CVE-2022-36777 – IBM Cloud Pak for Security information disclosure
https://notcve.org/view.php?id=CVE-2022-36777
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.16.0 could allow an authenticated user to obtain sensitive version information that could aid in further attacks against the system. IBM X-Force ID: 233665. • https://exchange.xforce.ibmcloud.com/vulnerabilities/233665 https://www.ibm.com/support/pages/node/7080058 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-5983 – Information Disclosure in Botanik Software Pharmacy Automation
https://notcve.org/view.php?id=CVE-2023-5983
Exposure of Sensitive Information to an Unauthorized Actor and Exposure of Private Personal Information to an Unauthorized Actor vulnerabilities in Botanik Software Pharmacy Automation allow an attacker to retrieve embedded sensitive data. This issue affects Pharmacy Automation versions before 2.1.133.0. • https://www.usom.gov.tr/bildirim/tr-23-0652 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVE-2021-22143 – Elastic APM .NET Agent information disclosure
https://notcve.org/view.php?id=CVE-2021-22143
The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. • https://discuss.elastic.co/t/elastic-apm-net-agent-1-10-0-security-update/274668 https://www.elastic.co/community/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
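The CWE-532 pattern above (request headers copied verbatim into an error log) is avoided by redacting credential-bearing headers before the log record is built. The following is an added example, not code from the Elastic APM agent or from the original page; the header names treated as sensitive, the sample request and the log format are assumptions chosen for illustration.

```python
"""Redact credential-bearing HTTP headers before they reach an error log.

Added example: the SENSITIVE_HEADERS set, the sample request below and the
JSON log layout are assumptions, not Elastic APM's own behaviour.
"""
import json
from typing import Dict, Iterable, Mapping

# Header names compared case-insensitively; extend per application.
SENSITIVE_HEADERS = frozenset(
    h.lower()
    for h in (
        "authorization",
        "proxy-authorization",
        "cookie",
        "set-cookie",
        "x-api-key",
        "x-auth-token",
    )
)
REDACTED = "[REDACTED]"


def _redact_auth(value: str) -> str:
    # Keep the scheme ("Bearer", "Basic") for debugging, drop the credential.
    scheme, _, _ = value.strip().partition(" ")
    return f"{scheme} {REDACTED}" if scheme else REDACTED


def _redact_cookie(value: str) -> str:
    # Keep cookie names (useful when diagnosing an error), drop every value.
    parts = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, _ = item.partition("=")
        parts.append(f"{name}={REDACTED}" if sep else REDACTED)
    return "; ".join(parts)


def redact_headers(
    headers: Mapping[str, str], extra_sensitive: Iterable[str] = ()
) -> Dict[str, str]:
    """Return a copy of `headers` safe to log; original casing is preserved."""
    sensitive = SENSITIVE_HEADERS | {h.lower() for h in extra_sensitive}
    out: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.lower()
        if key not in sensitive:
            out[name] = value
        elif key in ("authorization", "proxy-authorization"):
            out[name] = _redact_auth(value)
        elif key in ("cookie", "set-cookie"):
            out[name] = _redact_cookie(value)
        else:
            out[name] = REDACTED
    return out


def error_log_line(
    method: str, path: str, headers: Mapping[str, str], error: str
) -> str:
    """Build the JSON record an agent would emit on an application error."""
    record = {
        "event": "application_error",
        "method": method,
        "path": path,
        "headers": redact_headers(headers),
        "error": error,
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample request carrying a bearer token and a session cookie.
    sample = {
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.secret-token",
        "Cookie": "session=abc123; theme=dark",
        "User-Agent": "curl/8.4.0",
    }
    print(error_log_line("GET", "/api/orders", sample, "NullReferenceException"))
```

The redaction runs on a copy of the header map, so the request itself is untouched; only the log sink sees the sanitised version.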
CVE-2023-6248 – Data leakage and arbitrary remote code execution in Syrus cloud devices
https://notcve.org/view.php?id=CVE-2023-6248
The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations:
* Get location data of the vehicle the device is connected to
* Send CAN bus messages via the ECU module ( https://syrus.digitalcomtech.com/docs/ecu-1 )
* Immobilize the vehicle via the safe-immobilizer module ( https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization )
* Get live video through the connected video camera
* Send audio messages to the driver ( https://syrus.digitalcomtech.com/docs/system-tools#apx-tts )
• https://www.digitalcomtech.com/product/syrus-4g-iot-telematics-gateway • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication CWE-319: Cleartext Transmission of Sensitive Information •
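The root cause in the Syrus4 entry is a broker that accepts a CONNECT without credentials (CWE-287). The quickest audit check is to send a bare MQTT 3.1.1 CONNECT and read the CONNACK return code. The code below is an added example written for this page, not software from Digital Communications Technologies or from the advisory; it hand-encodes the packets so it runs offline against a constructed CONNACK, and the `tcp_exchange` helper for a live broker is an assumption about how a practitioner would wire it up.

```python
"""Probe whether an MQTT broker accepts anonymous CONNECTs.

Added example. Packet layout follows MQTT 3.1.1 (CONNECT 0x10, CONNACK 0x20);
the fake-broker responses used below are constructed sample input.
"""
import socket
import struct
from typing import Callable, Dict, Optional, Tuple

# MQTT 3.1.1 CONNACK return codes (section 3.2.2.3 of the spec).
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _encode_remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length' field (7 bits per byte, MSB = more)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _mqtt_string(s: bytes) -> bytes:
    """Length-prefixed UTF-8 string as used throughout MQTT."""
    return struct.pack("!H", len(s)) + s


def build_connect(
    client_id: str,
    username: Optional[str] = None,
    password: Optional[str] = None,
    keepalive: int = 60,
) -> bytes:
    """Encode a CONNECT packet; omit username/password for the anonymous probe."""
    flags = 0x02  # clean session; no will, no retain
    payload = _mqtt_string(client_id.encode())
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username.encode())
        if password is not None:
            flags |= 0x40
            payload += _mqtt_string(password.encode())
    var_header = (
        _mqtt_string(b"MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    )
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def parse_connack(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) from a CONNACK; raise on anything else."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    code = data[3]
    return code == 0, CONNACK_CODES.get(code, f"reserved code {code}")


def check_anonymous_access(exchange: Callable[[bytes], bytes]) -> Dict[str, object]:
    """Send a credential-less CONNECT through `exchange` and classify the reply.

    `exchange` takes the request bytes and returns the broker's response, so the
    check can run against a socket or, as in the test, a constructed reply.
    """
    accepted, reason = parse_connack(exchange(build_connect("audit-probe")))
    return {"anonymous_accepted": accepted, "reason": reason}


def tcp_exchange(host: str, port: int = 1883, timeout: float = 5.0) -> Callable[[bytes], bytes]:
    """Assumed helper for a live broker: one plaintext TCP round trip."""

    def _exchange(packet: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(packet)
            return sock.recv(4)

    return _exchange


if __name__ == "__main__":
    # Constructed broker replies: an open broker and a hardened one.
    open_broker = lambda _pkt: b"\x20\x02\x00\x00"
    locked_broker = lambda _pkt: b"\x20\x02\x00\x05"
    print(check_anonymous_access(open_broker))
    print(check_anonymous_access(locked_broker))
```

A result of `anonymous_accepted: True` on a broker reachable from the internet is the condition the advisory describes; a hardened broker should answer with code 5 (not authorized) or 4 (bad user name or password), and should only be reachable over TLS, which this plaintext probe deliberately does not use.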
CVE-2023-2448 – UserPro <= 5.1.4 - Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template
https://notcve.org/view.php?id=CVE-2023-2448
WordPress UserPro plugin versions 5.1.1 and below suffer from an insecure password reset mechanism, information disclosure, and authentication bypass vulnerabilities. • http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681 https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe9175-4a6f-4eb6-8d31-9a9fda9b4f40?source=cve • CWE-862: Missing Authorization •