CVE-2022-27544 HCL BigFix Web Reports authorized users may see sensitive information in clear text

BigFix Web Reports authorized users may see SMTP credentials in clear text...

CVE-2022-27544

BigFix Web Reports authorized users may see SMTP credentials in clear text...

CVE-2022-1794 Plaintext Storage of a password in CODESYS V3 OPC DA Server

The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system...

CVE-2022-22967

Removed by vendor...

CVE-2021-28509

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to...

GHSA-H77W-655F-6J3M Silverstripe CMS malicious file upload enables script execution

Silverstripe CMS through 4.5 can be susceptible to script execution from malicious upload contents under allowed file extensions for example HTML code in a TXT file. When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents. Upload...

CVE-2020-4047

In affected versions of WordPress, authenticated users with upload permissions like authors are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has...

Cross site scripting

Stored XSS via upload plugin functionality in zip format in GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine...

Cross site scripting

Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to...

CVE-2022-26516

Authorized users may install a maliciously modified package file when updating the device via the web user interface. The user may inadvertently use a package file obtained from an unauthorized source or a file that was compromised between download and deployment...

Code injection

Authorized users may install a maliciously modified package file when updating the device via the web user interface. The user may inadvertently use a package file obtained from an unauthorized source or a file that was compromised between download and deployment...

CVE-2022-26516 ICSA-22-104-03 Red Lion DA50N

Authorized users may install a maliciously modified package file when updating the device via the web user interface. The user may inadvertently use a package file obtained from an unauthorized source or a file that was compromised between download and deployment...

Red Lion DA50N 数据伪造问题漏洞

The Red Lion DA50N is a series of secure edge network gateways from Red Lion, U.S.A. The Red Lion DA50N is vulnerable to a data forgery issue that stems from the possibility that an authorized user could install a maliciously modified package file when updating the device via the Web UI, and that...

Denial of service

Mattermost Playbooks plugin v1.24.0 and earlier fails to properly check the limit on the number of webhooks, which allows authenticated and authorized users to create a specifically drafted Playbook which could trigger a large amount of webhook requests leading to Denial of Service...

CVE-2021-38971

IBM Data Virtualization on Cloud Pak for Data 1.3.0, 1.4.1, 1.5.0, 1.7.1 and 1.7.3 could allow an authorized user to bypass data masking rules and obtain sensitve information. IBM X-Force ID: 212620...

CVE-2022-25243

"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allowsubdomains is set to false. Fixed in Vault Enterprise 1.8.9...

HashiCorp Vault 信任管理问题漏洞

HashiCorp Vault is a private key access management tool from the US-based HashiCorp. HashiCorp Vault versions 1.8.0 through 1.8.8 and 1.9.3 have a trust management issue vulnerability that allows the PKI confidentiality engine to issue wildcard certificates to authorized users in specified domain...

CVE-2022-25243

"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allowsubdomains is set to false. Fixed in Vault Enterprise 1.8.9...

Server Side Request Forgery (SSRF) in Kubernetes

The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery SSRF that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints...

DataEase 安全漏洞

DataEase is an open source data visualization and analysis tool. An access control error vulnerability exists in DataEase, which stems from the fact that the product allows authorized users to access all user information and change administrator passwords. No details of the vulnerability are...