Total: 9716 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-29987 | 1 Microsoft | 1 Edge Chromium | 2025-05-03 | 6.5 Medium |
| Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | ||||
| CVE-2022-37930 | 1 Hpe | 18 Hf20, Hf20 Firmware, Hf20c and 15 more | 2025-05-02 | 6.7 Medium |
| A security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays and HPE Nimble Storage Secondary Flash Arrays which could potentially allow local disclosure of sensitive information. | ||||
| CVE-2022-37909 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2025-05-02 | 5.3 Medium |
| Aruba has identified certain configurations of ArubaOS that can lead to sensitive information disclosure from the configured ESSIDs. The scenarios in which disclosure of potentially sensitive information can occur are complex, and depend on factors beyond the control of attackers. | ||||
| CVE-2022-38654 | 1 Hcltech | 1 Domino | 2025-05-02 | 5.5 Medium |
| HCL Domino is susceptible to an information disclosure vulnerability. In some scenarios, local calls made on the server to search the Domino directory will ignore xACL read restrictions. An authenticated attacker could leverage this vulnerability to access attributes from a user's person record. | ||||
| CVE-2022-39018 | 1 M-files | 1 Hubshare | 2025-05-02 | 8.2 High |
| Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL. | ||||
| CVE-2025-2880 | | | 2025-05-02 | 5.3 Medium |
| The Yame \| Link In Bio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.9.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file. | ||||
| CVE-2025-23203 | | | 2025-05-02 | 5.5 Medium |
| Icinga Director is an Icinga config deployment tool. A security vulnerability has been found starting in version 1.0.0 and prior to 1.10.3 and 1.11.3 on several Director endpoints of the REST API. To reproduce this vulnerability, an authenticated user with permission to access the Director is required (plus API access with regard to the API endpoints). Even though some of these Icinga Director users are restricted from accessing certain objects, they are able to retrieve information related to them if their name is known. This makes it possible for those restricted Icinga Director users to change the configuration of these objects. This results in further exploitation, data breaches and sensitive information disclosure. Affected endpoints include icingaweb2/director/service, if the host name is left out of the query; icingaweb2/directore/notification; icingaweb2/director/serviceset; and icingaweb2/director/scheduled-downtime. In addition, the endpoint `icingaweb2/director/services?host=filteredHostName` returns a status code 200 even though the services for the host are filtered. This in turn lets the restricted user know that the host `filteredHostName` exists even though the user is restricted from accessing it. This could again result in further exploitation of this information and data breaches. Icinga Director has patches in versions 1.10.3 and 1.11.1. If upgrading is not feasible, disable the director module for users other than the admin role for the time being. | ||||
| CVE-2025-46552 | | | 2025-05-02 | N/A |
| KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2. | ||||
| CVE-2024-42019 | 1 Veeam | 1 One | 2025-05-01 | 8.0 High |
| A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup & Replication. | ||||
| CVE-2024-34004 | 1 Moodle | 1 Moodle | 2025-05-01 | 6.5 Medium |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||||
| CVE-2024-34005 | 1 Moodle | 1 Moodle | 2025-05-01 | 6.5 Medium |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||||
| CVE-2024-34003 | 1 Moodle | 1 Moodle | 2025-05-01 | 5.9 Medium |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||||
| CVE-2024-34002 | 1 Moodle | 1 Moodle | 2025-05-01 | 6.5 Medium |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||||
| CVE-2022-30556 | 4 Apache, Fedoraproject, Netapp and 1 more | 5 Http Server, Fedora, Clustered Data Ontap and 2 more | 2025-05-01 | 7.5 High |
| Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. | ||||
| CVE-2022-27949 | 1 Apache | 1 Airflow | 2025-04-30 | 7.5 High |
| A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1. | ||||
| CVE-2022-34312 | 1 Ibm | 1 Cics Tx | 2025-04-30 | 4 Medium |
| IBM CICS TX 11.1 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 229447. | ||||
| CVE-2024-26470 | 1 Fullstackhero | 1 .net 9 Starter Kit | 2025-04-30 | 8.1 High |
| A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request. | ||||
| CVE-2025-24270 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-04-30 | 5.7 Medium |
| This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to leak sensitive user information. | ||||
| CVE-2022-42132 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-04-30 | 5.9 Medium |
| The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. | ||||
| CVE-2022-34314 | 1 Ibm | 1 Cics Tx | 2025-04-30 | 4 Medium |
| IBM CICS TX 11.1 could disclose sensitive information to a local user due to insecure permission settings. IBM X-Force ID: 229450. | ||||