Chain Sea Information Integration Co., Ltd Security Vulnerabilities

Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Mattermost fails to check whether the "Allow users to view archived channels" setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the "Allow users to view archived channels" setting is...

Time-Based Information Disclosure Vulnerability in Flow

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were...

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a denial of service due to Eclipse Jetty (CVE-2024-22201)

Summary IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit are vulnerable to a denial of service due to Eclipse Jetty. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-22201 DESCRIPTION: **Eclipse Jetty is...

CVE-2024-37680

Hangzhou Meisoft Information Technology Co., Ltd. FineSoft <=8.0 is affected by Cross Site Scripting (XSS) which allows remote attackers to execute arbitrary code. Enter any account and password, click Login, the page will report an error, and a controllable parameter will appear at the...

Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the full name of another user even if the Show Full Name option was...

Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing...

Puppet Server/PuppetDB - Sensitive Information Disclosure

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information when left...

Cisco RV132W/RV134W Router - Information Disclosure

Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device via the web interface, which could lead to the disclosure of confidential...

Events information leaked with shared calendars on recurrence exceptions

Description Impact Private shared calendar events' recurrence exceptions can be read by sharees. Patches It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 It is recommended that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1...

AfterLogic Aurora and WebMail Pro < 7.7.9 - Information Disclosure

AfterLogic Aurora and WebMail Pro products with 7.7.9 and all lower versions are affected by this vulnerability, simply sending an HTTP GET request to WebDAV EndPoint with built-in “caldav_public_user@localhost” and it’s the predefined password “caldav_public_user” allows the attacker to read all.....

Lotus Domino R5 and R6 WebMail - Information Disclosure

Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and.....

Denial Of Service (DoS) / Information Disclosure

io.airlift: aircompressor is vulnerable to Denial Of Service (DoS) / Information Disclosure. The vulnerability is due to improper memory bounds checking during data decompression, caused by the use of the sun.misc.Unsafe class without additional safeguards. This can lead to out-of-bounds memory...

TYPO3 Information Disclosure in User Authentication

It has been discovered that login failures have been logged on the default stream with log level "warning" including plain-text user...

Digital Watchdog DW Spectrum Server 4.2.0.32842 - Information Disclosure

Digital Watchdog DW Spectrum Server 4.2.0.32842 allows attackers to access sensitive infromation via a crafted API...

LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those...

TYPO3 Information Disclosure in User Authentication

It has been discovered that login failures have been logged on the default stream with log level "warning" including plain-text user...

User Meta WP Plugin < 3.1 - Sensitive Information Exposure

The User Meta is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0 via the /views/debug.php file. This makes it possible for unauthenticated attackers, with to extract sensitive configuration...

TYPO3 Information Disclosure in Install Tool

The Install Tool exposes the current TYPO3 version number to non-authenticated...

Zend-Captcha Information Disclosure and Insufficient Entropy vulnerability

In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not...

New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea

By Waqas Unfading Sea Haze's modus operandi spans over five years, with evidence dating back to 2018, reveals Bitdefender Labs' investigation. This is a post from HackRead.com Read the original post: New APT Group "Unfading Sea Haze" Hits Military Targets in South China...

CVE-2023-38151

Microsoft Host Integration Server 2020 Remote Code Execution...

Exposure Of Sensitive Information To An Unauthorized Actor

Moodle is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. The vulnerability is due to misconfiguration in a shared hosting environment, allowing a user with access to restore workshop modules and direct access to the web server outside of the Moodle webroot to execute a...

TYPO3 Information Disclosure in Page Tree

It has been discovered backend users not having read access to specific pages still could see them in the page tree which actually should be disallowed. A valid backend user account is needed in order to exploit this...

Release Information for Veeam Backup & Replication 12.1 and Updates

Release Information for Veeam Backup & Replication 12.1 and...

TYPO3 Information Disclosure in Page Tree

It has been discovered backend users not having read access to specific pages still could see them in the page tree which actually should be disallowed. A valid backend user account is needed in order to exploit this...

Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability

In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not...

Zend-Captcha Information Disclosure and Insufficient Entropy vulnerability

In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not...

TYPO3 Information Disclosure in Install Tool

The Install Tool exposes the current TYPO3 version number to non-authenticated...

ZendFramework Potential Information Disclosure and Insufficient Entropy vulnerabilities

In Zend Framework 2, the Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available but will otherwise use PHP's mt_rand() function as a fallback. All outputs from mt_rand() are predictable for the same PHP process if an attacker can brute force the seed.....

Zendframework Potential Information Disclosure and Insufficient Entropy vulnerability

In Zend Framework, Zend_Captcha_Word (v1) and Zend\Captcha\Word (v2) generate a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this advisory, the selection was performed using PHP's internal array_rand() function. This function does not...

Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault

Hashicorp Vault may expose sensitive log information in...

ZendFramework Potential Information Disclosure and Insufficient Entropy vulnerabilities

In Zend Framework 2, the Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available but will otherwise use PHP's mt_rand() function as a fallback. All outputs from mt_rand() are predictable for the same PHP process if an attacker can brute force the seed.....

Security Bulletin: IBM QRadar Suite software is vulnerable to information exposure

Summary IBM QRadar Suite software is vulnerable to information exposure through cache data. This has been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability...

APM Server vulnerable to Insertion of Sensitive Information into Log File

An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original document. Depending on the nature of the document that the APM Server attempted to ingest, this...

Certain HP LaserJet Pro Printers – Potential Information Disclosure

A user with device administrative privileges can change existing SMTP server settings on the device, without having to re-enter SMTP server credentials. By redirecting send-to-email traffic to the new server, the original SMTP server credentials may potentially be exposed. Update your printer...

Aimeos HTML client may potentially reveal sensitive information in error log

Impact Debug information can reveal sensitive information from environment variables in error log Affected platform Laravel environments with multi-vendor setups and admin access for the...

Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium

Cilium leaks sensitive information in cilium-bugtool in...

Silverstripe CMS information disclosure

In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to.....

Aimeos HTML client may potentially reveal sensitive information in error log

Debug information can reveal sensitive information from environment variables in error...

[SECURITY] Fedora 39 Update: freeipa-4.12.1-1.fc39

IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Checkpoint Quantum Security Gateway Firmware

CVE-2024-24919 Bulk Scanner CVE-2024-24919 [Check Point...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Checkpoint Quantum Security Gateway Firmware

Vulnerability Scanner for CVE-2024-24919 (need Shodan API)...

Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an...

Aimeos HTML client may potentially reveal sensitive information in error log

Impact Debug information can reveal sensitive information from environment variables in error log Affected platform Laravel environments with multi-vendor setups and admin access for the...

Sensitive Information leak via Log File in Kubernetes

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects &lt;...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Checkpoint Quantum Security Gateway Firmware

CVE-2024-24919-POC Read about it -...

Advanced Contact form 7 DB <= 2.0.2 - Sensitive Information Exposure

Description The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data...

Information Disclosure

mantisbt/mantisbt is vulnerable to Information Disclosure. The vulnerability is due to insufficient access checks when generating hyperlinks for users who do not have access, allowing some information to be revealed via the link, link label, and...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Checkpoint Quantum Security Gateway Firmware

CVE-2024-24919-Exploit Overview This repository contains...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Checkpoint Quantum Security Gateway Firmware

...