Loading...
Loading...
8,670 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
An issue was discovered in GitLab Community and Enterprise Edition 9.0 and through 12.0.2. Users with access to issues, but not the repository were able to view the number of related merge requests on an issue. It has Incorrect Access Cont…
An issue was discovered in all versions of Bond JetSelect. Within the JetSelect Application, the web interface hides RADIUS secrets, WPA passwords, and SNMP strings from 'non administrative' users using HTML 'password field' obfuscation. B…
In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by looking at the process list when a data upload is being performed. This license can be used to upload data to a central Lynis server. Although no data can be extracted b…
Certain Logitech Unifying devices allow attackers to dump AES keys and addresses, leading to the capability of live decryption of Radio Frequency transmissions, as demonstrated by an attack against a Logitech K360 keyboard.
Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a…
Some Brother printers (such as the HL-L8360CDW v1.20) were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user who visits a specific URL.
All configuration parameters of certain Kyocera printers (such as the ECOSYS M5526cdw 2R7_2000.001.701) were accessible by unauthenticated users. This information was only presented in the menus when authenticated, and the pages that loade…
An information disclosure vulnerability exists when the Windows TCP/IP stack improperly handles IPv6 flowlabel filled in packets, aka 'Windows TCP/IP Information Disclosure Vulnerability'.
libosinfo 1.5.0 allows local users to discover credentials by listing a process, because credentials are passed to osinfo-install-script via the command line.
virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py.
In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki access to make API calls for page metadata. In other words, the password hash can be retrieved even though it is not a…
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1345.
An information disclosure vulnerability exists when Windows Update Client fails to properly handle objects in memory, aka 'Windows Update Client Information Disclosure Vulnerability'.
The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker …
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager allows attackers to enumerate users and check for active users of the application by reading /tmp/login.log.
TOPMeeting before version 8.8 (2019/08/19) shows attendees account and password in front end page that allows an attacker to obtain sensitive information by browsing the source code of the page.
A service which is hosted on port 3097 in HiNet GPON firmware < I040GWR190731 allows an attacker to execute a specific command to read arbitrary files. CVSS 3.0 Base score 9.3. CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).
Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.
Search Guard versions before 23.1 had an issue that for aggregations clear text values of anonymised fields were leaked.
Search Guard versions before 23.1 had an issue that an administrative user is able to retrieve bcrypt password hashes of other users configured in the internal user database.
In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to rec…
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8. A customer user can use the search results to disclose information from their "company" tickets (with the same CustomerID), even when the CustomerDisableComp…
Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200. A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related …
In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), whi…
In Tasy EMR, Tasy WebPortal Versions 3.02.1757 and prior, there is an information exposure vulnerability which may allow a remote attacker to access system and configuration information.
An information disclosure vulnerability exists when Microsoft Edge based on Edge HTML improperly handles objects in memory, aka 'Microsoft Edge based on Edge HTML Information Disclosure Vulnerability'.
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times.
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system, aka 'Windows GDI Information Disclos…
Information leak in storage in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Inappropriate implementation in JavaScript in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory, aka 'Open Enclave SDK Information Disclosure Vulnerability'.
An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory, aka 'Open Enclave SDK Information Disclosure Vulnerability'.
Insufficient policy enforcement in extensions in Google Chrome prior to 78.0.3904.70 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.
Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application.
Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Insufficient policy enforcement in autocomplete in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
An information disclosure vulnerability exists in the way Windows Error Reporting (WER) handles objects in memory, aka 'Windows Error Reporting Information Disclosure Vulnerability'.
Insufficient policy enforcement in cookies in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Insufficient policy enforcement in audio in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
An information disclosure vulnerability exists when the Windows Servicing Stack allows access to unprivileged file locations, aka 'Microsoft Windows Information Disclosure Vulnerability'.
interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview.
An information disclosure vulnerability exists in Microsoft Access software when the software fails to properly handle objects in memory, aka 'Microsoft Access Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1463.
Due to the use of non-time-constant comparison functions there is issue in timing side channels which can be used as a potential side channel for SUI corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Co…
An information disclosure vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka 'Microsoft Office Information Disclosure Vulnerability'.
Using non-time-constant functions like memcmp to compare sensitive data can lead to information leakage through timing side channel issue. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon…
System Services exports services without permission protect and can lead to information exposure in Snapdragon Industrial IOT, Snapdragon Mobile in MDM9206, MDM9207C, MDM9607, Rennell, Saipan, SM8150, SM8250, SXR2130
u'Information disclosure issue occurs as in current logic as secure touch is released without clearing the display session which can result in user reading the secure input while touch is in non-secure domain as secure display is active' i…
An information vulnerability exists when Windows Modules Installer Service improperly discloses file information, aka 'Windows Modules Installer Service Information Disclosure Vulnerability'.
EchelonGraph correlates every CVE — across CWE-200 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →