Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2745 | 1 Rapid7 | 1 Insightvm | 2025-02-25 | N/A | 3.3 LOW |
| Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded. This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc. The vulnerability is remediated in version 6.6.244. | |||||
| CVE-2024-12012 | 2025-02-13 | N/A | 5.7 MEDIUM | ||
| A CWE-598 “Use of GET Request Method with Sensitive Query Strings” was discovered affecting the 130.8005 TCP/IP Gateway running firmware version 12h. Both the SHA-1 hash of the password as well as the session tokens are included as part of the URL and therefore exposed to information leakage scenarios. An attacker capable of accessing such values (e.g., victim browser, network traffic inspection) can exploit this vulnerability to leak both the password hash as well as session tokens and bypass the authentication mechanism using a pass-the-hash attack. | |||||
| CVE-2023-32335 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2025-01-14 | N/A | 3.7 LOW |
| IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075. | |||||
| CVE-2024-28238 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 2.3 LOW |
| Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-38863 | 1 Checkmk | 1 Checkmk | 2024-12-03 | N/A | 7.5 HIGH |
| Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35 and <2.1.0p48 could lead to a leak of the token to facilitate targeted phishing attacks. | |||||
| CVE-2024-31206 | 2024-11-21 | N/A | 8.2 HIGH | ||
| dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it. | |||||
| CVE-2023-6287 | 1 Tribe29 | 1 Checkmk Appliance Firmware | 2024-11-21 | N/A | 3.3 LOW |
| Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files. | |||||
| CVE-2023-6014 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 9.8 CRITICAL |
| An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment. | |||||
| CVE-2023-50954 | 1 Ibm | 1 Infosphere Information Server | 2024-11-21 | N/A | 4.3 MEDIUM |
| IBM InfoSphere Information Server 11.7 returns sensitive information in URL information that could be used in further attacks against the system. IBM X-Force ID: 275776. | |||||
| CVE-2023-50328 | 1 Ibm | 1 Powersc | 2024-11-21 | N/A | 3.7 LOW |
| IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings. IBM X-Force ID: 275110. | |||||
| CVE-2023-37935 | 1 Fortinet | 1 Fortios | 2024-11-21 | N/A | 6.5 MEDIUM |
| A use of GET request method with sensitive query strings vulnerability in Fortinet FortiOS 7.0.0 - 7.0.12, 7.2.0 - 7.2.5 and 7.4.0 allows an attacker to view plaintext passwords of remote services such as RDP or VNC, if the attacker is able to read the GET requests to those services. | |||||
| CVE-2023-25524 | 1 Nvidia | 1 Omniverse Launcher | 2024-11-21 | N/A | 4.0 MEDIUM |
| NVIDIA Omniverse Workstation Launcher for Windows and Linux contains a vulnerability in the authentication flow, where a user’s access token is displayed in the browser user's address bar. An attacker could use this token to impersonate the user to access launcher resources. A successful exploit of this vulnerability may lead to information disclosure. | |||||
| CVE-2023-22307 | 1 Tribe29 | 1 Checkmk Appliance Firmware | 2024-11-21 | N/A | 5.5 MEDIUM |
| Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows local attacker to retrieve passwords via reading log files. | |||||
| CVE-2022-34452 | 1 Dell | 1 Powerpath Management Appliance | 2024-11-21 | N/A | 2.7 LOW |
| PowerPath Management Appliance with versions 3.3, 3.2*, 3.1 & 3.0* contains sensitive information disclosure vulnerability. An Authenticated admin user can able to exploit the issue and view sensitive information stored in the logs. | |||||
| CVE-2022-25787 | 1 Secomea | 8 Gatemanager 4250, Gatemanager 4250 Firmware, Gatemanager 4260 and 5 more | 2024-11-21 | 4.6 MEDIUM | 7.5 HIGH |
| Information Exposure Through Query Strings in GET Request vulnerability in LMM API of Secomea GateManager allows system administrator to hijack connection. This issue affects: Secomea GateManager all versions prior to 9.7. | |||||
| CVE-2022-24414 | 1 Dell | 1 Cloudlink | 2024-11-21 | 4.0 MEDIUM | 7.6 HIGH |
| Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attacks. | |||||
| CVE-2022-22551 | 1 Dell | 1 Emc Appsync | 2024-11-21 | 5.8 MEDIUM | 8.3 HIGH |
| DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session. | |||||
| CVE-2021-36328 | 1 Dell | 1 Emc Streaming Data Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database. | |||||
| CVE-2021-21594 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 5.0 MEDIUM | 8.2 HIGH |
| Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability. It can lead to potential disclosure of sensitive data. Dell recommends upgrading at your earliest opportunity. | |||||
| CVE-2020-5331 | 1 Rsa | 1 Archer | 2024-11-21 | 2.1 LOW | 8.8 HIGH |
| RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information exposure vulnerability. Users’ session information could potentially be stored in cache or log files. An authenticated malicious local user with access to the log files may obtain the exposed information to use it in further attacks. | |||||