| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. |
| Vulnerability in the Siebel CRM End User product of Oracle Siebel CRM (component: User Interface). Supported versions that are affected are 25.0-25.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM End User. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Siebel CRM End User accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). |
| An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize when determining if the data or name are in the buffer, but these are supplied by the caller and therefore cannot be trusted. |
| Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions. |
| In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking. |
| In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tipd: Remove WARN_ON in tps6598x_block_read
Calling tps6598x_block_read with a higher than allowed len can be
handled by just returning an error. There's no need to crash systems
with panic-on-warn enabled. |
| IBM Analytics Content Hub 2.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. |
| An information disclosure vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17. |
| An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS version 6.2.4 and below, version 6.0.10 and belowmay allow remote authenticated actors to read the SSL VPN events log entries of users in other VDOMs by executing "get vpn ssl monitor" from the CLI. The sensitive data includes usernames, user groups, and IP address. |
| An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiDDoS version 5.4.0, version 5.3.2 and below, version 5.2.0, version 5.1.0, version 5.0.0, version 4.7.0, version 4.6.0, version 4.5.0, version 4.4.2 and below, FortiDDoS-CM version 5.3.0, version 5.2.0, version 5.1.0, version 5.0.0, version 4.7.0, FortiVoice version 6.0.6 and below, FortiRecorder version 6.0.3 and below and FortiMail version 6.4.1 and below, version 6.2.4 and below, version 6.0.9 and below may allow a remote, unauthenticated attacker to obtain potentially sensitive software-version information by reading a JavaScript file. |
| An issue was discovered in the DICOM Part 10 File Format in the NEMA DICOM Standard 1995 through 2019b and continuing in current implementations. The 128-byte preamble of a DICOM file that complies with this specification can contain arbitrary executable headers for multiple operating systems, including Portable Executable (PE) files for Windows and Executable and Linkable Format (ELF) files for Linux-based systems. This space is left unspecified so that dual-purpose files can be created. For example, dual-purpose TIFF/DICOM files are used in digital whole slide imaging applications in medicine. This design flaw enables system-wide compromise as malicious DICOM files are routinely shared between medical devices and hospital systems and transported via removable media for patient care coordination. To exploit this vulnerability, someone must execute the maliciously crafted file. These files can be executable even with the .dcm file extension. Anti-malware configurations at healthcare facilities often ignore medical imagery. DICOM files exist on systems that process protected health information, and successful exploitation could result in violations of regulatory compliance requirements such as HIPAA and FDA postmarket obligations. |
| An input validation vulnerability exists in the Monitor Pro interface of MicroSCADA
Pro and MicroSCADA X SYS600. An authenticated user can launch an administrator level remote code execution irrespective of the authenticated user's role. |
| A vulnerability in the logging subsystem of Cisco Meeting Management could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system.
This vulnerability is due to improper storage of sensitive information within the web-based management interface of an affected device. An attacker could exploit this vulnerability by logging in to the web-based management interface. A successful exploit could allow the attacker to view sensitive data that is stored on the affected device. |
| A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials. |
| A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An attacker could exploit the vulnerability by sending a specific API request to an affected application. A successful exploit could allow the attacker to obtain sensitive information about other users who are configured with higher privileges on the application. |
| Multiple vulnerabilities in the API of Cisco DNA Center Software could allow an authenticated, remote attacker to read information from a restricted container, enumerate user information, or execute arbitrary commands in a restricted container as the root user. For more information about these vulnerabilities, see the Details section of this advisory. |
| A vulnerability in the management API of Cisco DNA Center could allow an authenticated, remote attacker to elevate privileges in the context of the web-based management interface on an affected device. This vulnerability is due to the unintended exposure of sensitive information. An attacker could exploit this vulnerability by inspecting the responses from the API. Under certain circumstances, a successful exploit could allow the attacker to access the API with the privileges of a higher-level user account. To successfully exploit this vulnerability, the attacker would need at least valid Observer credentials. |
| A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system. The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files. |
| A vulnerability in the Software Image Management feature of Cisco DNA Center could allow an authenticated, remote attacker to access to internal services without additional authentication. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending arbitrary HTTP requests to internal services. An exploit could allow the attacker to bypass any firewall or other protections to access unauthorized internal services. DNAC versions prior to 1.2.5 are affected. |
| there is a possible information disclosure due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
