LibreChat Security Vulnerability
LibreChat is an enhanced ChatGPT clone by Danny Avila (personal developer). A security vulnerability exists in LibreChat that stems from a lack of proper filtering when automatically binding user-supplied data to internal object properties or database fields, which could lead to manipulation and...
CVE-2025-54831
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was...
Linux Distros Unpatched Vulnerability : CVE-2023-41321
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - GLPI (Gestionnaire Libre de Parc Informatique) is a free Asset and IT Management Software package that provides ITIL Service Desk features, licenses...
CVE-2024-35189
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve ConnectionConfiguration records and their associated secrets, which can contain sensitive data, e.g. passwords, private keys, etc. These secrets are stored encrypted at rest in the...
CVE-2025-46720
Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...
CVE-2025-46720 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...
CVE-2024-46918
app/Controller/UserLoginProfilesController.php in MISP before 2.4.198 does not prevent an org admin from viewing sensitive login fields of another org admin in the same org...
Sensitive Information Disclosure
ethycafides is vulnerable to Information Disclosure. The vulnerability is due to improper masking of nested sensitive fields such as privatekey in the BigQuery connection configuration, which allows an attacker to expose the sensitive fields in plaintext via certain API endpoints...
Directus allows redacted data extraction on the API through "alias"
Summary: A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the alias functionality on the API. Normally, these redacted fields will return however, if we change the request to ?aliasworkaround=redacted, we can instead retrieve the...
CVE-2024-27930 Sensitive fields access through dropdowns in GLPI
GLPI is a free Asset and IT Management Software package covering data center management, ITIL Service Desk, license tracking and software auditing. An authenticated user can access sensitive field data from items on which they have read access. This issue has been patched in version 10.0.13...
BIT-SUITECRM-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, GraphQL introspection is enabled without authentication, exposing the schema defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...
CVE-2023-45696
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser...
Design/Logic Flaw
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser...
CVE-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, GraphQL introspection is enabled without authentication, exposing the schema defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire...
SalesAgility SuiteCRM Security Breach
SalesAgility SuiteCRM is a suite of enterprise-grade, open source Customer Relationship Management (CRM) software from SalesAgility UK. A security vulnerability exists in SalesAgility SuiteCRM versions prior to 8.4.2 that stems from GraphQL introspection being enabled without authentication,...
PT-2023-30736 · Strapi · Strapi Protected Populate Plugin
Name of the Vulnerable Software and Affected Versions: Strapi Protected Populate Plugin versions prior to 1.3.4. Description: The issue allows users to bypass field-level security, enabling them to populate fields they do not have access to. This affects GET endpoints, which are protected by the...
Information Disclosure
Label Studio is vulnerable to Information Disclosure. This vulnerability exists due to improper sensitive field restrictions in the object-relational mapper in serializers.py, allowing an attacker to access and sensitive filters...
PYSEC-2023-275
Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on t...