Filtered by CWE-200
Total 10716 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2015-5400 3 Debian, Fedoraproject, Squid-cache 3 Debian Linux, Fedora, Squid 2025-04-12 N/A
Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.
CVE-2013-6472 1 Mediawiki 1 Mediawiki 2025-04-12 N/A
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted page via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.
CVE-2016-7210 1 Microsoft 8 Windows 10, Windows 7, Windows 8.1 and 5 more 2025-04-12 N/A
atmfd.dll in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted Open Type font on a web site, aka "Open Type Font Information Disclosure Vulnerability."
CVE-2016-5739 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2025-04-12 N/A
The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php.
CVE-2016-3717 3 Canonical, Imagemagick, Redhat 11 Ubuntu Linux, Imagemagick, Enterprise Linux and 8 more 2025-04-12 N/A
The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.
CVE-2016-9017 1 Artifex 1 Mujs 2025-04-12 N/A
Artifex Software, Inc. MuJS before a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 allows context-dependent attackers to obtain sensitive information by using the "opname in crafted JavaScript file" approach, related to an "Out-of-Bounds read" issue affecting the jsC_dumpfunction function in the jsdump.c component.
CVE-2016-0864 1 Tollgrade 1 Smartgrid Lighthouse Sensor Management System 2025-04-12 N/A
Tollgrade SmartGrid LightHouse Sensor Management System (SMS) Software EMS before 5.1, and 4.1.0 Build 16, allows remote attackers to obtain sensitive report and username information via unspecified vectors.
CVE-2016-0783 1 Apache 1 Openmeetings 2025-04-12 N/A
The sendHashByUser function in Apache OpenMeetings before 3.1.1 generates predictable password reset tokens, which makes it easier for remote attackers to reset arbitrary user passwords by leveraging knowledge of a user name and the current system time.
CVE-2016-1687 5 Debian, Google, Opensuse and 2 more 9 Debian Linux, Chrome, Leap and 6 more 2025-04-12 N/A
The renderer implementation in Google Chrome before 51.0.2704.63 does not properly restrict public exposure of classes, which allows remote attackers to obtain sensitive information via vectors related to extensions.
CVE-2015-1840 3 Fedoraproject, Opensuse, Rubyonrails 4 Fedora, Opensuse, Jquery-rails and 1 more 2025-04-12 N/A
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
CVE-2015-6661 1 Drupal 1 Drupal 2025-04-12 N/A
Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.
CVE-2014-3575 3 Apache, Libreoffice, Redhat 6 Openoffice, Libreoffice, Enterprise Linux and 3 more 2025-04-12 N/A
The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects.
CVE-2011-2513 1 Redhat 3 Enterprise Linux, Icedtea-web, Icedtea6 2025-04-12 N/A
The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader.
CVE-2015-8473 2 Debian, Redmine 2 Debian Linux, Redmine 2025-04-12 N/A
The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects.
CVE-2014-8775 1 Modx 1 Modx Revolution 2025-04-12 N/A
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-5730 1 Wordpress 1 Wordpress 2025-04-12 N/A
The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.
CVE-2015-7502 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2025-04-12 N/A
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files.
CVE-2014-9759 1 Mantisbt 1 Mantisbt 2025-04-12 N/A
Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request.
CVE-2016-2151 1 Moodle 1 Moodle 2025-04-12 N/A
user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list.
CVE-2015-3153 5 Apple, Canonical, Debian and 2 more 6 Mac Os X, Ubuntu Linux, Debian Linux and 3 more 2025-04-12 N/A
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.