Total
8067 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12140 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| The Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render function due to insufficient restrictions on which templates can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft templates that they should not have access to. | |||||
| CVE-2024-11290 | 2025-01-07 | N/A | 5.3 MEDIUM | ||
| The Member Access plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | |||||
| CVE-2024-12538 | 2025-01-07 | N/A | 4.3 MEDIUM | ||
| The Duplicate Post, Page and Any Custom Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.3 via the 'dpp_duplicate_as_draft' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts. | |||||
| CVE-2025-21620 | 2025-01-06 | N/A | 7.5 HIGH | ||
| Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2. | |||||
| CVE-2024-52517 | 1 Nextcloud | 1 Nextcloud Server | 2025-01-06 | N/A | 4.6 MEDIUM |
| Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1. | |||||
| CVE-2025-21615 | 2025-01-06 | N/A | 5.5 MEDIUM | ||
| AAT (Another Activity Tracker) is a GPS-tracking application for tracking sportive activities, with emphasis on cycling. Versions lower than v1.26 of AAT are vulnerable to data exfiltration from malicious apps installed on the same device. | |||||
| CVE-2025-0227 | 2025-01-05 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This affects an unknown part of the file /Logs/Annals/downLoad.html. The manipulation of the argument path leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0226 | 2025-01-05 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this issue is the function download of the file /collect/PortV4/downLoad.html. The manipulation of the argument path leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0224 | 2025-01-05 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in Provision-ISR SH-4050A-2, SH-4100A-2L(MM), SH-8100A-2L(MM), SH-16200A-2(1U), SH-16200A-5(1U) and NVR5-8200PX up to 20241220. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /server.js. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-13042 | 2025-01-04 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Tsinghua Unigroup Electronic Archives Management System 3.2.210802(62532). It has been classified as problematic. Affected is the function download of the file /Searchnew/Subject/download.html. The manipulation of the argument path leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-39896 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 7.5 HIGH |
| Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0. | |||||
| CVE-2024-34708 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 4.9 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will return `**********` however if we change the request to `?alias[workaround]=redacted` we can instead retrieve the plain text value for the field. This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them. This vulnerability is fixed in 10.11.0. | |||||
| CVE-2024-28238 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 2.3 LOW |
| Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-27296 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 5.3 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. The problem has been resolved in versions 10.8.3 and newer. | |||||
| CVE-2024-13110 | 2025-01-02 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java, of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-47923 | 2024-12-30 | N/A | 5.3 MEDIUM | ||
| Mashov – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2024-47922 | 2024-12-30 | N/A | 7.5 HIGH | ||
| Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2024-56509 | 2024-12-27 | N/A | 8.6 HIGH | ||
| changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur when user input is used to construct file paths without adequate sanitization or validation. For example, using file:../../../etc/passwd or file: ///etc/passwd can bypass weak validations and allow unauthorized access to sensitive files. Even though this has been addressed in previous patch, it is still insufficient. This vulnerability is fixed in 0.48.05. | |||||
| CVE-2024-26177 | 1 Microsoft | 7 Windows 10 1507, Windows 10 1607, Windows 11 23h2 and 4 more | 2024-12-27 | N/A | 5.5 MEDIUM |
| Windows Kernel Information Disclosure Vulnerability | |||||
| CVE-2024-12984 | 2024-12-27 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as problematic has been found in Amcrest IP2M-841B, IP2M-841W, IPC-IP2M-841B, IPC-IP3M-943B, IPC-IP3M-943S, IPC-IP3M-HX2B and IPC-IPM-721S up to 20241211. This affects an unknown part of the file /web_caps/webCapsConfig of the component Web Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||