CWE-497

321 CVEs • Abstraction: Base

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

CVEs (321)

Each entry lists: Vendor | Product | Updated | Published | CVSS v4 / v3 / v2, followed by the CVE description.

Vendor: - | Product: - | Updated: Jan 17, 2025 | Published: Jan 17, 2025 | CVSS v4: 5.6 MEDIUM | v3: 4.4 MEDIUM | v2: N/A
A valid set of credentials in a .js file and a static token for communication were obtained from the decompiled IPA. An attacker could use the information to disrupt normal use of the application by changing the translation files and thus weaken the integrity of normal use.

Vendor: - | Product: - | Updated: Jan 15, 2025 | Published: Jan 15, 2025 | CVSS v4: N/A | v3: 5.5 MEDIUM | v2: N/A
A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal database. In the worst-case scenario, where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

Vendor: Sap | Product: Businessobjects Business Intelligence Platform | Updated: Oct 24, 2025 | Published: Jan 14, 2025 | CVSS v4: N/A | v3: 9.1 CRITICAL | v2: N/A
SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. An attacker can access and modify all the data of the application.

Vendor: - | Product: - | Updated: Jan 14, 2025 | Published: Jan 14, 2025 | CVSS v4: N/A | v3: 6.0 MEDIUM | v2: N/A
Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.

Vendor: - | Product: - | Updated: Jan 14, 2025 | Published: Jan 14, 2025 | CVSS v4: N/A | v3: 6.0 MEDIUM | v2: N/A
SAP GUI for Java saves user input on the client PC to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.

Vendor: - | Product: - | Updated: Jan 14, 2025 | Published: Jan 14, 2025 | CVSS v4: N/A | v3: 6.0 MEDIUM | v2: N/A
SAP GUI for Windows stores user input on the client PC to improve usability. Under very specific circumstances an attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application.

Vendor: Ibm | Product: Security Qradar Edr | Updated: Jul 15, 2025 | Published: Jan 7, 2025 | CVSS v4: N/A | v3: 5.3 MEDIUM | v2: N/A
IBM Security ReaQta 3.12 returns sensitive information in an HTTP response that could be used in further attacks against the system.

Vendor: Ibm | Product: Concert | Updated: Jul 18, 2025 | Published: Jan 7, 2025 | CVSS v4: N/A | v3: 7.5 HIGH | v2: N/A
IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could disclose sensitive system information to an unauthorized actor that could be used in further attacks against the system.

Vendor: - | Product: - | Updated: Dec 30, 2024 | Published: Dec 30, 2024 | CVSS v4: 4.8 MEDIUM | v3: N/A | v2: N/A
Infinix devices contain a pre-loaded "com.rlk.weathers" application that exposes an unsecured content provider. An attacker can communicate with the provider and reveal the user's location without any privileges. After multiple attempts to contact the vendor we did not receive any answer. We suppose this issue affects all Infinix Mobile devices.

Vendor: - | Product: - | Updated: Dec 23, 2024 | Published: Dec 23, 2024 | CVSS v4: N/A | v3: 5.9 MEDIUM | v2: N/A
Multiple SHARP routers contain an improper authentication vulnerability in the configuration backup function. The product's backup files containing sensitive information may be retrieved by a remote unauthenticated attacker.

Vendor: - | Product: - | Updated: Apr 29, 2026 | Published: Dec 16, 2024 | CVSS v4: N/A | v3: 7.5 HIGH | v2: N/A
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tobias Keller WP-NERD Toolkit wp-nerd-toolkit. This issue affects WP-NERD Toolkit: from n/a through <= 1.1.

Vendor: Ibm | Product: Infosphere Information Server | Updated: Mar 11, 2025 | Published: Dec 11, 2024 | CVSS v4: N/A | v3: 6.5 MEDIUM | v2: N/A
IBM InfoSphere DataStage Flow Designer (InfoSphere Information Server 11.7) could allow an authenticated user to obtain sensitive information that could aid in further attacks against the system.

Vendor: Sap | Product: Businessobjects Business Intelligence Platform | Updated: Oct 28, 2025 | Published: Dec 10, 2024 | CVSS v4: N/A | v3: 5.3 MEDIUM | v2: N/A
Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted. This has low impact on Confidentiality with no impact on Integrity and Availability of the application.

Vendor: Analytify | Product: Analytify Google Analytics Dashboard | Updated: Apr 23, 2026 | Published: Dec 9, 2024 | CVSS v4: N/A | v3: 6.5 MEDIUM | v2: N/A
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Adnan Analytify wp-analytify. This issue affects Analytify: from n/a through <= 5.4.3.

Vendor: - | Product: - | Updated: Dec 3, 2024 | Published: Dec 3, 2024 | CVSS v4: N/A | v3: 4.3 MEDIUM | v2: N/A
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.

Vendor: Ibm | Product: Cognos Controller | Updated: Dec 11, 2024 | Published: Dec 3, 2024 | CVSS v4: N/A | v3: 5.3 MEDIUM | v2: N/A
IBM Cognos Controller 11.0.0 and 11.0.1 exposes server details that could allow an attacker to obtain information of the application environment to conduct further attacks.

Vendor: - | Product: - | Updated: Apr 23, 2026 | Published: Nov 30, 2024 | CVSS v4: N/A | v3: 5.3 MEDIUM | v2: N/A
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ideinteractive Content Audit Exporter content-audit-exporter allows Retrieve Embedded Sensitive Data. This issue affects Content Audit Exporter: from n/a through <= 1.1.

Vendor: - | Product: - | Updated: Nov 28, 2024 | Published: Nov 28, 2024 | CVSS v4: 5.7 MEDIUM | v3: 5.5 MEDIUM | v2: N/A
The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission and cannot be shown to users, but the environment is still exposed by systemd to non-privileged users.

Vendor: Gitlab | Product: Gitlab | Updated: Dec 13, 2024 | Published: Nov 26, 2024 | CVSS v4: N/A | v3: 5.3 MEDIUM | v2: N/A
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.

Vendor: - | Product: - | Updated: Nov 26, 2024 | Published: Nov 26, 2024 | CVSS v4: N/A | v3: 4.3 MEDIUM | v2: N/A
A vulnerability exists in NSD570 that allows any authenticated user to access all device logs disclosing login information with timestamps.