In app/Model/MispObject.php in MISP 2.4.141, an incorrect sharing group association could lead to information disclosure on an event edit. When an object has a sharing group associated with an event edit, the sharing group object is ignored and instead the passed local ID is reused.
Max CVSS
7.5
EPSS Score
0.17%
Published
2021-04-23
Updated
2021-05-05
pgsync before 0.6.7 is affected by Information Disclosure of sensitive information. Syncing the schema with the --schema-first and --schema-only options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.
Max CVSS
7.5
EPSS Score
0.31%
Published
2021-04-27
Updated
2021-05-04
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.
Max CVSS
4.3
EPSS Score
0.07%
Published
2021-04-22
Updated
2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
Max CVSS
4.3
EPSS Score
0.06%
Published
2021-04-22
Updated
2022-07-12
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existence of certain deleted MediaWiki usernames, related to rev_deleted.
Max CVSS
5.3
EPSS Score
0.09%
Published
2021-04-22
Updated
2021-04-22
An Information Exposure vulnerability in the context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF by using a specially constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry 5.4.0 to 5.6.3, and Apache Tapestry 5.7.0 and 5.7.1.
Max CVSS
7.5
EPSS Score
0.66%
Published
2021-04-27
Updated
2022-10-27
The sensitive information of the webcam device is not properly protected. Remote attackers can obtain the user's credentials without authentication.
Max CVSS
7.5
EPSS Score
0.74%
Published
2021-04-28
Updated
2022-10-25
The sensitive information of the webcam device is not properly protected. Remote attackers can obtain the administrator's credentials without authentication and further control the devices.
Max CVSS
9.8
EPSS Score
1.72%
Published
2021-04-28
Updated
2022-10-25
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists.
Max CVSS
4.3
EPSS Score
0.08%
Published
2021-04-09
Updated
2022-07-12
An issue was discovered in LATRIX 0.6.0. SQL injection in the txtaccesscode parameter of inandout.php leads to information disclosure and code execution.
Max CVSS
9.8
EPSS Score
0.22%
Published
2021-04-02
Updated
2021-04-07
ManageWiki is an extension to the MediaWiki project. The 'wikiconfig' API leaked the value of private configuration variables set through the ManageWiki variable to all users. This has been patched by https://github.com/miraheze/ManageWiki/compare/99f3b2c8af18...befb83c66f5b.patch. If you are unable to patch, set `$wgAPIListModules['wikiconfig'] = 'ApiQueryDisabled';` or remove private config as a workaround.
Max CVSS
9.4
EPSS Score
0.19%
Published
2021-04-28
Updated
2021-05-08
WordPress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
Max CVSS
6.5
EPSS Score
0.46%
Published
2021-04-15
Updated
2021-04-23
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
Max CVSS
5.5
EPSS Score
0.04%
Published
2021-04-12
Updated
2021-10-20
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.
Max CVSS
8.0
EPSS Score
0.07%
Published
2021-04-13
Updated
2021-10-20
Microsoft Excel Information Disclosure Vulnerability
Max CVSS
5.5
EPSS Score
0.86%
Published
2021-04-13
Updated
2023-12-29
Windows Portmapping Information Disclosure Vulnerability
Max CVSS
7.1
EPSS Score
0.04%
Published
2021-04-13
Updated
2023-12-30
Windows TCP/IP Information Disclosure Vulnerability
Max CVSS
6.5
EPSS Score
1.92%
Published
2021-04-13
Updated
2023-12-29
Windows Hyper-V Information Disclosure Vulnerability
Max CVSS
6.5
EPSS Score
0.04%
Published
2021-04-13
Updated
2023-12-29
Windows Installer Information Disclosure Vulnerability
Max CVSS
5.5
EPSS Score
0.04%
Published
2021-04-13
Updated
2023-12-29
Windows Event Tracing Information Disclosure Vulnerability
Max CVSS
5.5
EPSS Score
0.04%
Published
2021-04-13
Updated
2023-12-29
Windows DNS Information Disclosure Vulnerability
Max CVSS
6.5
EPSS Score
1.92%
Published
2021-04-13
Updated
2023-12-29
Windows SMB Information Disclosure Vulnerability
Max CVSS
6.5
EPSS Score
1.92%
Published
2021-04-13
Updated
2023-12-29
Windows SMB Information Disclosure Vulnerability
Max CVSS
7.5
EPSS Score
5.14%
Published
2021-04-13
Updated
2023-12-29
Windows DNS Information Disclosure Vulnerability
Max CVSS
6.5
EPSS Score
0.70%
Published
2021-04-13
Updated
2023-12-29
Windows GDI+ Information Disclosure Vulnerability
Max CVSS
5.5
EPSS Score
0.04%
Published
2021-04-13
Updated
2023-12-29
87 vulnerabilities found