Total
222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-20060 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may discover password-reset hashes, file-delete links, or other sensitive information. | |||||
CVE-2019-19561 | 1 Harman | 1 Hermes | 2024-11-21 | 2.1 LOW | 2.4 LOW |
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information. | |||||
CVE-2019-19557 | 1 Harman | 1 Hermes | 2024-11-21 | 2.1 LOW | 2.4 LOW |
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information. | |||||
CVE-2019-14957 | 1 Jetbrains | 1 Vim | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository. | |||||
CVE-2019-13719 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||||
CVE-2019-13717 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||||
CVE-2019-12914 | 1 Rdbrck | 1 Shift | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application. | |||||
CVE-2019-12911 | 1 Rdbrck | 1 Shift | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application. | |||||
CVE-2019-12825 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo. | |||||
CVE-2018-25031 | 1 Smartbear | 1 Swagger Ui | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others. | |||||
CVE-2018-20886 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-418). | |||||
CVE-2018-13313 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript contains the current user’s password in plaintext. | |||||
CVE-2017-7253 | 1 Dahuasecurity | 2 Ip Camera, Ip Camera Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Use the default low-privilege credentials to list all users via a request to a certain URI. 2. Login to the IP camera with admin credentials so as to obtain full control of the target IP camera. During exploitation, the first JSON object encountered has a "Component error: login challenge!" message. The second JSON object encountered has a result indicating a successful admin login. | |||||
CVE-2017-6911 | 1 Usb Pratirodh Project | 1 Usb Pratirodh | 2024-11-21 | 2.1 LOW | 6.6 MEDIUM |
USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as username and password in simple usb.xml. An attacker with physical access to the system can modify the file according his own requirements that may aid in further attack. | |||||
CVE-2017-5250 | 1 Insteon | 1 Insteon For Hub | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner. | |||||
CVE-2017-5249 | 1 Wink | 1 Wink | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner. | |||||
CVE-2017-16560 | 1 Sandisk | 1 Secureaccess | 2024-11-21 | 2.1 LOW | 4.3 MEDIUM |
SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user exits the application or if the application crashes. | |||||
CVE-2017-13909 | 1 Apple | 1 Mac Os X | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
An issue existed in the storage of sensitive tokens. This issue was addressed by placing the tokens in Keychain. This issue is fixed in macOS High Sierra 10.13. A local attacker may gain access to iCloud authentication tokens. | |||||
CVE-2017-0493 | 1 Google | 1 Android | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
An information disclosure vulnerability in File-Based Encryption could enable a local malicious attacker to bypass operating system protections for the lock screen. This issue is rated as Moderate due to the possibility of bypassing the lock screen. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-32793550. | |||||
CVE-2024-3501 | 1 Lunary | 1 Lunary | 2024-11-18 | N/A | 8.1 HIGH |
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated. |