Vulnerabilities (CVE)

Filtered by CWE-201
Total 143 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-3413 1 Gitlab 1 Gitlab 2024-11-21 N/A 6.5 MEDIUM
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
CVE-2023-3399 1 Gitlab 1 Gitlab 2024-11-21 N/A 8.5 HIGH
An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.
CVE-2023-3299 1 Hashicorp 1 Nomad 2024-11-21 N/A 3.4 LOW
HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.
CVE-2023-3102 1 Gitlab 1 Gitlab 2024-11-21 N/A 5.3 MEDIUM
A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to titles of private issue and MR.
CVE-2023-32275 1 Softether 1 Vpn 2024-11-21 N/A 5.5 MEDIUM
An information disclosure vulnerability exists in the CtEnumCa() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability.
CVE-2023-2620 1 Gitlab 1 Gitlab 2024-11-21 N/A 5.5 MEDIUM
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838.
CVE-2023-28117 1 Sentry 1 Sentry Software Development Kit 2024-11-21 N/A 7.6 HIGH
Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.
CVE-2023-1975 1 Answer 1 Answer 2024-11-21 N/A 6.5 MEDIUM
Insertion of Sensitive Information Into Sent Data in GitHub repository answerdev/answer prior to 1.0.8.
CVE-2022-27671 1 Sap 1 Businessobjects Business Intelligence Platform 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
A CSRF token visible in the URL may possibly lead to information disclosure vulnerability.
CVE-2021-32653 1 Nextcloud 1 Nextcloud Server 2024-11-21 4.0 MEDIUM 2.7 LOW
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
CVE-2021-1129 1 Cisco 3 Content Security Management Appliance, Email Security Appliance, Web Security Appliance 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the authentication for the general purpose APIs implementation of Cisco Email Security Appliance (ESA), Cisco Content Security Management Appliance (SMA), and Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to access general system information and certain configuration information from an affected device. The vulnerability exists because a secure authentication token is not required when authenticating to the general purpose API. An attacker could exploit this vulnerability by sending a crafted request for information to the general purpose API on an affected device. A successful exploit could allow the attacker to obtain system and configuration information from the affected device, resulting in an unauthorized information disclosure.
CVE-2021-1128 1 Cisco 1 Ios Xr 2024-11-21 2.1 LOW 5.5 MEDIUM
A vulnerability in the CLI parser of Cisco IOS XR Software could allow an authenticated, local attacker to view more information than their privileges allow. The vulnerability is due to insufficient application of restrictions during the execution of a specific command. An attacker could exploit this vulnerability by using a specific command at the command line. A successful exploit could allow the attacker to obtain sensitive information within the configuration that otherwise might not have been accessible beyond the privileges of the invoking user.
CVE-2020-27748 1 Freedesktop 1 Xdg-utils 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.
CVE-2020-14514 1 Nmfc 1 Power Line Communications 2024-11-21 3.3 LOW 4.3 MEDIUM
All trailer Power Line Communications are affected. PLC bus traffic can be sniffed reliably via an active antenna up to 6 feet away. Further distances are also possible, subject to environmental conditions and receiver improvements.
CVE-2024-49235 2024-10-18 N/A 7.5 HIGH
Insertion of Sensitive Information Into Sent Data vulnerability in VideoWhisper.Com Contact Forms, Live Support, CRM, Video Messages allows Retrieve Embedded Sensitive Data.This issue affects Contact Forms, Live Support, CRM, Video Messages: from n/a through 1.10.2.
CVE-2024-47128 1 Gotenna 1 Gotenna Pro 2024-10-17 N/A 4.3 MEDIUM
The goTenna Pro App encryption key name is always sent unencrypted when the key is shared over RF through a broadcast message. It is advised to share the encryption key via local QR for higher security operations.
CVE-2024-43814 1 Gotenna 1 Gotenna 2024-10-17 N/A 4.3 MEDIUM
The goTenna Pro ATAK Plugin's default settings are to share Automatic Position, Location, and Information (PLI) updates every 60 seconds once the plugin is active and goTenna is connected. Users that are unaware of their settings and have not activated encryption before a mission may accidentally broadcast their location unencrypted. It is advised to verify PLI settings are the desired rate and activate encryption prior to mission. Update to the latest Plugin to disable this default setting.
CVE-2024-41931 1 Gotenna 1 Gotenna 2024-10-17 N/A 4.3 MEDIUM
The goTenna Pro ATAK Plugin encryption key name is always sent unencrypted when the key is sent over RF through a broadcast message. It is advised to share the encryption key via local QR for higher security operations.
CVE-2024-6747 1 Checkmk 1 Checkmk 2024-10-15 N/A 7.5 HIGH
Information leakage in mknotifyd in Checkmk before 2.3.0p18, 2.2.0p36, 2.1.0p49 and in 2.0.0p39 (EOL) allows attacker to get potentially sensitive data
CVE-2024-8890 1 Circutor 2 Q-smt, Q-smt Firmware 2024-10-01 N/A 8.8 HIGH
An attacker with access to the network where the CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could obtain legitimate credentials or steal sessions due to the fact that the device only implements the HTTP protocol. This fact prevents a secure communication channel from being established.