Export limit exceeded: 26069 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (26069 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2408 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 4.3 Medium |
| The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels. | ||||
| CVE-2023-27265 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 2.7 Low |
| Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response. | ||||
| CVE-2023-27266 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 2.7 Low |
| Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response. | ||||
| CVE-2023-1562 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 3.5 Low |
| Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner. | ||||
| CVE-2023-1775 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 4.3 Medium |
| When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients. | ||||
| CVE-2023-1777 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 6.5 Medium |
| Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message. | ||||
| CVE-2023-1831 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 7.2 High |
| Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). | ||||
| CVE-2023-2281 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 3.1 Low |
| When archiving a team, Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display name, description, and other data about the archived team. | ||||
| CVE-2023-2514 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 6.7 Medium |
| Mattermost Sever fails to redact the DB username and password before emitting an application log during server initialization. | ||||
| CVE-2023-2808 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 4.3 Medium |
| Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link. | ||||
| CVE-2023-2792 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 6.5 Medium |
| Mattermost fails to sanitize ephemeral error messages, allowing an attacker to obtain arbitrary message contents by a specially crafted /groupmsg command. | ||||
| CVE-2024-11159 | 2 Mozilla, Redhat | 6 Thunderbird, Enterprise Linux, Rhel Aus and 3 more | 2024-12-06 | 5.3 Medium |
| Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird < 128.4.3 and Thunderbird < 132.0.1. | ||||
| CVE-2022-42792 | 1 Apple | 2 Ipados, Iphone Os | 2024-12-06 | 5.5 Medium |
| This issue was addressed with improved data protection. This issue is fixed in iOS 16.1 and iPadOS 16. An app may be able to read sensitive location information | ||||
| CVE-2023-34110 | 1 Flask-appbuilder Project | 1 Flask-appbuilder | 2024-12-06 | 2.7 Low |
| Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2. | ||||
| CVE-2023-2991 | 1 Globalscape | 1 Eft Server | 2024-12-06 | 5.3 Medium |
| Fortra Globalscape EFT's administration server suffers from an information disclosure vulnerability where the serial number of the harddrive that Globalscape is installed on can be remotely determined via a "trial extension request" message | ||||
| CVE-2024-28103 | 2 Rails, Rubyonrails | 2 Rails, Rails | 2024-12-06 | 5.4 Medium |
| Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3. | ||||
| CVE-2023-25500 | 1 Vaadin | 1 Vaadin | 2024-12-05 | 3.5 Low |
| Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. | ||||
| CVE-2023-25499 | 1 Vaadin | 1 Vaadin | 2024-12-05 | 5.7 Medium |
| When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure. | ||||
| CVE-2023-21192 | 1 Google | 1 Android | 2024-12-04 | 7.8 High |
| In setInputMethodWithSubtypeIdLocked of InputMethodManagerService.java, there is a possible way to setup input methods that are not enabled due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227207653 | ||||
| CVE-2023-33201 | 2 Bouncycastle, Redhat | 10 Bc-java, Amq Broker, Amq Streams and 7 more | 2024-12-04 | 5.3 Medium |
| Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability. | ||||