| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Vulnerability of unauthorized exposure of confidential information affecting Advanced IP Scanner and Advanced Port Scanner. It occurs when these applications initiate a network scan, inadvertently sending the NTLM hash of the user performing the scan. This vulnerability can be exploited by intercepting network traffic to a legitimate server or by setting up a fake server, in both local and remote scenarios. This exposure is relevant for both HTTP/HTTPS and SMB protocols. |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in OpenText Performance Center on Windows allows Retrieve Embedded Sensitive Data.This issue affects Performance Center: 12.63. |
| A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions. |
| An improper authorization level has been detected in the login panel. It may lead to
unauthenticated Server Side Request Forgery and allows to perform open services
enumeration. Server makes query to provided server (Server IP/DNS field) and is
triggering connection to arbitrary address.
|
| Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading. |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Contact Form Widget.This issue affects Contact Form Widget: from n/a through 1.3.9. |
| Ericsson Catalog Manager and Ericsson Order Care APIs do not have authentication enabled by default. Authentication checks can be configured to remediate the information disclosure issue. |
| An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot Password function. |
| Loading arbitrary external URLs through WebView components introduces malicious JS code that can steal arbitrary user tokens. |
| In ESPEC North America Web Controller 3 before 3.3.4, /api/v4/auth/ with any invalid authentication request results in exposing a JWT secret. This allows for elevated permissions to the UI. |
| Audit records for OpenAPI requests may include sensitive information.
This could lead to unauthorized accesses and privilege escalation. |
| Due to improper authentication mechanism an unauthenticated remote attacker can enumerate valid usernames. |
| A session hijacking vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters. Unauthenticated attackers can access exposed log files (/logs/debug/xteLog*), potentially revealing sensitive session-related information such as session IDs (sess_id) and authentication success tokens (user_check_password OK). Exploiting this flaw could allow attackers to hijack active sessions, gain unauthorized access, and escalate privileges on affected devices. |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPServeur, NicolasKulka, wpformation WPS Hide Login allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPS Hide Login: from n/a through 1.9.11. |
| MET ONE 3400+ instruments running software v1.0.41 can, under rare conditions, temporarily store credentials in plain text within the system. This data is not available to unauthenticated users. |
| This issue affects:
Secomea GateManager
Version 9.5 and all prior versions.
Protection Mechanism Failure vulnerability in web server of Secomea GateManager to potentially leak information to remote servers. |
| Improper input validation in the Intel(R) Server Board S2600ST Family BIOS and Firmware Update software all versions may allow a privileged user to potentially enable escalation of privilege via local access. |
| The Proofpoint Encryption endpoint of Proofpoint Enterprise Protection contains an Improper Input Validation vulnerability that allows an unauthenticated remote attacker with a specially crafted HTTP request to create additional Encryption user accounts under the attacker's control. These accounts are able to send spoofed email to any users within the domains configured by the Administrator. |
| A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests. |
| EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to
possible information disclosure or escalation of privilege
and impact Confidentiality. |