Total
714 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37482 | 2025-02-11 | N/A | 5.3 MEDIUM | ||
|
The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames.
|
|||||
| CVE-2023-29850 | 1 Slims | 1 Senayan Library Management System | 2025-02-06 | N/A | 7.5 HIGH |
|
SENAYAN Library Management System (SLiMS) Bulian v9.5.2 does not strip exif data from uploaded images. This allows attackers to obtain information such as the user's geolocation and device information.
|
|||||
| CVE-2022-34125 | 1 Glpi-project | 1 Cmdb | 2025-02-06 | N/A | 6.5 MEDIUM |
|
front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter.
|
|||||
| CVE-2020-35165 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2025-02-06 | N/A | 5.1 MEDIUM |
|
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.
|
|||||
| CVE-2023-26557 | 1 Iofinnet | 1 Tss-lib | 2025-02-05 | N/A | 7.5 HIGH |
|
io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)
|
|||||
| CVE-2023-26556 | 1 Iofinnet | 1 Tss-lib | 2025-02-05 | N/A | 9.1 CRITICAL |
|
io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time (there is an if statement in a loop). One leak is in ecdsa/keygen/round_2.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)
|
|||||
| CVE-2025-24506 | 2025-02-05 | N/A | N/A | ||
|
A specific authentication strategy allows to learn ids of PAM users associated with certain authentication types.
|
|||||
| CVE-2023-30458 | 1 Medicine Tracker System Project | 1 Medicine Tracker System | 2025-02-04 | N/A | 5.3 MEDIUM |
|
A username enumeration issue was discovered in Medicine Tracker System 1.0. The login functionality allows a malicious user to guess a valid username due to a different response time from invalid usernames. When one enters a valid username, the response time increases depending on the length of the supplied password.
|
|||||
| CVE-2023-26560 | 1 Northern.tech | 1 Cfengine | 2025-02-04 | N/A | 6.5 MEDIUM |
|
Northern.tech CFEngine Enterprise before 3.21.1 allows a subset of authenticated users to leverage the Scheduled Reports feature to read arbitrary files and potentially discover credentials.
|
|||||
| CVE-2023-28770 | 1 Zyxel | 2 Dx5401-b0, Dx5401-b0 Firmware | 2025-01-31 | N/A | 7.5 HIGH |
|
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.
|
|||||
| CVE-2024-36510 | 1 Fortinet | 2 Forticlientems, Fortisoar | 2025-01-31 | N/A | 5.3 MEDIUM |
|
An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to enumerate valid users via observing login request responses.
|
|||||
| CVE-2023-27931 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-01-29 | N/A | 5.5 MEDIUM |
|
This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.3, tvOS 16.4, watchOS 9.4. An app may be able to access user-sensitive data.
|
|||||
| CVE-2023-28200 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-01-29 | N/A | 5.5 MEDIUM |
|
A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An app may be able to disclose kernel memory.
|
|||||
| CVE-2024-26268 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-01-28 | N/A | 5.3 MEDIUM |
|
User enumeration vulnerability in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 8, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to determine if an account exist in the application by comparing the request's response time.
|
|||||
| CVE-2023-27870 | 1 Ibm | 1 Spectrum Virtualize | 2025-01-24 | N/A | 5.9 MEDIUM |
|
IBM Spectrum Virtualize 8.5, under certain circumstances, could disclose sensitive credential information while a download from Fix Central is in progress. IBM X-Force ID: 249518.
|
|||||
| CVE-2023-1696 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-21 | N/A | 7.5 HIGH |
|
The multimedia video module has a vulnerability in data processing.Successful exploitation of this vulnerability may affect availability.
|
|||||
| CVE-2023-28015 | 1 Hcl | 1 Domino Appdev Pack | 2025-01-17 | N/A | 5.3 MEDIUM |
|
The HCL Domino AppDev Pack IAM service is susceptible to a User Account Enumeration vulnerability. During a failed login attempt a difference in messages could allow an attacker to determine if the user is valid or not. The attacker could use this information to focus a brute force attack on valid users.
|
|||||
| CVE-2023-26215 | 1 Tibco | 1 Ebx Add-ons | 2025-01-16 | N/A | 7.7 HIGH |
|
The server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains a vulnerability that allows an attacker with low-privileged application access to read system files that are accessible to the web server. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 4.5.16 and below.
|
|||||
| CVE-2017-5753 | 13 Arm, Canonical, Debian and 10 more | 387 Cortex-a12, Cortex-a12 Firmware, Cortex-a15 and 384 more | 2025-01-14 | 4.7 MEDIUM | 5.6 MEDIUM |
|
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
|
|||||
| CVE-2023-24598 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | N/A | 4.3 MEDIUM |
|
OX App Suite before backend 7.10.6-rev37 has an information leak in the handling of distribution lists, e.g., partial disclosure of the private contacts of another user.
|
|||||
| CVE-2023-33741 | 2 Google, Macro-video | 2 Android, V380 Pro | 2025-01-13 | N/A | 7.5 HIGH |
|
Macrovideo v380pro v1.4.97 shares the device id and password when sharing the device.
