| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers. |
| Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT` causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`. |
| Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data. |
| Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38. |
| ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in thom4 WP-LESS allows Retrieve Embedded Sensitive Data. This issue affects WP-LESS: from 1.9.3 through 3. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress tailpress allows Retrieve Embedded Sensitive Data.This issue affects TailPress: from n/a through <= 0.4.4. |
| An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows the attacker to read any file on the server with no effect on integrity or availability |
| An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Logo Software Industry and Trade Inc. Logo j-Platform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Logo j-Platform: from 3.29.6.4 before 3.34.8.9. |
| TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate and download files within the directory to obtain valid account usernames and passwords, leading to loss of confidentiality and further unauthorized access. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Htaccess File Editor: from n/a through <= 1.0.19. |
| By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement the Brother-provided firmware. This serial number can, in turn, can be leveraged by the flaw described by CVE-2024-51978 to calculate the default administrator password. This flaw is similar to CVE-2024-51977, with the only difference being the protocol by which an attacker can use to learn the remote device's serial number. The eSCL/uscan vector is typically only exposed on the local network. Any discovery service that implements the eSCL specification can be used to exploit this vulnerability, and one such implementation is the runZero Explorer. Changing the default administrator password will render this vulnerability virtually worthless, since the calculated default administrator password would no longer be the correct password. |
| The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return local file content, which would allow arbitrary local file reads from the app's runtime context. These local files contain device and user data within the ePCR medical application, and if exposed, would allow an attacker to access protected health information (PHI) or device telemetry. |
| During MegaBIP installation process, a user is encouraged to change a default path to administrative portal, as keeping it secret is listed by the author as one of the protection mechanisms.
Publicly available source code of "/registered.php" discloses that path, allowing an attacker to attempt further attacks.
This issue affects MegaBIP software versions below 5.15 |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Spencer Haws Link Whisper Free link-whisper.This issue affects Link Whisper Free: from n/a through <= 0.7.7. |
| Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in StellarWP Give – Divi Donation Modules give-donation-modules-for-divi allows Retrieve Embedded Sensitive Data.This issue affects Give – Divi Donation Modules: from n/a through <= 2.0.0. |
| In some cases, Kea log files or lease files may be world-readable.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. |
| An issue was discovered in the installer in Samsung Portable SSD for T5 1.6.10 on Windows. Because it is possible to tamper with the directory and DLL files used during the installation process, an attacker can escalate privileges through arbitrary code execution. (An attacker must already have user privileges) |
| An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mnt_info.csv can be accessed via a GET request and no authentication is required. The returned result is a comma separated value (CSV) table of information. The leaked information includes the device’s model, firmware version, IP address, and serial number. |
