CVE-2024-4447
https://notcve.org/view.php?id=CVE-2024-4447
While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack this privilege would still be able to utilize the session IDs to imitate other users. While this is a very small attack vector that requires very high permissions to execute, its danger lies principally in obfuscating attribution; all Sign In As operations are attributed appropriately in the log files, and a malicious administrator could use this information to render their dealings untraceable — including those admins who have not been granted this ability — such as by using a session ID to generate an API token. Fixed in: 24.07.12 / 23.01.20 LTS / 23.10.24v13 LTS / 24.04.24v5 LTS • https://auth.dotcms.com/security/SI-72 https://www.dotcms.com/security/SI-72 • CWE-863: Incorrect Authorization •
CVE-2024-38103 – Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-38103
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38103 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVE-2022-32759 – IBM Security Directory Server information disclosure
https://notcve.org/view.php?id=CVE-2022-32759
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. • https://exchange.xforce.ibmcloud.com/vulnerabilities/228565 https://www.ibm.com/support/pages/node/7161446 • CWE-613: Insufficient Session Expiration •
CVE-2024-7057 – Improper Access Control in GitLab
https://notcve.org/view.php?id=CVE-2024-7057
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level. • https://gitlab.com/gitlab-org/gitlab/-/issues/458501 https://hackerone.com/reports/2475135 • CWE-284: Improper Access Control •
CVE-2024-7060 – Exposure of Sensitive Information to an Unauthorized Actor in GitLab
https://notcve.org/view.php?id=CVE-2024-7060
An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export. • https://gitlab.com/gitlab-org/gitlab/-/issues/437894 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •