Linux Distros Unpatched Vulnerability : CVE-2021-39211
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server...
Linux Distros Unpatched Vulnerability : CVE-2018-12227
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before...
CVE-2025-48045
CVE-2025-48045 is an unauthenticated risk in the NetFax Server family where an HTTP GET to /client.php discloses the default administrator credentials. The entry carries CVSS v4.0 base metrics (AV:N/AC:L/PR:N/UI:N/SI:N/VI:N/VA:N; Confidentiality High). Red Hat and NVD records corroborate the exac...
CVE-2024-9802 Conformance validation endpoint discloses detail about service to unauthenticated users
The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The...
CasGate Security Vulnerability
CasGate is an open source identity and access management software from the CasGate project. A security vulnerability exists in versions of CasGate prior to 0.1.0, which stems from a vulnerability that allows an unauthenticated, remote attacker to obtain sensitive information via a GET request to ...
CVE-2024-29199
CVE-2024-29199 affects Nautobot, where multiple URL endpoints were accessible to unauthenticated users due to default EXEMPT_VIEW_PERMISSIONS behavior. The root cause is improper access control exposing data unless permissions are explicitly granted. The vulnerability is mitigated by fixes in Nau...
GHSA-M732-WVH2-7CQ4 Unauthenticated views may expose information to anonymous users
Impact: A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated anonymous users, including the following: /api/graphql/ and /api/users/users/session/ (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes...
Design/Logic Flaw
A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 All versions = V2.0 = V2.0 V2.1. The export endpoint discloses some undocumented files. This could allow an unauthenticated remote attacker to gain access to additional information resources...
CVE-2022-34776 Tabit - giftcard stealth
Tabit - giftcard stealth. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described APIs has in its URL one or more MongoDB IDs which is not...
resteasy: Error message exposes endpoint class information
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The...
CVE-2021-39884
CVE-2021-39884 affects GitLab Enterprise Edition (EE) back to 8.13; an endpoint reveals the names of private groups that have access to a project to low-privilege users embedded in that project. The root cause and exact vulnerable component are not expanded beyond “an endpoint discloses group nam...
Cross-site request forgery (CSRF)
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request...
CVE-2019-5463
An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6...
UBUNTU-CVE-2018-12227
An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP request, they respond with a 403 forbidden. However,...
FreeBSD : asterisk -- PJSIP endpoint presence disclosure when using ACL (0137167b-6dca-11e8-a671-001999f8d30b)
The Asterisk project reports: When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot ...
Shopify: A 'Full access' administrator is able to see the shop owners user details
Description: A 'Full access' administrator is usually forbidden to see the shop owner's user profile. But the endpoint shop.myshopify.com/admin/users.json does disclose the shop owner's profile. As the user listing includes all fields of users, this leaks the user details of the shop owner. ...