Total
51 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2016-10399 | 1 Sendio | 1 Sendio | 2025-04-20 | N/A |
Sendio versions before 8.2.1 were affected by a Local File Inclusion vulnerability that allowed an unauthenticated, remote attacker to read potentially sensitive system files via a specially crafted URL. | ||||
CVE-2017-9947 | 1 Siemens | 8 Apogee Pxc, Apogee Pxc Firmware, Apogee Pxc Modular and 5 more | 2025-04-20 | 5.3 Medium |
A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices. | ||||
CVE-2025-31558 | | | 2025-04-07 | 5.8 Medium |
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through 0.4.4. | ||||
CVE-2025-31421 | | | 2025-04-07 | 5.8 Medium |
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin allows Retrieve Embedded Sensitive Data. This issue affects Srbtranslatin: from n/a through 3.2.0. | ||||
CVE-2025-31550 | | | 2025-04-02 | 5.8 Medium |
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in thom4 WP-LESS allows Retrieve Embedded Sensitive Data. This issue affects WP-LESS: from 1.9.3 through 3. | ||||
CVE-2025-25586 | 1 R1bbit | 1 Yimioa | 2025-04-01 | 4.2 Medium |
yimioa before v2024.07.04 was discovered to contain an information disclosure vulnerability via the component /resources/application.yml. | ||||
CVE-2022-26329 | 1 Netiq | 1 Identity Manager | 2025-04-01 | 1.8 Low |
File existence disclosure vulnerability in NetIQ Identity Manager plugin prior to version 4.8.5 allows attacker to determine whether a file exists on the filesystem. This issue affects: Micro Focus NetIQ Identity Manager NetIQ Identity Manager versions prior to 4.8.5 on ALL. | ||||
CVE-2025-27017 | | | 2025-03-12 | N/A |
Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records. | ||||
CVE-2022-23508 | 1 Weave | 1 Weave Gitops | 2025-03-10 | 8.9 High |
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. Its endpoint had no security controls to block unauthorized access, therefore allowing local users (and processes) on the same machine to see and alter the bucket content. By leveraging this vulnerability, an attacker could pick a workload of their choosing and inject it into the S3 bucket, which resulted in the successful deployment in the target cluster, without the need to provide any credentials to either the S3 bucket or the target Kubernetes cluster. There are no known workarounds for this issue; please upgrade. This vulnerability has been fixed by commits 75268c4 and 966823b. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. Workarounds: There is no workaround for this vulnerability. References: Disclosed by Paulo Gomes, Senior Software Engineer, Weaveworks. For more information: If you have any questions or comments about this advisory, open an issue in the [Weave GitOps repository](https://github.com/weaveworks/weave-gitops) or email [support@weave.works](mailto:support@weave.works). | ||||
CVE-2025-27150 | | | 2025-03-04 | 5.3 Medium |
Tuleap is an Open Source Suite to improve management of software developments and collaboration. The password to connect the Redis instance is not purged from the archive generated with tuleap collect-system-data. These archives are likely to be used by support teams that should not have access to this password. The vulnerability is fixed in Tuleap Community Edition 16.4.99.1740492866 and Tuleap Enterprise Edition 16.4-6 and 16.3-11. | ||||
CVE-2023-38558 | 1 Siemens | 1 Simatic Pcs Neo | 2025-02-27 | 5.5 Medium |
A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions). The affected application leaks Windows admin credentials. An attacker with local access to the Administration Console could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems. | ||||
CVE-2023-28444 | 1 Angular-server-side-configuration Project | 1 Angular-server-side-configuration | 2025-02-24 | 9.9 Critical |
angular-server-side-configuration helps configure an Angular application at runtime on the server or in a Docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to a ngssc.json file in the output directory. During deployment of an Angular-based app, the environment variables based on the variables from ngssc.json are inserted into the app's index.html (or defined index file). With version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file from the Angular CLI. In a monorepo setup, this could lead to environment variables intended for a backend/service being detected and written to the ngssc.json, which would then be populated and exposed via index.html. This has NO IMPACT in a plain Angular project that has no backend component. This vulnerability has been mitigated in version 15.1.0 by adding an option `searchPattern` which restricts the detection file range by default. As a workaround, manually edit or create ngssc.json or run a script after ngssc.json generation. | ||||
CVE-2025-22633 | | | 2025-02-24 | 5.8 Medium |
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Matt Cromwell Give – Divi Donation Modules allows Retrieve Embedded Sensitive Data. This issue affects Give – Divi Donation Modules: from n/a through 2.0.0. | ||||
CVE-2024-21501 | 2 Apostrophecms, Redhat | 4 Sanitize-html, Acm, Multicluster Engine and 1 more | 2025-02-13 | 5.3 Medium |
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server. | ||||
CVE-2024-31954 | 1 Samsung | 1 Samsung Portable Ssd T5 Software For Windows | 2025-02-13 | 7.3 High |
An issue was discovered in the installer in Samsung Portable SSD for T5 1.6.10 on Windows. Because it is possible to tamper with the directory and DLL files used during the installation process, an attacker can escalate privileges through arbitrary code execution. (An attacker must already have user privileges) | ||||
CVE-2025-24689 | | | 2025-02-12 | 5.9 Medium |
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in codection Import and export users and customers allows Retrieve Embedded Sensitive Data. This issue affects Import and export users and customers: from n/a through 1.27.12. | ||||
CVE-2022-43933 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | 4.4 Medium |
An information exposure through log file vulnerability exists in Brocade SANnav before Brocade SANnav 2.2.2, where configuration secrets are logged in supportsave. The supportsave file is generated by an admin user troubleshooting the switch. The logged information may include usernames and passwords, and secret keys. | ||||
CVE-2025-22773 | | | 2025-01-15 | 5.3 Medium |
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WPChill Htaccess File Editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Htaccess File Editor: from n/a through 1.0.19. | ||||
CVE-2024-6880 | | | 2025-01-10 | N/A |
During the MegaBIP installation process, a user is encouraged to change the default path to the administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms. Publicly available source code of "/registered.php" discloses that path, allowing an attacker to attempt further attacks. This issue affects MegaBIP software versions below 5.15. | ||||
CVE-2025-0194 | 1 Gitlab | 1 Gitlab | 2025-01-09 | 6.5 Medium |
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions, access tokens may have been logged when API requests were made in a specific manner. |