3856 matches found

Huntr | added 2022/06/08 3:30 a.m. | 7 views

Generation of Error Message Containing Sensitive Information

Description: The software generates an error message that includes sensitive information about its environment, users, or associated data. Proof of Concept: When logging in, the login page will tell you whether or not a username exists, which is a vulnerability since it can be paired with the lack o...

AI score 0.4 | Exploits: 0 | References: 2
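The Huntr report above describes a login page whose failure text reveals whether a username exists. The Python below is an added example, not code from the Huntr report or from the affected software, that shows why this is an oracle: a verbose login handler beside a uniform one, and the enumeration loop an attacker runs against each. The user store, salt, iteration count and candidate names are constructed for the example.

```python
import hashlib
import hmac

# Constructed example data: a fixed salt and a low iteration count keep the
# demo fast; production code uses a random per-user salt and far more rounds.
_SALT = b"demo-salt-not-for-production"
_ROUNDS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ROUNDS)


USERS = {"alice": _hash("correct horse battery staple")}  # constructed user store
_DUMMY_HASH = _hash("dummy")  # hashed against for unknown users so timing stays flat


def login_verbose(username: str, password: str) -> tuple:
    """Vulnerable: the failure text says which of the two checks failed."""
    if username not in USERS:
        return False, "Unknown username"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return False, "Incorrect password"
    return True, "Welcome"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: one message for every failure, and the password is hashed
    whether or not the user exists, so neither text nor timing reveals it."""
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    return ok, ("Welcome" if ok else "Invalid username or password")


def enumerate_users(login, candidates: list) -> list:
    """Attacker's oracle: a candidate 'exists' when its failure message differs
    from the one returned for an obviously bogus username."""
    baseline = login("no-such-user-0xdead", "wrong")[1]
    return [u for u in candidates if login(u, "wrong")[1] != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("verbose login leaks:", enumerate_users(login_verbose, names))
    print("uniform login leaks:", enumerate_users(login_uniform, names))
```

The message fix alone is not enough: if the handler returns early for unknown users without hashing, response time still separates the two cases, which is why login_uniform always runs the hash against a dummy digest.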
Prion | added 2022/06/02 2:15 p.m. | 18 views

Design/Logic Flaw

Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, exposes a license file upload mechanism. By tweaking the license file name, the returned error message exposes internal directory path details...

CVSS 5 | AI score 5.4 | EPSS 0.00717 | Exploits: 0 | References: 2 | Affected Software: 1
Tenable Nessus | added 2022/05/26 12:00 a.m. | 39 views

EulerOS 2.0 SP3 : gdk-pixbuf2 (EulerOS-SA-2022-1721)

According to the versions of the gdk-pixbuf2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and...

CVSS 7.5 | AI score 6.5 | EPSS 0.0347 | Exploits: 1 | References: 2
OSV | added 2022/05/24 5:19 p.m. | 17 views

GHSA-QMF3-W5JF-CV54 XSS vulnerability in Jenkins Subversion Partial Release Manager Plugin

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation. This results in a reflected cross-site scripting (XSS) vulnerability that can also be exploited similarly to a stored cross-site scripting vulnerability by users...

CVSS 6.1 | AI score 6 | EPSS 0.06189 | Exploits: 0 | References: 4
OSV | added 2022/05/24 5:08 p.m. | 26 views

GHSA-X3PR-FCGM-WJGC Subversion Plugin stored XSS vulnerability

Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability. Subversion Plugin 2.13.1 escapes the affected part of the error message...

CVSS 5.4 | AI score 6.4 | EPSS 0.00922 | Exploits: 0 | References: 5
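Both Jenkins Subversion entries above, and the TYPO3, phpCAS and phpMyAdmin openid.php entries further down, describe the same defect: a validation routine copies the submitted value into its error message without HTML-escaping it. The Python below is an added example, not code from Jenkins or any of those projects, of a repository-URL validator in its vulnerable and escaped forms together with the probe a tester uses to tell them apart. The allowed scheme list and the probe payload are constructed for the example.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https", "svn", "svn+ssh", "file")  # assumed policy


def validate_repo_url_vulnerable(url: str) -> str:
    """Returns an HTML fragment for the form. The submitted value is
    interpolated raw into the error text, so any markup in it is rendered."""
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        return f'<div class="error">Unsupported repository URL: {url}</div>'
    return '<div class="ok">Repository URL looks valid</div>'


def validate_repo_url_fixed(url: str) -> str:
    """Same check, but the echoed value is HTML-escaped (quotes included)
    before it is placed in the error message."""
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        safe = html.escape(url, quote=True)
        return f'<div class="error">Unsupported repository URL: {safe}</div>'
    return '<div class="ok">Repository URL looks valid</div>'


# Constructed probe: a rejected scheme so the error branch runs, carrying a tag.
PAYLOAD = 'javascript:"><img src=x onerror=alert(1)>'


def reflects_markup(validator, payload: str = PAYLOAD) -> bool:
    """Tester's check: does the validator echo the probe's tag unescaped?"""
    return "<img src=x onerror=" in validator(payload)


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(validate_repo_url_vulnerable))
    print("fixed reflects markup:     ", reflects_markup(validate_repo_url_fixed))
    print(validate_repo_url_fixed(PAYLOAD))
```

The probe deliberately fails validation, because the error branch is the only one that echoes input; a value that passes validation is never reflected. In the stored variant the advisories mention, the same validator runs against a value already saved in the job configuration, so the escaping must sit in the validator itself rather than in the submission path.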
OSV | added 2022/05/17 5:31 a.m. | 5 views

GHSA-JW86-5CJF-MV79 HTML Purifier allows remote attackers to obtain sensitive information

HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...

CVSS 6.9 | AI score 5.9 | EPSS 0.01372 | Exploits: 1 | References: 5
OSV | added 2022/05/17 5:31 a.m. | 15 views

GHSA-R7P6-FR3X-R877 CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a .php file

CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by dispatcher.php and certain other files...

CVSS 5 | AI score 6 | EPSS 0.01372 | Exploits: 1 | References: 5
OSV | added 2022/05/17 4:49 a.m. | 15 views

GHSA-MM32-JW73-9227 Plone is vulnerable to File System Path Exposure

The WYSIWYG component wysiwyg.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message...

CVSS 6.3 | AI score 5.9 | EPSS 0.01204 | Exploits: 0 | References: 7
Github Security Blog | added 2022/05/17 1:29 a.m. | 23 views

TYPO3 Cross-site scripting (XSS) vulnerability in the Extbase Framework

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in the Extbase Framework in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6, when the Rewritten Property Mapper is enabled, allows remote attackers t...

CVSS 2.6 | AI score 5.9 | EPSS 0.0164 | Exploits: 0 | References: 8 | Affected Software: 1
Github Security Blog | added 2022/05/17 1:29 a.m. | 19 views

TYPO3 Flow Cross-site scripting (XSS) vulnerability

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW3) 1.1.x before 1.1.1 and 2.0.x before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message...

CVSS 4.3 | AI score 6 | EPSS 0.01187 | Exploits: 0 | References: 9 | Affected Software: 2
Malwarebytes | added 2022/05/16 10:00 a.m. | 18 views

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

This blog post was authored by Hossein Jazi and Jérôme Segura. Populations around the world, and in Europe in particular, are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information. Although all countries have reasons to be...

Exploits: 0
OSV | added 2022/05/14 2:08 a.m. | 17 views

GHSA-WM9C-VCV2-VPQC phpMyAdmin full path disclosure vulnerability

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory...

CVSS 5.3 | AI score 6.7 | EPSS 0.02616 | Exploits: 0 | References: 12
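The HTML Purifier, CakePHP, Plone and phpMyAdmin full-path-disclosure entries above share one mechanism: a request that reaches a script outside its intended entry point, or feeds it unexpected data, produces an error page that prints the script's absolute location on disk. The Python below is an added example, not code from any of those projects, of the check a tester runs over such responses: it strips markup and scans the body for absolute filesystem paths. The path prefixes are an assumed allow-list and the three response bodies are constructed for the example, not captured from the affected software.

```python
import re

# Absolute paths as they appear in PHP or Python error output: Unix paths
# rooted at a few common prefixes (assumed list), and Windows drive paths.
_UNIX_PATH = r"(?<![\w/])/(?:var|usr|home|srv|opt|www|app|Users)(?:/[\w.\-]+)+"
_WIN_PATH = r"[A-Za-z]:\\(?:[\w.\-]+\\)+[\w.\-]+"
_PATH_RE = re.compile(f"{_UNIX_PATH}|{_WIN_PATH}")
_TAG_RE = re.compile(r"<[^>]+>")


def find_disclosed_paths(body: str) -> list:
    """Return the distinct absolute paths found in a response body, in order
    of first appearance. Markup is removed first because PHP wraps the file
    name in <b>...</b>, which would otherwise split the match."""
    text = _TAG_RE.sub("", body)
    found = []
    for match in _PATH_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


# Constructed sample responses (not captured from the affected software).
SAMPLE_PHP = (
    "<br />\n<b>Fatal error</b>:  Uncaught Error: Class 'UnitTestCase' not found "
    "in <b>/var/www/htmlpurifier/tests/PHPT/Reporter/SimpleTest.php</b> "
    "on line <b>9</b><br />\n"
)
SAMPLE_WIN = (
    "<b>Warning</b>: include(cake/bootstrap.php): failed to open stream in "
    "<b>C:\\inetpub\\wwwroot\\cake\\dispatcher.php</b> on line <b>42</b>"
)
SAMPLE_CLEAN = "<html><body><h1>404 Not Found</h1></body></html>"


if __name__ == "__main__":
    for label, body in (("php", SAMPLE_PHP), ("win", SAMPLE_WIN), ("clean", SAMPLE_CLEAN)):
        print(label, find_disclosed_paths(body))
```

The relative name inside include(...) in SAMPLE_WIN is deliberately ignored: only an absolute path tells an attacker where the application lives, which is what turns a harmless warning into the finding these advisories describe. On the defensive side, the fix is the same for all four products: display_errors off (or the framework's production error mode) so the path never reaches the client, with the detail going to a server-side log instead.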
OSV | added 2022/05/14 2:08 a.m. | 23 views

GHSA-MWM8-36C5-J5CF phpMyAdmin Cross-site scripting (XSS) vulnerability

Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message...

CVSS 6.1 | AI score 6.8 | EPSS 0.01761 | Exploits: 0 | References: 13
Github Security Blog | added 2022/05/13 1:13 a.m. | 30 views

phpCAS client library and Moodle Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message...

CVSS 4.3 | AI score 6 | EPSS 0.01813 | Exploits: 0 | References: 8 | Affected Software: 2
OSV | added 2022/05/13 1:13 a.m. | 17 views

GHSA-45CH-HXGR-VX8J phpCAS client library and Moodle Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message...

CVSS 4.3 | AI score 5.2 | EPSS 0.01813 | Exploits: 0 | References: 8
GitLab Advisory Database | added 2022/05/13 12:00 a.m. | 29 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message...

CVSS 4.3 | AI score 6 | EPSS 0.01813 | Exploits: 0 | References: 8 | Affected Software: 1
Cvelist | added 2022/05/12 7:48 p.m. | 12 views

CVE-2022-22798 Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control

Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control, v20.4.74 b10, v22.1.20 b62, v22.1.30 b49: an attacker logs in as a guest, after which the system redirects them to the service portal (EndUserPortal.JSP); they then change the path in the URL to /ConcurrentLogin%2ejsp...

CVSS 6.8 | AI score 8.8 | EPSS 0.00556 | Exploits: 0 | References: 1
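The SysAid entry above is cut off, but the one step it does give, rewriting the path to /ConcurrentLogin%2ejsp, is the signature of an access check that compares the raw request path against a list of protected pages while the application server decodes %2e to "." before it picks the page to serve. The Python below is an added example, not SysAid code, of that mismatch: a gate that matches the path as received, a gate that canonicalizes first, and the variants a tester tries against each. The protected-page list and the page names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical access-control list: pages a guest session must not reach.
PROTECTED = {"/ConcurrentLogin.jsp", "/Admin.jsp"}


def canonicalize(path: str) -> str:
    """Percent-decode (twice, to cover double encoding), then collapse '.',
    '..' and repeated slashes so the check sees the path the dispatcher will
    resolve. Leading slashes are squashed first because POSIX normpath keeps
    a leading '//' as-is."""
    decoded = unquote(unquote(path))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def gate_raw(path: str, is_guest: bool) -> bool:
    """Vulnerable: decides on the request path exactly as received."""
    return not (is_guest and path in PROTECTED)


def gate_canonical(path: str, is_guest: bool) -> bool:
    """Fixed: decides on the canonical form that will actually be served."""
    return not (is_guest and canonicalize(path) in PROTECTED)


def bypass_variants(page: str) -> list:
    """Encodings a tester tries for a protected page like /ConcurrentLogin.jsp."""
    name = page.lstrip("/")
    return [
        "/" + name.replace(".", "%2e"),    # /ConcurrentLogin%2ejsp (the advisory's step)
        "/" + name.replace(".", "%252e"),  # double-encoded dot
        "/./" + name,                      # dot segment
        "//" + name,                       # doubled leading slash
        "/x/../" + name,                   # parent traversal
    ]


def check_gate(gate, page: str = "/ConcurrentLogin.jsp") -> list:
    """Variants through which a guest session reaches the protected page."""
    return [v for v in bypass_variants(page) if gate(v, is_guest=True)]


if __name__ == "__main__":
    print("raw gate lets a guest through via:", check_gate(gate_raw))
    print("canonical gate lets a guest through via:", check_gate(gate_canonical))
```

Decoding twice is the conservative choice for an authorization decision: it can only move a path toward the protected set, never away from it. The robust design is to not pre-compute the path at all and instead enforce the check where the container has already resolved the target (a filter keyed on the resolved servlet path, or access control inside the page itself), so the two views of the URL cannot drift apart.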
CNVD | added 2022/05/09 12:00 a.m. | 12 views

Unspecified Vulnerability in IBM Guardium Data Encryption (CNVD-2022-41644)

IBM Guardium Data Encryption (GDE) is a data security and compliance product from IBM (USA). A security vulnerability exists in GDE: a remote attacker could exploit it to obtain sensitive information when a technical error...

CVSS 7.5 | AI score 6.1 | EPSS 0.00789 | Exploits: 0 | References: 1
Cvelist | added 2022/05/06 3:55 p.m. | 12 views

CVE-2021-39023

IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 213860...

CVSS 2.7 | AI score 7.1 | EPSS 0.00789 | Exploits: 0 | References: 2
CNVD | added 2022/05/05 12:00 a.m. | 29 views

JetBrains IntelliJ IDEA Cross-Site Scripting Vulnerability

JetBrains IntelliJ IDEA is an integrated development environment for Java from JetBrains (Czech Republic). A cross-site scripting vulnerability exists in versions prior to JetBrains IntelliJ IDEA 2022.1, which stems from an error message in the internal web server that lacks a...

CVSS 6.1 | AI score 3.8 | EPSS 0.00358 | Exploits: 0 | References: 1