CWE-1230
Exposure of Sensitive Information Through Metadata
The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
CVE-2023-1974 (GCVE-0-2023-1974)
Vulnerability from cvelistv5 – Published: 2023-04-11 00:00 – Updated: 2025-02-07 17:14
VLAI?
Summary
Exposure of Sensitive Information Through Metadata in GitHub repository answerdev/answer prior to 1.0.8.
Severity ?
7.7 (High)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| answerdev | answerdev/answer |
Affected:
unspecified , < 1.0.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:05:27.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/answerdev/answer/commit/ac3f2f047ee00b4edaea7530e570ab67ff87cd6a"
},
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/852781c6-9cc8-4d25-9336-bf3cb8ee3439"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1974",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T17:14:51.823042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T17:14:55.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "answerdev/answer",
"vendor": "answerdev",
"versions": [
{
"lessThan": "1.0.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information Through Metadata in GitHub repository answerdev/answer prior to 1.0.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230 Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://github.com/answerdev/answer/commit/ac3f2f047ee00b4edaea7530e570ab67ff87cd6a"
},
{
"url": "https://huntr.dev/bounties/852781c6-9cc8-4d25-9336-bf3cb8ee3439"
}
],
"source": {
"advisory": "852781c6-9cc8-4d25-9336-bf3cb8ee3439",
"discovery": "EXTERNAL"
},
"title": "Exposure of Sensitive Information Through Metadata in answerdev/answer"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-1974",
"datePublished": "2023-04-11T00:00:00.000Z",
"dateReserved": "2023-04-11T00:00:00.000Z",
"dateUpdated": "2025-02-07T17:14:55.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32488 (GCVE-0-2023-32488)
Vulnerability from cvelistv5 – Published: 2023-08-16 13:32 – Updated: 2024-10-08 19:11
VLAI?
Summary
Dell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosure vulnerability in NFS. A low privileged attacker could potentially exploit this vulnerability, leading to information disclosure.
Severity ?
5.3 (Medium)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dell | PowerScale OneFS |
Affected:
Version 9.2.1.0 through 9.2.1.22, Version 9.4.0.0 through 9.4.0.13, Version 9.5.0.0 through 9.5.0.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:18:37.302Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000216717/dsa-2023-269-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T19:11:01.410898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T19:11:09.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerScale OneFS",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "Version 9.2.1.0 through 9.2.1.22, Version 9.4.0.0 through 9.4.0.13, Version 9.5.0.0 through 9.5.0.3"
}
]
}
],
"datePublic": "2023-08-14T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosure vulnerability in NFS. A low privileged attacker could potentially exploit this vulnerability, leading to information disclosure.\u003c/span\u003e\n\n"
}
],
"value": "\nDell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosure vulnerability in NFS. A low privileged attacker could potentially exploit this vulnerability, leading to information disclosure.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230: Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-16T13:32:02.419Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000216717/dsa-2023-269-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2023-32488",
"datePublished": "2023-08-16T13:32:02.419Z",
"dateReserved": "2023-05-09T06:11:48.748Z",
"dateUpdated": "2024-10-08T19:11:09.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50458 (GCVE-0-2023-50458)
Vulnerability from cvelistv5 – Published: 2025-07-10 00:00 – Updated: 2025-07-10 13:13
VLAI?
Summary
In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs.
Severity ?
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dradisframework | Dradis |
Affected:
0 , < 4.11.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50458",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T13:13:36.860229Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T13:13:48.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dradis",
"vendor": "dradisframework",
"versions": [
{
"lessThan": "4.11.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dradisframework:dradis:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users\u0027 jobs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230 Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T03:24:48.095Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/dradis/dradis-ce/tags"
},
{
"url": "https://securiteam.io/2025/07/03/cve-2023-50458-dradis-information-disclosure-output-console/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-50458",
"datePublished": "2025-07-10T00:00:00.000Z",
"dateReserved": "2023-12-10T00:00:00.000Z",
"dateUpdated": "2025-07-10T13:13:48.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10324 (GCVE-0-2024-10324)
Vulnerability from cvelistv5 – Published: 2025-01-24 13:40 – Updated: 2025-01-27 14:54
VLAI?
Summary
The RomethemeKit For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.2 via the register_controls function in widgets/offcanvas-rometheme.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Severity ?
