Token Disclosure
@nuxtlabs/github-module is vulnerable to Token Disclosure. The vulnerability exists in the module.ts because it uses hard-coded credentials in the config file, which allows an attacker to gain sensitive information through the token in the public runtime config...
Fedora 38 : polkit (2023-41bdb7dba8)
The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-41bdb7dba8 advisory. "config file permission change to increase security of polkitd". Tenable has extracted the preceding description block directly from the Fedora security advisor...
CVE-2023-30527
The CVE-2023-30527 entry concerns Jenkins WSO2 Oauth Plugin versions 1.0 and earlier. The vulnerability is that the WSO2 Oauth client secret is stored unencrypted in the Jenkins controller’s global config.xml, making it viewable by users who have access to the Jenkins controller filesystem. The i...
Jenkins Plugin WSO2 Oauth Security Vulnerability
Jenkins and Jenkins Plugin are both Jenkins open source products. Jenkins is a software application: an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Plugin is a software application. A security vulnerability...
Amazon Linux 2023 : dbus-broker (ALAS2023-2023-080)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-080 advisory. An issue was discovered in dbus-broker before 31. It depends on c-util/c-shquote to parse the DBus service's Exec line. c-shquote contains a stack-based buffer over-read if a malicious Exec lin...
PT-2023-2252 · Unknown · Nginx Proxy Manager
Name of the Vulnerable Software and Affected Versions: NginxProxyManager version 2.9.19 Description: An issue in NginxProxyManager allows an attacker to execute arbitrary code via a lua script to the configuration file. The vulnerability is related to the lack of data sanitization at the manageme...
PT-2023-16644 · Seacms · Seacms
Name of the Vulnerable Software and Affected Versions: SeaCMS version 11.6 Description: A problematic issue was found in the Picture Management component, specifically affecting some unknown functionality of the file /data/config.ftp.php. This issue leads to deserialization and can be exploited...
SUSE CVE-2006-2427
freshclam in (1) Clam AntiVirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h and earlier does not drop privileges before processing the config-file command line option, which allows local users to read portions of arbitrary files when an error message displays the first line of the target file...
SUSE CVE-2011-4782
Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter...
SUSE CVE-2012-1902
showconfigerrors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file...
SUSE CVE-2013-1090
The SUSE horde5 package before 5.0.2-2.4.1 sets incorrect ownership for certain configuration files and directories including /etc/apache2/vhosts.d, which allows local wwwrun users to gain privileges via unspecified vectors...
SUSE CVE-2013-2119
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem...
SUSE CVE-2016-6794
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for...
SUSE CVE-2017-12778
The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows an attacker to gain unauthorized access to qBittorrent functions by tampering with the affected flag value of the config file at the C:\Users\Roaming\qBittorrent pathname. The attacker must change the...
SUSE CVE-2017-1000104
The Config File Provider Plugin is used to centrally manage configuration files that often include secrets, such as passwords. Users with only Overall/Read access to Jenkins were able to access URLs directly that allowed viewing these files. Access to view these files now requires sufficient...
SUSE CVE-2019-3700
yast2-security didn't use secure defaults to protect passwords. This became a problem on 2019-10-07 when configuration files that set secure settings were moved to a different location. As of the 20191022 snapshot the insecure default settings were used until yast2-security switched to stronger...
SUSE CVE-2019-3800
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the...
SUSE CVE-2019-16542
Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system...
SUSE CVE-2021-32802
Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several...
SUSE CVE-2022-31213
An issue was discovered in dbus-broker before 31. Multiple NULL pointer dereferences can be found when supplying a malformed XML config file...