Vulnerabilities (CVE)

Filtered by CWE-200
Total 9181 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-54786 1 Salesagility 1 Suitecrm 2025-08-14 N/A 5.3 MEDIUM
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.
CVE-2025-50154 1 Microsoft 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more 2025-08-14 N/A 7.5 HIGH
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-43988 2025-08-14 N/A 7.5 HIGH
KuWFi 5G01-X55 FL2020_V0.0.12 devices expose an unauthenticated API endpoint (ajax_get.cgi), allowing remote attackers to retrieve sensitive configuration data, including admin credentials.
CVE-2025-9036 2025-08-14 N/A N/A
A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcasted over a WebSocket and can be intercepted by any local client listening on the connection.
CVE-2025-55673 2025-08-14 N/A N/A
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue.
CVE-2025-43986 2025-08-14 N/A 9.8 CRITICAL
An issue was discovered on KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices. The TELNET service is enabled by default and exposed over the WAN interface without authentication.
CVE-2025-55165 2025-08-13 N/A 8.2 HIGH
Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the to_dict() method, used to serialize configuration for the debug pack, doesn't adequately filter out sensitive fields such as API tokens. Users, unaware of the full contents, might share these debug packs, inadvertently leaking their private API keys. This issue has been patched in version 0.8.3.
CVE-2025-3831 2025-08-13 N/A 8.1 HIGH
Log files uploaded during troubleshooting by the Harmony SASE agent may have been accessible to unauthorized parties.
CVE-2025-53134 2025-08-13 N/A 7.0 HIGH
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2025-27707 2025-08-13 N/A 2.6 LOW
Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2025-33051 2025-08-13 N/A 7.5 HIGH
Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network.
CVE-2025-53136 2025-08-13 N/A 5.5 MEDIUM
Exposure of sensitive information to an unauthorized actor in Windows NT OS Kernel allows an authorized attacker to disclose information locally.
CVE-2025-53156 2025-08-13 N/A 5.5 MEDIUM
Exposure of sensitive information to an unauthorized actor in Storage Port Driver allows an authorized attacker to disclose information locally.
CVE-2025-53781 2025-08-13 N/A 7.7 HIGH
Exposure of sensitive information to an unauthorized actor in Azure Virtual Machines allows an authorized attacker to disclose information over a network.
CVE-2025-53728 2025-08-13 N/A 6.5 MEDIUM
Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network.
CVE-2024-7128 2025-08-13 N/A 5.3 MEDIUM
A flaw was found in the OpenShift console. Several endpoints in the application use the authHandler() and authHandlerWithUser() middleware functions. When the default authentication provider ("openShiftAuth") is set, these functions do not perform any authentication checks, relying instead on the targeted service to handle authentication and authorization. This issue leads to various degrees of data exposure due to a lack of proper credential verification.
CVE-2024-23962 1 Alpsalpine 2 Ilx-f509, Ilx-f509 Firmware 2025-08-12 N/A 5.3 MEDIUM
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DLT interface, which listens on TCP port 3490 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device.
CVE-2025-8620 1 Givewp 1 Givewp 2025-08-12 N/A 5.3 MEDIUM
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id.
CVE-2025-54615 1 Huawei 1 Harmonyos 2025-08-12 N/A 6.2 MEDIUM
Vulnerability of insufficient information protection in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-4390 2025-08-12 N/A 5.3 MEDIUM
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of resticted posts on archive and feed pages.