| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-1000123 |
532 |
|
+Info |
2018-03-13 |
2018-04-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Ionic Team Cordova plugin iOS Keychain version before commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf contains an Information Exposure Through Log Files (CWE-532) vulnerability in CDVKeychain.m that can result in login, password and other sensitive data leakage. This attack appear to be exploitable via Attacker must have access to victim's iOS logs. This vulnerability appears to have been fixed in after commit 18233ca25dfa92cca018b9c0935f43f78fd77fbf. |
|
2 |
CVE-2018-1000089 |
532 |
|
|
2018-03-13 |
2018-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4. |
|
3 |
CVE-2018-1000018 |
532 |
|
|
2018-01-24 |
2018-08-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file. |
|
4 |
CVE-2018-19786 |
532 |
|
|
2018-12-05 |
2018-12-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
HashiCorp Vault before 1.0.0 writes the master key to the server log in certain unusual or misconfigured scenarios in which incorrect data comes from the autoseal mechanism without an error being reported. |
|
5 |
CVE-2018-17447 |
532 |
|
|
2018-10-23 |
2018-12-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An Information Exposure Through Log Files issue was discovered in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4. |
|
6 |
CVE-2018-16049 |
532 |
|
|
2018-10-03 |
2018-12-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Sensitive Data Disclosure in Sidekiq Logs through an Error Message. |
|
7 |
CVE-2018-14700 |
532 |
|
|
2018-12-03 |
2018-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter. |
|
8 |
CVE-2018-12604 |
532 |
|
+Info |
2018-06-20 |
2018-08-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log. |
|
9 |
CVE-2018-11717 |
532 |
|
+Info |
2018-07-16 |
2018-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc. |
|
10 |
CVE-2018-11716 |
532 |
|
|
2018-07-16 |
2018-09-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444. |
|
11 |
CVE-2018-11320 |
532 |
|
|
2018-05-21 |
2018-06-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. |
|
12 |
CVE-2018-10889 |
532 |
|
|
2018-07-10 |
2018-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester. |
|
13 |
CVE-2018-10855 |
532 |
|
|
2018-07-02 |
2019-01-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible. |
|
14 |
CVE-2018-8719 |
532 |
|
|
2018-04-04 |
2018-05-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information. |
|
15 |
CVE-2018-7683 |
532 |
|
|
2018-06-21 |
2018-08-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files. |
|
16 |
CVE-2018-7682 |
532 |
|
|
2018-06-22 |
2018-08-10 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Micro Focus Solutions Business Manager versions prior to 11.4 allows a user to invoke SBM RESTful services across domains. |
|
17 |
CVE-2018-7433 |
532 |
|
|
2018-03-02 |
2018-03-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The iThemes Security plugin before 6.9.1 for WordPress does not properly perform data escaping for the logs page. |
|
18 |
CVE-2018-6599 |
532 |
|
+Info |
2018-08-29 |
2018-10-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls. |
|
19 |
CVE-2018-5693 |
532 |
|
|
2018-01-13 |
2018-09-12 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The LinuxMagic MagicSpam extension before 2.0.14-1 for Plesk allows local users to discover mailbox names by reading /var/log/magicspam/mslog. |
|
20 |
CVE-2018-3828 |
532 |
|
+Info |
2018-09-19 |
2018-12-12 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials. |
|
21 |
CVE-2018-3776 |
532 |
|
|
2018-08-12 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log. |
|
22 |
CVE-2018-3609 |
532 |
|
Bypass |
2018-02-16 |
2018-03-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A vulnerability in the Trend Micro InterScan Messaging Security Virtual Appliance 9.0 and 9.1 management portal could allow an unauthenticated user to access sensitive information in a particular log file that could be used to bypass authentication on vulnerable installations. |
|
23 |
CVE-2018-2440 |
532 |
|
|
2018-07-10 |
2018-09-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Under certain circumstances SAP Dynamic Authorization Management (DAM) by NextLabs (Java Policy Controller versions 7.7 and 8.5) exposes sensitive information in the application logs. |
|
24 |
CVE-2018-1876 |
532 |
|
|
2018-11-02 |
2018-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Robotic Process Automation with Automation Anywhere 11 could under certain cases, display the password in a Control Room log file after installation. IBM X-Force ID: 151707. |
|
25 |
CVE-2018-1788 |
532 |
|
|
2018-11-02 |
2018-12-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Spectrum Protect Server 7.1 and 8.1 could disclose highly sensitive information via trace logs to a local privileged user. IBM X-Force ID: 148873. |
|
26 |
CVE-2018-1768 |
532 |
|
|
2018-09-26 |
2018-11-15 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Spectrum Protect Plus 10.1.0 and 10.1.1 could disclose sensitive information when an authorized user executes a test operation, the user id an password may be displayed in plain text within an instrumentation log file. IBM X-Force ID: 148622. |
|
27 |
CVE-2018-1350 |
532 |
|
|
2018-03-26 |
