Search
Search Results (26 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48941 | 1 Mybb | 1 Mybb | 2025-07-02 | 5.3 Medium |
| MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue. | ||||
| CVE-2024-9099 | 1 Lunary | 1 Lunary | 2025-04-10 | 8.1 High |
| In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend. | ||||
| CVE-2025-1921 | 1 Google | 1 Chrome | 2025-04-01 | 6.5 Medium |
| Inappropriate implementation in Media Stream in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to obtain information about a peripheral via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2023-1974 | 1 Answer | 1 Answer | 2025-02-07 | 6.5 Medium |
| Exposure of Sensitive Information Through Metadata in GitHub repository answerdev/answer prior to 1.0.8. | ||||
| CVE-2024-53291 | 1 Dell | 1 Nativeedge Orchestrator | 2025-01-29 | 7.5 High |
| Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Exposure of Sensitive Information Through Metadata vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | ||||
| CVE-2021-4159 | 3 Debian, Linux, Redhat | 3 Debian Linux, Linux Kernel, Enterprise Linux | 2024-11-21 | 4.4 Medium |
| A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. | ||||