CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Related To CWE-200

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2019-1020002 200 +Info 2019-07-29 2019-07-31
5.0
None Remote Low Not required Partial None None
Pterodactyl before 0.7.14 with 2FA allows credential sniffing.
2 CVE-2019-1010299 200 +Info 2019-07-15 2019-10-09
5.0
None Remote Low Not required Partial None None
The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d.
3 CVE-2019-1010283 200 +Info 2019-07-17 2019-10-09
5.0
None Remote Low Not required Partial None None
Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later.
4 CVE-2019-1010257 200 +Info 2019-03-27 2019-08-03
7.5
None Remote Low Not required Partial Partial Partial
An Information Disclosure / Data Modification issue exists in article2pdf_getfile.php in the article2pdf WordPress plugin 0.24, 0.25, 0.26, 0.27. A URL can be constructed which allows overriding the PDF file's path, so that any PDF whose path is known and which is readable by the web server can be downloaded. The file will be deleted after download if the web server has permission to do so. For PHP versions before 5.3, any file can be read by null terminating the string left of the file extension.
5 CVE-2019-1010246 200 +Info 2019-07-18 2019-07-29
5.0
None Remote Low Not required Partial None None
MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: The API call in the function allowAction() in NewslettersController.php. The attack vector is: HTTP Get request. The fixed version is: c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9.
6 CVE-2019-1010025 200 Bypass +Info 2019-07-15 2019-08-05
5.0
None Remote Low Not required Partial None None
** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."
7 CVE-2019-1010024 200 Bypass +Info 2019-07-15 2019-09-20
5.0
None Remote Low Not required Partial None None
GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.
8 CVE-2019-1003045 200 +Info 2019-03-28 2019-10-09
4.0
None Remote Low Single system Partial None None
A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configuration.
9 CVE-2019-1003037 200 +Info 2019-03-08 2019-10-09
4.0
None Remote Low Single system Partial None None
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
10 CVE-2019-1003025 200 +Info 2019-02-20 2019-10-09
4.0
None Remote Low Single system Partial None None
An exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
11 CVE-2019-1003021 200 +Info 2019-02-06 2019-10-09
4.3
None Remote Medium Not required Partial None None
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
12 CVE-2019-1003018 200 +Info 2019-02-06 2019-10-09
4.3
None Remote Medium Not required Partial None None
An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
13 CVE-2019-17110 200 +Info 2019-10-03 2019-10-10
5.0
None Remote Low Not required Partial None None
A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.
14 CVE-2019-16922 200 +Info 2019-09-27 2019-10-01
5.0
None Remote Low Not required Partial None None
SuiteCRM 7.10.x before 7.10.20 and 7.11.x before 7.11.8 allows unintended public exposure of files.
15 CVE-2019-16910 200 +Info 2019-09-26 2019-10-03
2.6
None Remote High Not required Partial None None
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)
16 CVE-2019-16738 200 +Info 2019-09-25 2019-09-26
5.0
None Remote Low Not required Partial None None
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
17 CVE-2019-16714 200 +Info 2019-09-23 2019-09-24
5.0
None Remote Low Not required Partial None None
In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.
18 CVE-2019-16409 200 +Info 2019-09-26 2019-10-01
5.0
None Remote Low Not required Partial None None
In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)
19 CVE-2019-16394 200 +Info 2019-09-17 2019-09-25
5.0
None Remote Low Not required Partial None None
SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.
20 CVE-2019-16320 200 +Info 2019-09-15 2019-09-18
5.0
None Remote Low Not required Partial None None
Cobham Sea Tel v170 224521 through v194 225444 devices allow attackers to obtain potentially sensitive information, such as a vessel's latitude and longitude, via the public SNMP community.
21 CVE-2019-16187 200 +Info CSRF 2019-09-09 2019-09-10
5.0
None Remote Low Not required Partial None None
Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.
22 CVE-2019-16180 200 +Info 2019-09-09 2019-09-10
5.0
None Remote Low Not required Partial None None
Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authentication method is used.
23 CVE-2019-16177 200 +Info 2019-09-09 2019-09-10
5.0
None Remote Low Not required Partial None None
In Limesurvey before 3.17.14, the entire database is exposed through browser caching.
24 CVE-2019-16176 200 +Info 2019-09-09 2019-09-10
5.0
None Remote Low Not required Partial None None
A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the application in the filesystem.
25 CVE-2019-16101 200 +Info 2019-09-08 2019-09-09
5.0
None Remote Low Not required Partial None None
Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers to obtain potentially sensitive stack traces by sending incorrect JSON data to the REST API, such as the rest/json/banners URI.