2018-04-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system enumeration. |
|
28 |
CVE-2018-1349 |
532 |
|
|
2018-03-26 |
2018-04-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system or configuration enumeration. |
|
29 |
CVE-2018-1264 |
532 |
|
+Priv |
2018-10-05 |
2018-12-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Cloud Foundry Log Cache, versions prior to 1.1.1, logs its UAA client secret on startup as part of its envstruct report. A remote attacker who has gained access to the Log Cache VM can read this secret, gaining all privileges held by the Log Cache UAA client. In the worst case, if this client is an admin, the attacker would gain complete control over the Foundation. |
|
30 |
CVE-2018-1198 |
532 |
|
|
2018-09-17 |
2018-11-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Pivotal Cloud Cache, versions prior to 1.3.1, prints a superuser password in plain text during BOSH deployment logs. A malicious user with access to the logs could escalate their privileges using this password. |
|
31 |
CVE-2018-1072 |
532 |
|
+Info |
2018-06-26 |
2018-08-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently leak database passwords. |
|
32 |
CVE-2018-0504 |
532 |
|
|
2018-10-04 |
2018-11-23 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains an information disclosure flaw in the Special:Redirect/logid |
|
33 |
CVE-2018-0042 |
532 |
|
|
2018-07-11 |
2018-09-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Juniper Networks CSO versions prior to 4.0.0 may log passwords in log files leading to an information disclosure vulnerability. |
|
34 |
CVE-2017-1000171 |
532 |
|
|
2017-11-03 |
2017-11-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to the Mahara access log in plain text. |
|
35 |
CVE-2017-16946 |
532 |
|
|
2017-11-25 |
2017-12-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. |
|
36 |
CVE-2017-15572 |
532 |
|
+Info |
2017-10-17 |
2018-05-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect. |
|
37 |
CVE-2017-15113 |
532 |
|
|
2018-07-27 |
2018-10-01 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues. |
|
38 |
CVE-2017-8075 |
532 |
|
|
2017-04-23 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from "Switch Info" log lines where passwords are in cleartext. This affects the 1.1.2 Build 20141017 Rel.50749 firmware. |
|
39 |
CVE-2017-8074 |
532 |
|
|
2017-04-23 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from "SEND data" log lines where passwords are encoded in hexadecimal. This affects the 1.1.2 Build 20141017 Rel.50749 firmware. |
|
40 |
CVE-2017-7550 |
532 |
|
|
2017-11-21 |
2017-12-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation. |
|
41 |
CVE-2017-7434 |
532 |
|
|
2018-03-02 |
2018-03-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the JDBC driver of NetIQ Identity Manager before 4.6 sending out incorrect XML configurations could result in passwords being logged into exception logfiles. |
|
42 |
CVE-2017-7214 |
532 |
|
|
2017-03-21 |
2018-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens. |
|
43 |
CVE-2017-6165 |
532 |
|
|
2017-10-20 |
2017-11-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, and WebSafe 11.5.1 HF6 through 11.5.4 HF4, 11.6.0 through 11.6.1 HF1, and 12.0.0 through 12.1.2 on VIPRION platforms only, the script which synchronizes SafeNet External Network HSM configuration elements between blades in a clustered deployment will log the HSM partition password in cleartext to the "/var/log/ltm" log file. |
|
44 |
CVE-2017-6139 |
532 |
|
|
2017-12-21 |
2018-01-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
In F5 BIG-IP APM software version 13.0.0 and 12.1.2, under rare conditions, the BIG-IP APM system appends log details when responding to client requests. Details in the log file can vary; customers running debug mode logging with BIG-IP APM are at highest risk. |
|
45 |
CVE-2017-5549 |
532 |
|
+Info |
2017-02-06 |
2018-08-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log. |
|
46 |
CVE-2017-5153 |
532 |
|
|
2017-02-13 |
2017-03-16 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in OSIsoft PI Coresight 2016 R2 and earlier versions, and PI Web API 2016 R2 when deployed using the PI AF Services 2016 R2 integrated install kit. An information exposure through server log files vulnerability has been identified, which may allow service account passwords to become exposed for the affected services, potentially leading to unauthorized shutdown of the affected PI services as well as potential reuse of domain credentials. |
|
47 |
CVE-2017-5137 |
532 |
|
|
2017-02-05 |
2017-02-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered on SendQuick Entera and Avera devices before 2HF16. An attacker could request and download the SMS logs from an unauthenticated perspective. |
|
48 |
CVE-2017-2621 |
532 |
|
|
2018-07-27 |
2018-09-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. |
|
49 |
CVE-2017-2592 |
532 |
|
+Info |
2018-05-08 |
2018-06-12 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens). |
|
50 |
CVE-2017-1795 |
532 |
|
+Info |
2018-07-06 |
2018-08-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere MQ 7.5, 8.0, and 9.0 through 9.0.4 could allow a local user to obtain highly sensitive information via trace logs in IBM WebSphere MQ Managed File Transfer. IBM X-Force ID: 137042. |
