls Central Server update server has potential information leaks with an unprotected file that contains passwords and API keys.