4.3 (Medium)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rometheme | RomethemeKit For Elementor |
Affected:
* , ≤ 1.5.2
(semver)
|
Credits
Ankit Patel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T14:07:40.893895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T14:54:48.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RomethemeKit For Elementor",
"vendor": "rometheme",
"versions": [
{
"lessThanOrEqual": "1.5.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ankit Patel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The RomethemeKit For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.2 via the register_controls function in widgets/offcanvas-rometheme.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230 Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T13:40:58.082Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd726b20-75c9-408e-86fc-061db591a9db?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3220079/rometheme-for-elementor"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-31T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-23T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "RomethemeKit For Elementor \u003c= 1.5.2 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10324",
"datePublished": "2025-01-24T13:40:58.082Z",
"dateReserved": "2024-10-23T22:46:15.248Z",
"dateUpdated": "2025-01-27T14:54:48.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47517 (GCVE-0-2024-47517)
Vulnerability from cvelistv5 – Published: 2025-01-10 21:47 – Updated: 2025-01-13 20:13
VLAI?
Summary
Expired and unusable administrator authentication tokens can be revealed by units that have timed out from ETM access
Severity ?
6.8 (Medium)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arista Networks | Arista Edge Threat Management |
Affected:
17.1.0 , ≤ 17.1.1
(custom)
|
Credits
Mehmet INCE from PRODAFT.com
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:13:17.296191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:13:25.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Arista Edge Threat Management",
"vendor": "Arista Networks",
"versions": [
{
"lessThanOrEqual": "17.1.1",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003col\u003e\u003cli\u003eLog into Edge Threat Management (ETM).\u003c/li\u003e\u003cli\u003eGo to Appliances, and click your target NGFW.\u003c/li\u003e\u003cli\u003eOn the NGFW appliance page, click Remote Access.\u003cp\u003e\u003cimg alt=\"Security Advisory 105\" src=\"https://www.arista.com/assets/images/article/SA105-6.png\"\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003eWith the NGFW UI in a new tab or window, let the connection expire. \u0026nbsp;\u003c/li\u003e\u003cli\u003eAfter the session has expired, any attempt to perform actions will notify you of the need to enable Remote Access again.\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e"
}
],
"value": "* Log into Edge Threat Management (ETM).\n * Go to Appliances, and click your target NGFW.\n * On the NGFW appliance page, click Remote Access.\n\n\n * With the NGFW UI in a new tab or window, let the connection expire. \u00a0\n * After the session has expired, any attempt to perform actions will notify you of the need to enable Remote Access again."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet INCE from PRODAFT.com"
}
],
"datePublic": "2024-10-29T20:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eExpired and unusable administrator authentication tokens can be revealed by units that have timed out from ETM access\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Expired and unusable administrator authentication tokens can be revealed by units that have timed out from ETM access"
}
],
"impacts": [
{
"capecId": "CAPEC-639",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-639"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T21:47:30.950Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/20454-security-advisory-0105"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe recommended resolution for all issues documented above is to upgrade to the version indicated below at your earliest convenience.\u003c/div\u003e\u003cul\u003e\u003cli\u003e17.2 Upgrade\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "The recommended resolution for all issues documented above is to upgrade to the version indicated below at your earliest convenience.\n\n * 17.2 Upgrade"
}
],
"source": {
"advisory": "105",
"defect": [
"NGFW-14754"
],
"discovery": "EXTERNAL"
},
"title": "Expired and unusable administrator authentication tokens can be revealed by units that have timed out from ETM access",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAfter you have completed NGFW operations with Remote Access, close the browser window or tab.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "After you have completed NGFW operations with Remote Access, close the browser window or tab."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-47517",
"datePublished": "2025-01-10T21:47:30.950Z",
"dateReserved": "2024-09-25T20:29:43.984Z",
"dateUpdated": "2025-01-13T20:13:25.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49395 (GCVE-0-2024-49395)
Vulnerability from cvelistv5 – Published: 2024-11-12 02:08 – Updated: 2025-11-21 06:57
VLAI?
Summary
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info.
Severity ?
