Vulnerabilities (CVE)

Filtered by CWE-200
Total 7419 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21469 1 Sap 1 Netweaver Master Data Management 2024-02-28 5.0 MEDIUM 7.5 HIGH
When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack and obtain highly sensitive data, which leads to Information Disclosure.
CVE-2020-9849 1 Apple 6 Icloud, Ipados, Itunes and 3 more 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
An information disclosure issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.0, iOS 14.0 and iPadOS 14.0, iTunes for Windows 12.10.9, iCloud for Windows 11.5, tvOS 14.0. A remote attacker may be able to leak memory.
CVE-2020-27134 1 Cisco 2 Jabber, Jabber For Mobile Platforms 2024-02-28 9.0 HIGH 9.9 CRITICAL
Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2020-4913 1 Ibm 1 Cloud Pak System 2024-02-28 2.1 LOW 4.4 MEDIUM
IBM Cloud Pak System 2.3 could reveal credential information in the HTTP response to a local privileged user. IBM X-Force ID: 191288.
CVE-2021-20656 1 Contec 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
Exposure of information through directory listing in SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an authenticated attacker to obtain the information inside the system, such as directories and/or file configurations via unspecified vectors.
CVE-2021-21512 1 Dell 1 Emc Powerprotect Cyber Recovery 2024-02-28 3.6 LOW 6.0 MEDIUM
Dell EMC PowerProtect Cyber Recovery, version 19.7.0.1, contains an Information Disclosure vulnerability. A locally authenticated high privileged Cyber Recovery user may potentially exploit this vulnerability leading to the takeover of the notification email account.
CVE-2021-21360 1 Zope 1 Products.genericsetup 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `"Products.GenericSetup>=2.1.1"`.
CVE-2020-4079 1 Combodo 1 Itop 2024-02-28 4.0 MEDIUM 7.7 HIGH
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2020-6570 4 Debian, Fedoraproject, Google and 1 more 5 Debian Linux, Fedora, Chrome and 2 more 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
Information leakage in WebRTC in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to obtain potentially sensitive information via a crafted WebRTC interaction.
CVE-2021-25332 1 Samsung 1 Pay Mini 2024-02-28 1.9 LOW 2.4 LOW
Improper access control in Samsung Pay mini application prior to v4.0.14 allows unauthorized access to contacts information over the lockscreen in specific condition.
CVE-2021-21301 1 Wire 1 Wire 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75.
CVE-2021-20256 1 Redhat 1 Satellite 2024-02-28 4.6 MEDIUM 5.3 MEDIUM
A flaw was found in Red Hat Satellite. The BMC interface exposes the password through the API to an authenticated local attacker with view_hosts permission. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-15931 1 Netwrix 1 Account Lockout Examiner 2024-02-28 5.0 MEDIUM 7.5 HIGH
Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a Domain Controller.
CVE-2020-4649 1 Ibm 1 Planning Analytics Local 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
IBM Planning Analytics Local 2.0.9.2 and IBM Planning Analytics Workspace 57 could expose data to non-privleged users by not invalidating TM1Web user sessions. IBM X-Force ID: 186022.
CVE-2020-4815 1 Ibm 1 Cloud Pak For Security 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
IBM Cloud Pak for Security (CP4S) 1.4.0.0 could allow a remote user to obtain sensitive information from HTTP response headers that could be used in further attacks against the system.
CVE-2021-25122 3 Apache, Debian, Oracle 12 Tomcat, Debian Linux, Agile Plm and 9 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
CVE-2020-27403 1 Tcl 14 32s330, 32s330 Firmware, 40s330 and 11 more 2024-02-28 3.3 LOW 6.5 MEDIUM
A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories. An unprivileged remote attacker on the adjacent network, can download most system files, leading to serious critical information disclosure. Also, some TV models and/or FW versions may expose the webserver with the entire filesystem accessible on another port. For example, nmap scan for all ports run directly from the TV model U43P6046 (Android 8.0) showed port 7983 not mentioned in the original CVE description, but containing the same directory listing of the entire filesystem. This webserver is bound (at least) to localhost interface and accessible freely to all unprivileged installed apps on the Android such as a regular web browser. Any app can therefore read any files of any other apps including Android system settings including sensitive data such as saved passwords, private keys etc.
CVE-2020-28199 1 Bestit 1 Amazon Pay 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
best it Amazon Pay Plugin before 9.4.2 for Shopware exposes Sensitive Information to an Unauthorized Actor.
CVE-2020-12496 1 Endress 8 Orsg35, Orsg35 Firmware, Orsg45 and 5 more 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user.
CVE-2020-35934 1 Vasyltech 1 Advanced Access Manager 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not supposed to have (e.g., custom metadata added by a different plugin).