CVE-2023-49162 – WordPress BigCommerce Plugin <= 5.0.6 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-49162
This makes it possible for unauthenticated attackers to extract sensitive data. • https://patchstack.com/database/vulnerability/bigcommerce/wordpress-bigcommerce-for-wordpress-plugin-5-0-6-sensitive-data-exposure-via-log-file-vulnerability? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-6287 – Backup password in GET parameter
https://notcve.org/view.php?id=CVE-2023-6287
Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows a local attacker to retrieve passwords by reading log files. • https://checkmk.com/werk/9554 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File CWE-598: Use of GET Request Method With Sensitive Query Strings •
CVE-2023-6226 – WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Insecure Direct Object Reference to Information Disclosure
https://notcve.org/view.php?id=CVE-2023-6226
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin. • https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/includes/shortcodes/meta.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3000576%40shortcodes-ultimate&new=3000576%40shortcodes-ultimate&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7?source=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-48796 – Apache dolphinscheduler sensitive information disclosure
https://notcve.org/view.php?id=CVE-2023-48796
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set the environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to work around this, or add the following section to the `application.yaml` file:

```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue. • http://www.openwall.com/lists/oss-security/2023/11/24/1 https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-44303
https://notcve.org/view.php?id=CVE-2023-44303
RVTools, version 3.9.2 and above, contains a sensitive data exposure vulnerability in the password encryption utility (RVToolsPasswordEncryption.exe) and the main application (RVTools.exe). • https://www.dell.com/support/kbdoc/en-us/000219712/dsa-2023-426-security-update-for-rvtools-vulnerabilities • CWE-310: Cryptographic Issues CWE-522: Insufficiently Protected Credentials •