Vulnerabilities (CVE)

Filtered by CWE-598
Total 10 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21594 1 Dell 1 Emc Powerscale Onefs 2024-11-21 5.0 MEDIUM 8.2 HIGH
Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability. It can lead to potential disclosure of sensitive data. Dell recommends upgrading at your earliest opportunity.
CVE-2024-41738 1 Ibm 1 Txseries For Multiplatforms 2024-11-14 N/A 5.9 MEDIUM
IBM TXSeries for Multiplatforms 10.1 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques.
CVE-2024-38863 2024-10-15 N/A N/A
Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35 and <2.1.0p48 could lead to a leak of the token to facilitate targeted phishing attacks.
CVE-2023-6287 1 Tribe29 1 Checkmk Appliance Firmware 2024-08-26 N/A 5.5 MEDIUM
Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.
CVE-2023-50954 1 Ibm 1 Infosphere Information Server 2024-08-21 N/A 5.3 MEDIUM
IBM InfoSphere Information Server 11.7 returns sensitive information in URL information that could be used in further attacks against the system. IBM X-Force ID: 275776.
CVE-2024-32931 1 Johnsoncontrols 1 Exacqvision Web Service 2024-08-09 N/A 5.7 MEDIUM
Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.
CVE-2024-31206 2024-04-05 N/A 8.2 HIGH
dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.
CVE-2024-2745 2024-04-02 N/A 3.3 LOW
Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded.  This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc.     The vulnerability is remediated in version 6.6.244. 
CVE-2024-28238 2024-03-13 N/A 2.3 LOW
Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-32335 2024-03-13 N/A 3.7 LOW
IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075.