Total
669 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-32691 | 1 Go Simple Tunnel Project | 1 Go Simple Tunnel | 2025-01-10 | 5.9 Medium |
| gost (GO Simple Tunnel) is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not secure, an attacker can mount a side-channel timing attack to guess the password. As a workaround, this can be easily fixed using a constant time comparing function such as `crypto/subtle`'s `ConstantTimeCompare`. | ||||
| CVE-2022-24695 | 1 Bluetooth | 1 Bluetooth Core Specification | 2025-01-10 | 4.3 Medium |
| Bluetooth Classic in Bluetooth Core Specification through 5.3 does not properly conceal device information for Bluetooth transceivers in Non-Discoverable mode. By conducting an efficient over-the-air attack, an attacker can fully extract the permanent, unique Bluetooth MAC identifier, along with device capabilities and identifiers, some of which may contain identifying information about the device owner. This additionally allows the attacker to establish a connection to the target device. | ||||
| CVE-2023-25728 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-01-10 | 6.5 Medium |
| The <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. | ||||
| CVE-2023-32342 | 1 Ibm | 1 Http Server | 2025-01-09 | 7.5 High |
| IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 255828. | ||||
| CVE-2023-25741 | 1 Mozilla | 1 Firefox | 2025-01-09 | 6.5 Medium |
| When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review. This vulnerability affects Firefox < 110. | ||||
| CVE-2024-13198 | 2025-01-09 | 3.7 Low | ||
| A vulnerability classified as problematic has been found in langhsu Mblog Blog System 3.5.0. Affected is an unknown function of the file /login. The manipulation leads to observable response discrepancy. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-33518 | 1 Emoncms | 1 Emoncms | 2025-01-08 | 5.3 Medium |
| emoncms v11 and later was discovered to contain an information disclosure vulnerability which allows attackers to obtain the web directory path and other information leaked by the server via a crafted web request. | ||||
| CVE-2024-41952 | 1 Zitadel | 1 Zitadel | 2025-01-08 | 5.3 Medium |
| Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an account exist within ZITADEL, since the error message shows "object not found" instead of the generic error message. This vulnerability is fixed in 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, and 2.53.9. | ||||
| CVE-2023-38362 | 1 Ibm | 1 Cics Tx | 2025-01-07 | 5.3 Medium |
| IBM CICS TX Advanced 10.1 could disclose sensitive information to a remote attacker due to observable discrepancy in HTTP responses. IBM X-Force ID: 260814. | ||||
| CVE-2023-27283 | 1 Ibm | 1 Aspera Orchestrator | 2025-01-07 | 5.3 Medium |
| IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies. IBM X-Force ID: 248545. | ||||
| CVE-2021-20556 | 1 Ibm | 1 Cognos Controller | 2025-01-07 | 5.3 Medium |
| IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181. | ||||
| CVE-2022-48730 | 1 Linux | 1 Linux Kernel | 2025-01-06 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix potential spectre v1 gadget It appears like nr could be a Spectre v1 gadget as it's supplied by a user and used as an array index. Prevent the contents of kernel memory from being leaked to userspace via speculative execution by using array_index_nospec. [sumits: added fixes and cc: stable tags] | ||||
| CVE-2023-34344 | 1 Ami | 1 Megarac Sp-x | 2025-01-03 | 5.3 Medium |
| AMI BMC contains a vulnerability in the IPMI handler, where an unauthorized attacker can use certain oracles to guess a valid username, which may lead to information disclosure. | ||||
| CVE-2023-1707 | 1 Hp | 317 Color Laserjet Enterprise 5700 49k98a, Color Laserjet Enterprise 5700 6qn28a, Color Laserjet Enterprise 6700 49l00a and 314 more | 2025-01-03 | 7.5 High |
| Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to information disclosure when IPsec is enabled with FutureSmart version 5.6. | ||||
| CVE-2023-34878 | 1 Ujcms | 1 Ujcms | 2025-01-02 | 7.5 High |
| An issue was discovered in Ujcms v6.0.2 allows attackers to gain sensitive information via the dir parameter to /api/backend/core/web-file-html/download-zip. | ||||
| CVE-2022-34704 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2025-01-02 | 4.7 Medium |
| Windows Defender Credential Guard Information Disclosure Vulnerability | ||||
| CVE-2024-54454 | 2024-12-31 | 5.3 Medium | ||
| An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a username is valid or not. This allows confirmation of valid usernames. | ||||
| CVE-2024-13028 | 2024-12-30 | 3.7 Low | ||
| A vulnerability, which was classified as problematic, has been found in Antabot White-Jotter up to 0.2.2. This issue affects some unknown processing of the file /login. The manipulation of the argument username leads to observable response discrepancy. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-47155 | 2024-12-27 | 5.5 Medium | ||
| Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak. | ||||
| CVE-2024-47154 | 2024-12-27 | 5.5 Medium | ||
| Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak. | ||||