Vulnerabilities (CVE)

Filtered by CWE-209
Total 291 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-7945 1 Paloaltonetworks 1 Pan-os 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before 8.0.2 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests, aka PAN-SA-2017-0014 and PAN-72769.
CVE-2010-3332 1 Microsoft 2 .net Framework, Internet Information Services 2024-11-21 6.4 MEDIUM N/A
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
CVE-2000-1191 1 Htdig Project 1 Htdig 2024-11-20 5.0 MEDIUM N/A
htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path.
CVE-2024-48896 1 Moodle 1 Moodle 2024-11-20 N/A 4.3 MEDIUM
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
CVE-2021-3986 1 Janeczku 1 Calibre-web 2024-11-19 N/A 4.3 MEDIUM
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
CVE-2023-20593 3 Amd, Debian, Xen 140 Athlon Gold 7220u, Athlon Gold 7220u Firmware, Epyc 7232p and 137 more 2024-11-19 N/A 5.5 MEDIUM
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
CVE-2024-47803 1 Jenkins 1 Jenkins 2024-11-13 N/A 4.3 MEDIUM
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.
CVE-2023-40457 2024-11-12 N/A N/A
The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is "evaluating support for RFC 7606 as a future feature" and believes that "customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks."
CVE-2024-52043 1 Humhub 1 Humhub 2024-11-08 N/A 5.3 MEDIUM
Generation of Error Message Containing Sensitive Information in HumHub GmbH & Co. KG - HumHub on Linux allows: Excavation (user enumeration).This issue affects all released HumHub versions: through 1.16.2.
CVE-2024-30141 2024-11-08 N/A 4.7 MEDIUM
HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.
CVE-2024-51560 1 63moons 2 Aero, Wave 2.0 2024-11-08 N/A 4.3 MEDIUM
This vulnerability exists in the Wave 2.0 due to improper exception handling for invalid inputs at certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for “userId” parameter in the API request leading to generation of error message containing sensitive information on the targeted system.
CVE-2021-47161 2024-11-06 N/A 5.5 MEDIUM
In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-dspi: Fix a resource leak in an error handling path 'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the error handling path of the probe function, as already done in the remove function
CVE-2024-39458 2024-11-05 N/A 3.1 LOW
When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the default system log.
CVE-2024-7038 1 Openwebui 1 Open Webui 2024-11-03 N/A 2.7 LOW
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information.
CVE-2024-39719 2024-11-01 N/A 7.5 HIGH
An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file existence on the server.
CVE-2024-50512 2024-11-01 N/A 5.3 MEDIUM
Generation of Error Message Containing Sensitive Information vulnerability in Posti Posti Shipping allows Retrieve Embedded Sensitive Data.This issue affects Posti Shipping: from n/a through 3.10.2.
CVE-2024-37162 1 Idopesok 1 Zsa 2024-10-31 N/A 5.3 MEDIUM
zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure. This has been patched on `0.3.3`.
CVE-2023-50355 1 Hcltech 1 Sametime 2024-10-31 N/A 5.3 MEDIUM
HCL Sametime is impacted by the error messages containing sensitive information. An attacker can use this information to launch another, more focused attack.
CVE-2024-45440 1 Drupal 1 Drupal 2024-10-28 N/A 5.3 MEDIUM
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
CVE-2023-25956 1 Apache 1 Apache-airflow-providers-amazon 2024-10-23 N/A 7.5 HIGH
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.