Filtered by CWE-200
Filtered by vendor Subscriptions
Total 8850 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-2408 1 Mattermost 1 Mattermost 2024-12-07 4.3 Medium
The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.
CVE-2023-27265 1 Mattermost 1 Mattermost Server 2024-12-07 2.7 Low
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
CVE-2023-27266 1 Mattermost 1 Mattermost Server 2024-12-07 2.7 Low
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
CVE-2023-1562 1 Mattermost 1 Mattermost 2024-12-07 3.5 Low
Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.
CVE-2023-1775 1 Mattermost 1 Mattermost Server 2024-12-07 4.3 Medium
When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.
CVE-2023-1777 1 Mattermost 1 Mattermost Server 2024-12-07 6.5 Medium
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
CVE-2023-1831 1 Mattermost 1 Mattermost Server 2024-12-07 7.2 High
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).
CVE-2023-2281 1 Mattermost 1 Mattermost Server 2024-12-07 3.1 Low
When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team.
CVE-2023-2514 1 Mattermost 1 Mattermost 2024-12-07 6.7 Medium
Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. 
CVE-2023-2792 1 Mattermost 1 Mattermost 2024-12-07 6.5 Medium
Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command.
CVE-2024-11159 2 Mozilla, Redhat 6 Thunderbird, Enterprise Linux, Rhel Aus and 3 more 2024-12-06 5.3 Medium
Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird < 128.4.3 and Thunderbird < 132.0.1.
CVE-2024-11292 1 Wordpress 1 Wp Private Content Plus Plugin 2024-12-06 5.3 Medium
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
CVE-2023-2991 1 Globalscape 1 Eft Server 2024-12-06 5.3 Medium
Fortra Globalscape EFT's administration server suffers from an information disclosure vulnerability where the serial number of the harddrive that Globalscape is installed on can be remotely determined via a "trial extension request" message
CVE-2023-25500 1 Vaadin 1 Vaadin 2024-12-05 3.5 Low
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
CVE-2023-25499 1 Vaadin 1 Vaadin 2024-12-05 5.7 Medium
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.
CVE-2023-32360 2 Apple, Redhat 6 Macos, Enterprise Linux, Rhel Aus and 3 more 2024-12-05 5.5 Medium
An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents.
CVE-2024-54134 2024-12-05 N/A
A publish-access account was compromised for `@solana/web3.js`, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly. This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions. This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys and that updated within the window of 3:20pm UTC and 8:25pm UTC on Tuesday, December 3, 2024. These two unauthorized versions (1.95.6 and 1.95.7) were caught within hours and have since been unpublished. All Solana app developers should upgrade to version 1.95.8. Developers that suspect they might be compromised should rotate any suspect authority keys, including multisigs, program authorities, server keypairs, and so on.
CVE-2023-33201 2 Bouncycastle, Redhat 10 Bc-java, Amq Broker, Amq Streams and 7 more 2024-12-04 5.3 Medium
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
CVE-2023-40735 1 Butterfly-button 1 Butterfly Button 2024-12-04 7.5 High
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cavo – Connecting for a Safer World BUTTERFLY BUTTON (Architecture flaw) allows loss of plausible deniability and confidentiality.This issue affects BUTTERFLY BUTTON: As of 2023-08-21.
CVE-2024-7391 1 Chargepoint 2 Home Flex, Home Flex Firmware 2024-12-04 5.7 Medium
ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability. The specific flaw exists within the Wi-Fi setup logic. By connecting to the device over Bluetooth Low Energy during the setup process, an attacker can obtain Wi-Fi credentials. An attacker can leverage this vulnerability to disclose credentials and gain access to the device owner's Wi-Fi network. Was ZDI-CAN-21454.