CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45787 – Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-45787
This vulnerability exists in Reedos aiM-Star version 2.0.1 due to transmission of sensitive information in plain text in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL and intercepting response of the API request leading to exposure of sensitive information belonging to other users. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0291 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-40656
https://notcve.org/view.php?id=CVE-2024-40656
This could lead to local information disclosure with no additional execution privileges needed. • https://android.googlesource.com/platform/packages/services/Telecomm/+/f3e6a6c02439401eb7aeb3749ee5ec0b51a625b9 https://source.android.com/security/bulletin/2024-09-01 • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7315 – Migration, Backup, Staging – WPvivid < 0.9.106 - Unauthenticated Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2024-7315
The Migration, Backup, Staging WordPress plugin before 0.9.106 does not use sufficient randomness in the filename that is created when generating a backup, which could be bruteforced by attackers to leak sensitive information about said backups. The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.9.105. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data by brute-forcing backup file names. • https://wpscan.com/vulnerability/456b728b-a451-4afb-895f-850ddc4fb589 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.2EPSS: 0%CPEs: -EXPL: 0CVE-2024-37397 – Ivanti Endpoint Manager ImportXml XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-37397
An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of ImportXml method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-43475 – Microsoft Windows Admin Center Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-43475
Microsoft Windows Admin Center Information Disclosure Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43475 • CWE-126: Buffer Over-read •