5.3 (Medium)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:24:06.690435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:24:21.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gitlab.com/muttmua/mutt",
"defaultStatus": "affected",
"packageName": "mutt"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "mutt",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "mutt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "mutt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "mutt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2024-11-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T06:57:29.487Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-49395"
},
{
"name": "RHBZ#2325332",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325332"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-11T21:24:01.125000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-11-11T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Mutt: neomutt: bcc email header field is indirectly leaked by cryptographic info block",
"x_redhatCweChain": "CWE-1230: Exposure of Sensitive Information Through Metadata"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-49395",
"datePublished": "2024-11-12T02:08:03.548Z",
"dateReserved": "2024-10-14T17:56:03.767Z",
"dateUpdated": "2025-11-21T06:57:29.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53291 (GCVE-0-2024-53291)
Vulnerability from cvelistv5 – Published: 2024-12-25 15:02 – Updated: 2024-12-27 14:57
VLAI?
Summary
Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Exposure of Sensitive Information Through Metadata vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
Severity ?
7.5 (High)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dell | NativeEdge |
Affected:
N/A , < 2.1.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-27T14:56:49.387865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-27T14:57:35.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NativeEdge",
"vendor": "Dell",
"versions": [
{
"lessThan": "2.1.0.0",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-12-19T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Exposure of Sensitive Information Through Metadata vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure."
}
],
"value": "Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Exposure of Sensitive Information Through Metadata vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230: Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-25T15:02:42.544Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000258904/dsa-2024-488-security-update-for-dell-nativeedge-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2024-53291",
"datePublished": "2024-12-25T15:02:42.544Z",
"dateReserved": "2024-11-20T06:05:04.566Z",
"dateUpdated": "2024-12-27T14:57:35.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8910 (GCVE-0-2024-8910)
Vulnerability from cvelistv5 – Published: 2024-09-25 06:48 – Updated: 2024-09-25 13:26
VLAI?
Summary
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.5 via the render function in includes/widgets/htmega_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
Severity ?
4.3 (Medium)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| devitemsllc | HT Mega – Absolute Addons For Elementor |
Affected:
* , ≤ 2.6.5
(semver)
|
Credits
Ankit Patel
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8910",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:10:43.141102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:26:21.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HT Mega \u2013 Absolute Addons For Elementor",
"vendor": "devitemsllc",
"versions": [
{
"lessThanOrEqual": "2.6.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ankit Patel"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.5 via the render function in includes/widgets/htmega_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230 Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T06:48:59.659Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09fb88e4-4846-40d3-8a79-a6a867bfb59f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3156058/ht-mega-for-elementor"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-17T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-09-24T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "HT Mega \u2013 Absolute Addons For Elementor \u003c= 2.6.5 - Authenticated (Contributor+) Sensitive Information Exposure via template_id"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8910",
"datePublished": "2024-09-25T06:48:59.659Z",
"dateReserved": "2024-09-16T20:19:07.057Z",
"dateUpdated": "2024-09-25T13:26:21.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9099 (GCVE-0-2024-9099)
Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-03-20 18:18
VLAI?
Summary
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend.
Severity ?
8.8 (High)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| lunary-ai | lunary-ai/lunary |
Affected:
unspecified , < 1.5.7
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9099",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:49:40.677830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:18:54.916Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lunary-ai/lunary",
"vendor": "lunary-ai",
"versions": [
{
"lessThan": "1.5.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230 Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:37.881Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/ffb84fe8-3e60-4200-ac2d-1fd1e1c93e91"
},
{
"url": "https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc"
}
],
"source": {
"advisory": "ffb84fe8-3e60-4200-ac2d-1fd1e1c93e91",
"discovery": "EXTERNAL"
},
"title": "Exposure of Private API Keys in lunary-ai/lunary"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-9099",
"datePublished": "2025-03-20T10:10:37.881Z",
"dateReserved": "2024-09-23T10:38:02.895Z",
"dateUpdated": "2025-03-20T18:18:54.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9447 (GCVE-0-2024-9447)
Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-03-20 18:30
VLAI?
Summary
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss.
Severity ?
6.5 (Medium)
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| transformeroptimus | transformeroptimus/superagi |
Affected:
unspecified , ≤ latest
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9447",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:49:25.542148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:30:29.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "transformeroptimus/superagi",
"vendor": "transformeroptimus",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user\u0027s organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230 Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:10.551Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/c952ea32-3047-42d3-8a3e-e67899e35dfd"
}
],
"source": {
"advisory": "c952ea32-3047-42d3-8a3e-e67899e35dfd",
"discovery": "EXTERNAL"
},
"title": "Exposure of Sensitive Information in transformeroptimus/superagi"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-9447",
"datePublished": "2025-03-20T10:10:10.551Z",
"dateReserved": "2024-10-02T20:27:56.889Z",
"dateUpdated": "2025-03-20T18:30:29.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.