CWE-200— Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-28164MEDIUMCVSS 5.3EG 5.3

Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on I…

2024-06-11

SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application.

CVE-2024-28188MEDIUMCVSS 5.3EG 5.3

2024-05-23

Jupyter Scheduler is collection of extensions for programming jobs to run now or run on a schedule. The list of conda environments of `jupyter-scheduler` users maybe be exposed, potentially revealing information about projects that a speci…

CVE-2024-28193MEDIUMCVSS 6.5EG 6.5

2024-03-13

your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific u…

CVE-2024-28235HIGHCVSS 8.3EG 8.3

2024-04-09

Contao is an open source content management system. Starting in version 4.9.0 and prior to versions 4.13.40 and 5.3.4, when checking for broken links on protected pages, Contao sends the cookie header to external urls as well, the passed …

CVE-2024-28236HIGHCVSS 7.7EG 7.7

CVE-2024-28238LOWCVSS 2.3EG 2.3

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secr…

CVE-2024-28242MEDIUMCVSS 5.3EG 5.3

Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various …

2024-03-15

Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version…

CVE-2024-28247HIGHCVSS 7.6EG 7.6

2024-03-27

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pihole that allows an authenticated user on the platform to read internal se…

CVE-2024-28339MEDIUMCVSS 5.4EG 5.4

CVE-2024-28340HIGHCVSS 7.5EG 7.5

An information leak in the debuginfo.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required.

CVE-2024-28442HIGHCVSS 7.5EG 7.5

An information leak in the currentsetting.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required.

CVE-2024-28849MEDIUMCVSS 6.5EG 6.5

Directory Traversal vulnerability in Yealink VP59 v.91.15.0.118 allows a physically proximate attacker to obtain sensitive information via terms of use function in the company portal component.

2024-03-14

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but ke…

CVE-2024-28963MEDIUMCVSS 6.2EG 6.2

2024-04-24

Telemetry Dashboard v1.0.0.7 for Dell ThinOS 2402 contains a sensitive information disclosure vulnerability. An unauthenticated user with local access to the device could exploit this vulnerability to read sensitive proxy settings informat…

CVE-2024-29023HIGHCVSS 7.2EG 7.2

2024-04-12

Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be ex…

CVE-2024-29036MEDIUMCVSS 4.3EG 4.3

2024-03-20

Saleor Storefront is software for building e-commerce experiences. Prior to commit 579241e75a5eb332ccf26e0bcdd54befa33f4783, when any user authenticates in the storefront, anonymous users are able to access their data. The session is leake…

CVE-2024-29197MEDIUMCVSS 6.5EG 6.5

CVE-2024-29199LOWCVSS 3.7EG 3.7

Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, s…

CVE-2024-2920MEDIUMCVSS 5.3EG 5.3

Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to a…

2024-04-26

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.4.9.3 due to the plugin uploading user supplied files to a publicly accessible directory in wp-content with…

CVE-2024-29291NONECVSS 0.0EG 0.0

2024-04-16

An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation c…

CVE-2024-2931MEDIUMCVSS 4.3EG 4.3

2024-04-02

The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it …

CVE-2024-29384HIGHCVSS 7.5EG 7.5

2024-04-30

An issue in CSS Exfil Protection v.1.1.0 allows a remote attacker to obtain sensitive information via the content.js and parseCSSRules functions.

CVE-2024-29400HIGHCVSS 7.5EG 7.5

2024-04-12

An issue was discovered in RuoYi v4.5.1, allows attackers to obtain sensitive information via the status parameter.

CVE-2024-2950MEDIUMCVSS 5.3EG 5.3

2024-04-06

The BoldGrid Easy SEO – Simple and Effective SEO plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.6.14 via meta information (og:description) This makes it possible for unauthenticated att…

CVE-2024-2966MEDIUMCVSS 5.3EG 5.3

2024-04-11

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.5.6 via the element_p…

CVE-2024-29720MEDIUMCVSS 5.5EG 6.2

2025-12-26

An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function.

CVE-2024-2974MEDIUMCVSS 5.3EG 5.3

2024-04-09

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 5.9.13 via the load_more function.…

CVE-2024-29839HIGHCVSS 7.5EG 7.5

CVE-2024-29840HIGHCVSS 7.5EG 7.5

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_CARD, allowing for an unauthenticated attacker to return the card value data of any user

CVE-2024-29841HIGHCVSS 7.5EG 7.5

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_PIN_FIELDS, allowing for an unauthenticated attacker to return the pin value of any user

CVE-2024-29842HIGHCVSS 7.5EG 7.5

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_KEYS_FIELDS, allowing for an unauthenticated attacker to return the keys value of any user

CVE-2024-29843HIGHCVSS 7.5EG 7.5

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_ABACARD_FIELDS, allowing for an unauthenticated attacker to return the abacard field of any…

CVE-2024-29883MEDIUMCVSS 4.9EG 4.9

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on MOBILE_GET_USERS_LIST, allowing for an unauthenticated attacker to enumerate all users and their access levels

CVE-2024-29885MEDIUMCVSS 4.3EG 4.3

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings on…

2024-07-17

silverstripe/reports is an API for creating backend reports in the Silverstripe Framework. In affected versions reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView(…

CVE-2024-29897MEDIUMCVSS 4.9EG 4.9

2024-03-28

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with (delete) or (suppressrevision) on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Specia…

CVE-2024-29898MEDIUMCVSS 4.9EG 4.9

2024-03-28

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to…

CVE-2024-29961HIGHCVSS 8.2EG 8.2

2024-04-19

A vulnerability affects Brocade SANnav before v2.3.1 and v2.3.0a. It allows a Brocade SANnav service to send ping commands in the background at regular intervals to gridgain.com to check if updates are available for the Component. This cou…

CVE-2024-29964MEDIUMCVSS 5.7EG 4.9

2024-04-19

Brocade SANnav versions before v2.3.0a do not correctly set permissions on files, including docker files. An unprivileged attacker who gains access to the server can read sensitive information from these files.

CVE-2024-29968HIGHCVSS 7.7EG 7.7

2024-04-19

An information disclosure vulnerability exists in Brocade SANnav before v2.3.1 and v2.3.0a when Brocade SANnav instances are configured in disaster recovery mode. SQL Table names, column names, and SQL queries are collected in DR standby S…

CVE-2024-29987MEDIUMCVSS 6.5EG 6.5

2024-04-18

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE-2024-30081HIGHCVSS 7.1EG 7.1

2024-07-09

Windows NTLM Spoofing Vulnerability

CVE-2024-30096MEDIUMCVSS 5.5EG 5.5

2024-06-11

Windows Cryptographic Services Information Disclosure Vulnerability

CVE-2024-30106LOWCVSS 3.5EG 3.5

2024-10-28

HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of r…

CVE-2024-30118LOWCVSS 3.5EG 3.5

2024-10-09

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to because of improperly handling the request data.

CVE-2024-30135LOWCVSS 3.3EG 7.5

2024-06-28

HCL DRYiCE AEX is potentially impacted by disclosure of sensitive information in the mobile application when a snapshot is taken.

CVE-2024-30233MEDIUMCVSS 6.5EG 6.5