Total
9480 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-32229 | 1 Rocket.chat | 1 Rocket.chat | 2025-05-22 | 4.3 Medium |
| A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection. | ||||
| CVE-2018-10596 | 1 Medtronic | 2 2090 Carelink Programmer, 2090 Carelink Programmer Firmware | 2025-05-22 | 7.1 High |
| Medtronic 2090 CareLink Programmer uses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based VPN connection to a Medtronic-hosted update network. Once the VPN is established, it makes a request to a HTTP (non-TLS) server across the VPN for updates, which responds and provides any available updates. The programmer-side (client) service responsible for this HTTP request does not check to ensure it is still connected to the VPN before making the HTTP request. Thus, an attacker could cause the VPN connection to terminate (through various methods and attack points) and intercept the HTTP request, responding with malicious updates via a man-in-the-middle attack. The affected products do not verify the origin or integrity of these updates, as it insufficiently relied on the security of the VPN. An attacker with remote network access to the programmer could influence these communications. | ||||
| CVE-2023-6757 | 1 Thecosy | 1 Icecms | 2025-05-22 | 5.3 Medium |
| A vulnerability was found in Thecosy IceCMS 2.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /adplanet/PlanetUser of the component API. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247885 was assigned to this vulnerability. | ||||
| CVE-2023-47619 | 1 Audiobookshelf | 1 Audiobookshelf | 2025-05-22 | 8.1 High |
| Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response. This issue may lead to Information Disclosure. As of time of publication, no patches are available. | ||||
| CVE-2025-27980 | 1 Oldmoon | 1 Cashbook | 2025-05-22 | 6.5 Medium |
| cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=. | ||||
| CVE-2024-45805 | 1 Citeum | 1 Opencti | 2025-05-22 | 4.3 Medium |
| OpenCTI is an open-source cyber threat intelligence platform. Before 6.3.0, general users can access information that can only be accessed by users with access privileges to admin and support information (SETTINGS_SUPPORT). This is due to inadequate access control for support information (http://<opencti_domain>/storage/get/support/UUID/UUID.zip), and that the UUID is available to general users using an attached query (logs query). This vulnerability is fixed in 6.3.0. | ||||
| CVE-2022-32825 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-05-22 | 5.5 Medium |
| The issue was addressed with improved memory handling. This issue is fixed in iOS 15.6 and iPadOS 15.6, macOS Big Sur 11.6.8, watchOS 8.7, tvOS 15.6, macOS Monterey 12.5. An app may be able to disclose kernel memory. | ||||
| CVE-2022-32805 | 1 Apple | 2 Mac Os X, Macos | 2025-05-22 | 5.5 Medium |
| The issue was addressed with improved handling of caches. This issue is fixed in Security Update 2022-005 Catalina, macOS Big Sur 11.6.8, macOS Monterey 12.5. An app may be able to access sensitive user information. | ||||
| CVE-2022-32220 | 1 Rocket.chat | 1 Rocket.chat | 2025-05-22 | 6.5 Medium |
| An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | ||||
| CVE-2022-32219 | 1 Rocket.chat | 1 Rocket.chat | 2025-05-22 | 4.3 Medium |
| An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the "users.list" REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any data (except password hashes) of any user authenticated. | ||||
| CVE-2022-4343 | 1 Gitlab | 1 Gitlab | 2025-05-22 | 5 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which a project member can leak credentials stored in site profile. | ||||
| CVE-2024-38167 | 2 Microsoft, Redhat | 3 .net, Visual Studio 2022, Enterprise Linux | 2025-05-21 | 6.5 Medium |
| .NET and Visual Studio Information Disclosure Vulnerability | ||||
| CVE-2024-38200 | 1 Microsoft | 3 365 Apps, Office, Office Long Term Servicing Channel | 2025-05-21 | 6.5 Medium |
| Microsoft Office Spoofing Vulnerability | ||||
| CVE-2025-31491 | 1 Agpt | 1 Autogpt | 2025-05-21 | 8.6 High |
| AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows of leakage of cross-domain cookies and protected headers in requests redirect. AutoGPT uses a wrapper around the requests python library, located in autogpt_platform/backend/backend/util/request.py. In this wrapper, redirects are specifically NOT followed for the first request. If the wrapper is used with allow_redirects set to True (which is the default), any redirect is not followed by the initial request, but rather re-requested by the wrapper using the new location. However, there is a fundamental flaw in manually re-requesting the new location: it does not account for security-sensitive headers which should not be sent cross-origin, such as the Authorization and Proxy-Authorization header, and cookies. For example in autogpt_platform/backend/backend/blocks/github/_api.py, an Authorization header is set when retrieving data from the GitHub API. However, if GitHub suffers from an open redirect vulnerability (such as the made-up example of https://api.github.com/repos/{owner}/{repo}/issues/comments/{comment_id}/../../../../../redirect/?url=https://joshua.hu/), and the script can be coerced into visiting it with the Authorization header, the GitHub credentials in the Authorization header will be leaked. This allows leaking auth headers and private cookies. This vulnerability is fixed in 0.6.1. | ||||
| CVE-2025-48064 | 2025-05-21 | 3.3 Low | ||
| GitHub Desktop is an open-source, Electron-based GitHub app designed for git development. Prior to version 3.4.20-beta3, an attacker convincing a user to view a file in a commit of their making in the history view can cause information disclosure by means of Git attempting to access a network share. This affects GitHub Desktop users on Windows that view malicious commits in the history view. macOS users are not affected. When viewing a file diff in the history view GitHub Desktop will call `git log` or `git diff` with the object id (SHA) of the commit, the name of the file, and the old name of the file if the file has been renamed. As a security precaution Git will attempt to fully resolve the old and new path via `realpath`, traversing symlinks, to ensure that the resolved paths reside within the repository working directory. This can lead to Git attempting to access a path that resides on a network share (UNC path) and in doing so Windows will attempt to perform NTLM authentication which passes information such as the computer name, the currently signed in (Windows) user name, and an NTLM hash. GitHub Desktop 3.4.20 and later fix this vulnerability. The beta channel includes the fix in 3.4.20-beta3. As a workaround to use until upgrading is possible, only browse commits in the history view that comes from trusted sources. | ||||
| CVE-2022-39031 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 5.3 Medium |
| Smart eVision has insufficient authorization for task acquisition function. An unauthorized remote attacker can exploit this vulnerability to acquire the Session IDs of other general users only. | ||||
| CVE-2022-39029 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 6.5 Medium |
| Smart eVision has inadequate authorization for the database query function. A remote attacker with general user privilege, who is not explicitly authorized to access the information, can access sensitive information. | ||||
| CVE-2022-39030 | 1 Lcnet | 1 Smart Evision | 2025-05-21 | 7.5 High |
| smart eVision has inadequate authorization for system information query function. An unauthenticated remote attacker, who is not explicitly authorized to access the information, can access sensitive information. | ||||
| CVE-2022-3348 | 1 Tooljet | 1 Tooljet | 2025-05-21 | 4.9 Medium |
| Just like in the previous report, an attacker could steal the account of different users. But in this case, it's a little bit more specific, because it is needed to be an editor in the same app as the victim. | ||||
| CVE-2025-4901 | 1 Dlink | 2 Di-7003g, Di-7003g Firmware | 2025-05-21 | 4.3 Medium |
| A vulnerability classified as problematic was found in D-Link DI-7003GV2 24.04.18D1 R(68125). Affected by this vulnerability is the function sub_41E304 of the file /H5/state_view.data of the component HTTP Endpoint. The manipulation leads to information disclosure. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. | ||||