Total
762 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-25604 | 1 Fortinet | 1 Fortiguest | 2024-02-28 | N/A | 5.5 MEDIUM |
An insertion of sensitive information into log file vulnerability in Fortinet FortiGuest 1.0.0 allows a local attacker to access plaintext passwords in the RADIUS logs. | |||||
CVE-2020-24804 | 1 Cms-dev | 1 Cms | 2024-02-28 | N/A | 6.5 MEDIUM |
Plaintext Password vulnerability in AddAdmin.py in cms-dev/cms v1.4.rc1, allows attackers to gain sensitive information via audit logs. | |||||
CVE-2023-45809 | 1 Torchbox | 1 Wagtail | 2024-02-28 | N/A | 2.7 LOW |
Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-39447 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Guided Configuration | 2024-02-28 | N/A | 4.4 MEDIUM |
When BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2023-4380 | 1 Redhat | 4 Ansible Automation Platform, Ansible Developer, Ansible Inside and 1 more | 2024-02-28 | N/A | 6.3 MEDIUM |
A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability. | |||||
CVE-2023-36494 | 1 F5 | 1 F5os-a | 2024-02-28 | N/A | 4.4 MEDIUM |
Audit logs on F5OS-A may contain undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
CVE-2021-32050 | 1 Mongodb | 5 C\+\+, C Driver, Node.js and 2 more | 2024-02-28 | N/A | 7.5 HIGH |
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0). | |||||
CVE-2023-45241 | 4 Acronis, Apple, Linux and 1 more | 4 Agent, Macos, Linux Kernel and 1 more | 2024-02-28 | N/A | 5.5 MEDIUM |
Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35739, Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 37391. | |||||
CVE-2023-32468 | 1 Dell | 1 Ecs Streamer | 2024-02-28 | N/A | 4.9 MEDIUM |
Dell ECS Streamer, versions prior to 2.0.7.1, contain an insertion of sensitive information in log files vulnerability. A remote malicious high-privileged user could potentially exploit this vulnerability leading to exposure of this sensitive data. | |||||
CVE-2023-31417 | 1 Elastic | 1 Elasticsearch | 2024-02-28 | N/A | 4.4 MEDIUM |
Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured. | |||||
CVE-2023-3363 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 3.8 LOW |
An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to `default`. | |||||
CVE-2023-26023 | 1 Ibm | 1 Cloud Pak For Data | 2024-02-28 | N/A | 7.5 HIGH |
Planning Analytics Cartridge for Cloud Pak for Data 4.0 exposes sensitive information in logs which could lead an attacker to exploit this vulnerability to conduct further attacks. IBM X-Force ID: 247896. | |||||
CVE-2023-32491 | 1 Dell | 1 Powerscale Onefs | 2024-02-28 | N/A | 6.5 MEDIUM |
Dell PowerScale OneFS 9.5.0.x, contains an insertion of sensitive information into log file vulnerability in SNMPv3. A low privileges user could potentially exploit this vulnerability, leading to information disclosure. | |||||
CVE-2023-46667 | 1 Elastic | 1 Fleet Server | 2024-02-28 | N/A | 8.1 HIGH |
An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Server’s log file in plain text. These enrolment tokens could allow someone to enrol an agent into an agent policy, and potentially use that to retrieve other secrets in the policy including for Elasticsearch and third-party services. Alternatively a threat actor could potentially enrol agents to the clusters and send arbitrary events to Elasticsearch. | |||||
CVE-2023-40442 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-02-28 | N/A | 3.3 LOW |
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Monterey 12.6.8. An app may be able to read sensitive location information. | |||||
CVE-2023-32447 | 1 Dell | 10 Latitude 3420, Latitude 3440, Latitude 5440 and 7 more | 2024-02-28 | N/A | 5.5 MEDIUM |
Dell Wyse ThinOS versions prior to 2306 (9.4.2103) contain a sensitive information disclosure vulnerability. A malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files. | |||||
CVE-2023-5339 | 1 Mattermost | 1 Mattermost Desktop | 2024-02-28 | N/A | 5.5 MEDIUM |
Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. | |||||
CVE-2023-20891 | 1 Vmware | 2 Isolation Segment, Tanzu Application Service For Virtual Machines | 2024-02-28 | N/A | 6.5 MEDIUM |
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs. | |||||
CVE-2023-40392 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-02-28 | N/A | 3.3 LOW |
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.5. An app may be able to read sensitive location information. | |||||
CVE-2023-46668 | 1 Elastic | 1 Endpoint | 2024-02-28 | N/A | 9.1 CRITICAL |
If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext. These API keys could be used to write arbitrary data and read Elastic Endpoint user artifacts. |