|
|||||
| CVE-2022-24695 | 1 Bluetooth | 1 Bluetooth Core Specification | 2025-01-10 | N/A | 4.3 MEDIUM |
|
Bluetooth Classic in Bluetooth Core Specification through 5.3 does not properly conceal device information for Bluetooth transceivers in Non-Discoverable mode. By conducting an efficient over-the-air attack, an attacker can fully extract the permanent, unique Bluetooth MAC identifier, along with device capabilities and identifiers, some of which may contain identifying information about the device owner. This additionally allows the attacker to establish a connection to the target device.
|
|||||
| CVE-2023-25728 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-10 | N/A | 6.5 MEDIUM |
|
The <code>Content-Security-Policy-Report-Only</code> header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
|
|||||
| CVE-2023-25741 | 1 Mozilla | 1 Firefox | 2025-01-09 | N/A | 6.5 MEDIUM |
|
When dragging and dropping an image cross-origin, the image's size could potentially be leaked. This behavior was shipped in 109 and caused web compatibility problems as well as this security concern, so the behavior was disabled until further review. This vulnerability affects Firefox < 110.
|
|||||
| CVE-2023-33518 | 1 Emoncms | 1 Emoncms | 2025-01-08 | N/A | 5.3 MEDIUM |
|
emoncms v11 and later was discovered to contain an information disclosure vulnerability which allows attackers to obtain the web directory path and other information leaked by the server via a crafted web request.
|
|||||
| CVE-2024-41952 | 1 Zitadel | 1 Zitadel | 2025-01-08 | N/A | 5.3 MEDIUM |
|
Zitadel is an open source identity management system. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to a implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information if an ...
Show More |
|||||
| CVE-2024-26221 | 1 Microsoft | 4 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 1 more | 2025-01-08 | N/A | 7.2 HIGH |
|
Windows DNS Server Remote Code Execution Vulnerability
|
|||||
| CVE-2023-38362 | 1 Ibm | 1 Cics Tx | 2025-01-07 | N/A | 5.3 MEDIUM |
|
IBM CICS TX Advanced 10.1 could disclose sensitive information to a remote attacker due to observable discrepancy in HTTP responses. IBM X-Force ID: 260814.
|
|||||
| CVE-2023-27283 | 1 Ibm | 1 Aspera Orchestrator | 2025-01-07 | N/A | 5.3 MEDIUM |
|
IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies. IBM X-Force ID: 248545.
|
|||||
| CVE-2021-20556 | 1 Ibm | 1 Cognos Controller | 2025-01-07 | N/A | 5.3 MEDIUM |
|
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 could allow a remote user to enumerate usernames due to differentiating error messages on existing usernames. IBM X-Force ID: 199181.
|
|||||
| CVE-2022-48730 | 1 Linux | 1 Linux Kernel | 2025-01-06 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
dma-buf: heaps: Fix potential spectre v1 gadget
It appears like nr could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents
of kernel memory from being leaked to userspace via speculative
execution by using array_index_nospec.
[sumits: added fixes and cc: stable tags]
|
|||||
| CVE-2023-1707 | 1 Hp | 317 Color Laserjet Enterprise 5700 49k98a, Color Laserjet Enterprise 5700 6qn28a, Color Laserjet Enterprise 6700 49l00a and 314 more | 2025-01-03 | N/A | 7.5 HIGH |
|
Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to information disclosure when IPsec is enabled with FutureSmart version 5.6.
|
|||||
| CVE-2023-34878 | 1 Ujcms | 1 Ujcms | 2025-01-02 | N/A | 7.5 HIGH |
|
An issue was discovered in Ujcms v6.0.2 allows attackers to gain sensitive information via the dir parameter to /api/backend/core/web-file-html/download-zip.
|
|||||
| CVE-2024-54454 | 2024-12-31 | N/A | 5.3 MEDIUM | ||
|
An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a username is valid or not. This allows confirmation of valid usernames.
|
|||||
| CVE-2024-12663 | 2024-12-16 | 2.6 LOW | 3.7 LOW | ||
|
A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-27839 | 1 Apple | 2 Ipados, Iphone Os | 2024-12-09 | N/A | 3.3 LOW |
|
A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in iOS 17.5 and iPadOS 17.5. A malicious application may be able to determine a user's current location.
|
|||||
| CVE-2022-42792 | 1 Apple | 2 Ipados, Iphone Os | 2024-12-06 | N/A | 5.5 MEDIUM |
|
This issue was addressed with improved data protection. This issue is fixed in iOS 16.1 and iPadOS 16. An app may be able to read sensitive location information
|
|||||
| CVE-2024-54002 | 2024-12-04 | N/A | 5.3 MEDIUM | ||
|
Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are ...
Show More |
|||||
| CVE-2020-11063 | 1 Typo3 | 1 Typo3 | 2024-12-03 | 4.3 MEDIUM | 3.7 LOW |
|
In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.
|
|||||
| CVE-2023-20575 | 1 Amd | 176 Epyc 5552, Epyc 5552 Firmware, Epyc 7232p and 173 more | 2024-11-27 | N/A | 6.5 MEDIUM |
|
A potential power side-channel vulnerability in some AMD processors may allow an authenticated attacker to use the power reporting functionality to monitor a program’s execution inside an AMD SEV VM potentially resulting in a leak of sensitive information.
|
|||||