26 CVE-2019-15902 200 +Info 2019-09-04 2019-10-10
4.7
None Local Medium Not required Complete None None
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
27 CVE-2019-15891 200 +Info 2019-09-26 2019-10-01
5.0
None Remote Low Not required Partial None None
An issue was discovered in CKFinder through 2.6.2.1 and 3.x through 3.5.0. The documentation has misleading information that could lead to a conclusion that the application has a built-in bulletproof content sniffing protection.
28 CVE-2019-15740 200 +Info 2019-09-16 2019-09-17
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 7.9 through 12.2.1. EXIF Geolocation data was not being removed from certain image uploads.
29 CVE-2019-15738 200 +Info 2019-09-16 2019-09-17
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Under certain conditions, merge request IDs were being disclosed via email.
30 CVE-2019-15734 200 +Info 2019-09-16 2019-09-18
4.0
None Remote Low Single system Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1. Under very specific conditions, commit titles and team member comments could become viewable to users who did not have permission to access these.
31 CVE-2019-15733 200 +Info 2019-09-16 2019-09-17
4.0
None Remote Low Single system Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 7.12 through 12.2.1. The specified default branch name could be exposed to unauthorized users.
32 CVE-2019-15732 200 Bypass +Info 2019-09-16 2019-09-18
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1. The project import API could be used to bypass project visibility restrictions.
33 CVE-2019-15729 200 +Info 2019-09-17 2019-09-18
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request.
34 CVE-2019-15727 200 +Info 2019-09-16 2019-09-18
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 11.2 through 12.2.1. Insufficient permission checks were being applied when displaying CI results, potentially exposing some CI metrics data to unauthorized users.
35 CVE-2019-15726 200 +Info 2019-09-16 2019-09-18
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition through 12.2.1. Embedded images and media files in markdown could be pointed to an arbitrary server, which would reveal the IP address of clients requesting the file from that server.
36 CVE-2019-15725 200 +Info 2019-09-16 2019-09-17
5.0
None Remote Low Not required Partial None None
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. An IDOR in the epic notes API could result in disclosure of private milestones, labels, and other information.
37 CVE-2019-15698 200 +Info 2019-08-27 2019-08-29
4.0
None Remote Low Single system Partial None None
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10.
38 CVE-2019-15553 200 +Info 2019-08-26 2019-09-05
5.0
None Remote Low Not required Partial None None
An issue was discovered in the memoffset crate before 0.5.0 for Rust. offset_of and span_of can cause exposure of uninitialized memory.
39 CVE-2019-15514 200 +Info 2019-08-23 2019-08-30
5.0
None Remote Low Not required Partial None None
The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers.
40 CVE-2019-15506 200 +Info 2019-08-26 2019-08-26
7.8
None Remote Low Not required Complete None None
An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. It has a critical information disclosure vulnerability. An unauthenticated attacker can send properly formatted requests to the web application and download sensitive files and information. For example, the /DATAREPORTS directory can be farmed for reports. Because this directory contains the results of reports such as NMAP, Patch Status, and Active Directory domain metadata, an attacker can easily collect this critical information and parse it for information. There are a number of directories affected.
41 CVE-2019-15330 200 +Info 2019-08-22 2019-08-29
5.0
None Remote Low Not required Partial None None
The webp-express plugin before 0.14.11 for WordPress has insufficient protection against arbitrary file reading.
42 CVE-2019-15138 200 +Info 2019-09-20 2019-09-23
5.0
None Remote Low Not required Partial None None
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
43 CVE-2019-15135 200 +Info 2019-08-18 2019-08-29
5.0
None Remote Low Not required Partial None None
The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network.
44 CVE-2019-15132 200 +Info 2019-08-17 2019-08-29
5.0
None Remote Low Not required Partial None None
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
45 CVE-2019-15129 200 +Info 2019-08-18 2019-08-30
5.0
None Remote Low Not required Partial None None
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 allows an unauthenticated attacker to access all candidates' files in the photo folder on the website by specifying a "user id" parameter and file name, such as in a recruitment_online/upload/user/[user_id]/photo/[file_name] URI.
46 CVE-2019-15046 200 +Info 2019-08-14 2019-08-21
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.
47 CVE-2019-15045 200 +Info 2019-08-21 2019-08-30
5.0
None Remote Low Not required Partial None None
** DISPUTED ** AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality.
48 CVE-2019-15035 200 +Info 2019-10-01 2019-10-08
4.0
None Remote Low Single system Partial None None
An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could get access to potentially confidential server-level data. The issue was fixed in TeamCity 2018.2.5 and 2019.1.
49 CVE-2019-15031 200 +Info 2019-09-13 2019-09-18
3.6
None Local Low Not required Partial None Partial
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c.
50 CVE-2019-15021 200 +Info 2019-10-09 2019-10-11
5.0
None Remote Low Not required Partial None None
A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that can allow an attacker to easily identify instances of Zingbox Inspectors in a local area network.
Total number of vulnerabilities: 6316 (page 1 of 127)
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.