CVE-2021-22143 – Elastic APM .NET Agent information disclosure
https://notcve.org/view.php?id=CVE-2021-22143
The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent. • https://discuss.elastic.co/t/elastic-apm-net-agent-1-10-0-security-update/274668 https://www.elastic.co/community/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File
CVE-2023-6248 – Data leakage and arbitrary remote code execution in Syrus cloud devices
https://notcve.org/view.php?id=CVE-2023-6248
The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations:
* Get location data of the vehicle the device is connected to
* Send CAN bus messages via the ECU module ( https://syrus.digitalcomtech.com/docs/ecu-1 )
* Immobilize the vehicle via the safe-immobilizer module ( https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization )
* Get live video through the connected video camera
* Send audio messages to the driver ( https://syrus.digitalcomtech.com/docs/system-tools#apx-tts )
The Syrus4 IoT gateway uses an unsecured MQTT server to download and execute arbitrary commands, which allows an unauthenticated remote attacker to execute code on any Syrus4 device connected to the cloud service. • https://www.digitalcomtech.com/product/syrus-4g-iot-telematics-gateway • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication CWE-319: Cleartext Transmission of Sensitive Information
CVE-2023-2448 – UserPro <= 5.1.4 - Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template
https://notcve.org/view.php?id=CVE-2023-2448
The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. ... WordPress UserPro plugin versions 5.1.1 and below suffer from an insecure password reset mechanism, information disclosure, and authentication bypass vulnerabilities. • http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681 https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe9175-4a6f-4eb6-8d31-9a9fda9b4f40?source=cve • CWE-862: Missing Authorization
CVE-2023-49103 – ownCloud graphapi Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-49103
In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. ... Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information. ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials. • https://github.com/creacitysec/CVE-2023-49103 https://github.com/merlin-ke/OwnCloud-CVE-2023-49103 https://github.com/MixColumns/CVE-2023-49103 https://github.com/d0rb/CVE-2023-49103 https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments https://owncloud.org/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-2449 – UserPro <= 5.1.1 - Insecure Password Reset Mechanism
https://notcve.org/view.php?id=CVE-2023-2449
WordPress UserPro plugin versions 5.1.1 and below suffer from an insecure password reset mechanism, information disclosure, and authentication bypass vulnerabilities. • http://packetstormsecurity.com/files/175871/WordPress-UserPro-5.1.x-Password-Reset-Authentication-Bypass-Escalation.html https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681 https://www.wordfence.com/threat-intel/vulnerabilities/id/de9be7bc-4f8a-4393-8ebb-1b1f141b7585?source=cve • CWE-620: Unverified Password Change