Total
8382 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-34754 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Contact Form Widget.This issue affects Contact Form Widget: from n/a through 1.3.9. | |||||
| CVE-2024-34696 | 1 Geoserver | 1 Geoserver | 2024-11-21 | N/A | 4.5 MEDIUM |
| GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured. The `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly. Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice. | |||||
| CVE-2024-34684 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | N/A | 3.7 LOW |
| On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read or modify the remote server files. | |||||
| CVE-2024-34556 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.4. | |||||
| CVE-2024-34549 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Automattic WP Job Manager.This issue affects WP Job Manager: from n/a through 2.2.2. | |||||
| CVE-2024-34388 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Scribit GDPR Compliance.This issue affects GDPR Compliance: from n/a through 1.2.5. | |||||
| CVE-2024-34382 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in RoboSoft Robo Gallery.This issue affects Robo Gallery: from n/a through 3.2.18. | |||||
| CVE-2024-34368 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mooberry Dreams Mooberry Book Manager.This issue affects Mooberry Book Manager: from n/a through 4.15.12. | |||||
| CVE-2024-33881 | 2 Microsoft, Virtosoftware | 2 Sharepoint Server, Sharepoint Bulk File Download | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path parameter. | |||||
| CVE-2024-33753 | 2024-11-21 | N/A | 8.2 HIGH | ||
| Section Camera V2.5.5.3116-S50-SMA-B20160811 and earlier versions allow the accounts and passwords of administrators and users to be changed without authorization. | |||||
| CVE-2024-33626 | 1 Level1 | 2 Wbr-6012, Wbr-6012 Firmware | 2024-11-21 | N/A | 5.3 MEDIUM |
| The LevelOne WBR-6012 router contains a vulnerability within its web application that allows unauthenticated disclosure of sensitive information, such as the WiFi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device's WiFi network. | |||||
| CVE-2024-33603 | 1 Level1 | 2 Wbr-6012, Wbr-6012 Firmware | 2024-11-21 | N/A | 5.3 MEDIUM |
| The LevelOne WBR-6012 router has an information disclosure vulnerability in its web application, which allows unauthenticated users to access a verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device's reliance on IP address for authentication. | |||||
| CVE-2024-33575 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in User Meta user-meta.This issue affects User Meta: from n/a through 3.0. | |||||
| CVE-2024-33538 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Fastline Media LLC Assistant – Every Day Productivity Apps.This issue affects Assistant – Every Day Productivity Apps: from n/a through 1.4.9.1. | |||||
| CVE-2024-33309 | 2024-11-21 | N/A | 7.5 HIGH | ||
| An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to obtain sensitive information via an insecure API endpoint. NOTE: this is disputed as discussed in the msn-official/CVE-Evidence repository. | |||||
| CVE-2024-32816 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid.This issue affects Post Grid: from n/a through 2.2.78. | |||||
| CVE-2024-32781 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ThemeHigh Email Customizer for WooCommerce.This issue affects Email Customizer for WooCommerce: from n/a through 2.6.0. | |||||
| CVE-2024-32780 | 2024-11-21 | N/A | 5.9 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in E4J s.R.L. VikRentCar.This issue affects VikRentCar: from n/a through 1.3.2. | |||||
| CVE-2024-32754 | 2024-11-21 | N/A | 3.1 LOW | ||
| Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information. | |||||
| CVE-2024-32726 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in vinoth06. Frontend Dashboard.This issue affects Frontend Dashboard: from n/a through 2.2.2. | |||||