Total
117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8429 | 2024-12-17 | N/A | 4.3 MEDIUM | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials.This issue affects WiFiBurada: before 1.0.5. | |||||
| CVE-2024-28173 | 1 Jetbrains | 1 Teamcity | 2024-12-16 | N/A | 4.3 MEDIUM |
| In JetBrains TeamCity between 2023.11 and 2023.11.4 custom build parameters of the "password" type could be disclosed | |||||
| CVE-2024-54309 | 2024-12-13 | N/A | 6.5 MEDIUM | ||
| Insertion of Sensitive Information Into Sent Data vulnerability in wpdebuglog PostBox allows Retrieve Embedded Sensitive Data.This issue affects PostBox: from n/a through 1.0.4. | |||||
| CVE-2024-25150 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-10 | N/A | 4.3 MEDIUM |
| Information disclosure vulnerability in the Control Panel in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions allows remote authenticated users to obtain a user's full name from the page's title by enumerating user screen names. | |||||
| CVE-2023-34968 | 4 Debian, Fedoraproject, Redhat and 1 more | 5 Debian Linux, Fedora, Enterprise Linux and 2 more | 2024-12-06 | N/A | 5.3 MEDIUM |
| A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path. | |||||
| CVE-2024-38372 | 2024-11-21 | N/A | 2.0 LOW | ||
| Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2. | |||||
| CVE-2024-37881 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| SiteGuard WP Plugin provides a functionality to customize the path to the login page wp-login.php and implements a measure to avoid redirection from other URLs. However, SiteGuard WP Plugin versions prior to 1.7.7 missed to implement a measure to avoid redirection from wp-register.php. As a result, the customized path to the login page may be exposed. | |||||
| CVE-2024-35189 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meets these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-6916 | 2024-11-21 | N/A | 7.2 HIGH | ||
| Audit records for OpenAPI requests may include sensitive information. This could lead to unauthorized accesses and privilege escalation. | |||||
| CVE-2023-5831 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 3.7 LOW |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the `super_sidebar_logged_out` feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors. | |||||
| CVE-2023-4378 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was as a result of an incomplete fix for CVE-2022-4365. | |||||
| CVE-2023-4002 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for EE-licensed users to link any security policy project by its ID to projects or groups the user has access to, potentially revealing the security projects's configured security policies. | |||||
| CVE-2023-49261 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| The "tokenKey" value used in user authorization is visible in the HTML source of the login page. | |||||
| CVE-2023-3949 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members. | |||||
| CVE-2023-3413 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members. | |||||
| CVE-2023-3399 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 8.5 HIGH |
| An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates. | |||||
| CVE-2023-3299 | 1 Hashicorp | 1 Nomad | 2024-11-21 | N/A | 3.4 LOW |
| HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies using a block without a label generates unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11. | |||||
| CVE-2023-3102 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.3 MEDIUM |
| A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to titles of private issue and MR. | |||||
| CVE-2023-2620 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838. | |||||
| CVE-2023-28117 | 1 Sentry | 1 Sentry Software Development Kit | 2024-11-21 | N/A | 7.6 HIGH |
| Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule. | |||||