27 matches found
CVE-2021-39342 Credova_Financial <= 1.4.8 Sensitive Information Disclosure
The CredovaFinancial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8...
CVE-2021-40862
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1...
Design/Logic Flaw
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules...
Web-Stat < 1.4.1 - API Key Disclosure
When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount. This request contained sensitive information such as the site’s “wtswebstatuid” which was sent in the...
CVE-2016-11066
An issue was discovered in Mattermost Server before 3.2.0. The initialload API disclosed unnecessary personal information...
CVE-2019-6178
An information leakage vulnerability in Iomega and LenovoEMC NAS products could allow disclosure of some device details such as Share names through the device API when Personal Cloud is enabled. This does not allow read, write, delete, or any other access to the underlying file systems and their...
Kubernetes info API access
A remote, unauthenticated attacker is able to access read only API on port 10255 http This API gives access to data of varying sensitivity %NASLMINLEVEL 70300 C Tenable Network Security, Inc. include'deprecatednasllevel.inc'; include'compat.inc'; if description scriptid110767; scriptversion"1.5";...