Filtered by CWE-200
Total 9490 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-53624 2025-07-09 10 Critical
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.
CVE-2025-34031 1 Geoffrowland 1 Jmol 2025-07-09 7.5 High
A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials.
CVE-2025-4798 1 Wp-downloadmanager Project 1 Wp-downloadmanager 2025-07-09 4.9 Medium
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
CVE-2025-34084 2025-07-09 N/A
An unauthenticated information disclosure vulnerability exists in the WordPress Total Upkeep plugin (also known as BoldGrid Backup) prior to version 1.14.10. The plugin exposes multiple endpoints that allow unauthenticated users to retrieve detailed server configuration (env-info.php) and discover backup metadata (restore-info.json). These backups, which may include full SQL database dumps, are accessible without authentication if their paths are known or guessed. The restore-info.json endpoint discloses the absolute filesystem path of the latest backup, which attackers can convert into a web-accessible URL under wp-content/uploads/ and download. Extracting the database archive may yield credential hashes from the wp_users table, facilitating offline password cracking or credential stuffing attacks.
CVE-2025-47969 1 Microsoft 4 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 1 more 2025-07-09 4.4 Medium
Exposure of sensitive information to an unauthorized actor in Windows Hello allows an authorized attacker to disclose information locally.
CVE-2025-26667 1 Microsoft 7 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 4 more 2025-07-09 6.5 Medium
Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2019-5418 5 Debian, Fedoraproject, Opensuse and 2 more 8 Debian Linux, Fedora, Leap and 5 more 2025-07-09 7.5 High
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
CVE-2024-6448 1 Mollie 1 Mollie Payments For Woocommerce 2025-07-09 5.3 Medium
The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 7.7.0. This is due to the error reporting being enabled by default in multiple plugin files. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.
CVE-2025-47980 2025-07-09 6.2 Medium
Exposure of sensitive information to an unauthorized actor in Windows Imaging Component allows an unauthorized attacker to disclose information locally.
CVE-2023-36908 1 Microsoft 12 Windows 10, Windows 10 1607, Windows 10 1809 and 9 more 2025-07-09 6.5 Medium
Windows Hyper-V Information Disclosure Vulnerability
CVE-2025-49741 1 Microsoft 1 Edge Chromium 2025-07-08 7.4 High
No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVE-2025-49664 2025-07-08 5.5 Medium
Exposure of sensitive information to an unauthorized actor in Windows User-Mode Driver Framework Host allows an authorized attacker to disclose information locally.
CVE-2025-48808 2025-07-08 5.5 Medium
Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally.
CVE-2025-49671 2025-07-08 6.5 Medium
Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
CVE-2025-53512 2025-07-08 6.5 Medium
The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information.
CVE-2024-37325 1 Microsoft 1 Azure Data Science Virtual Machine 2025-07-08 8.1 High
Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability
CVE-2024-35263 1 Microsoft 1 Dynamics 365 2025-07-08 5.7 Medium
Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2024-30096 1 Microsoft 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more 2025-07-08 5.5 Medium
Windows Cryptographic Services Information Disclosure Vulnerability
CVE-2025-4536 1 Gosuncntech 1 Group Audio-visual Integrated Management 2025-07-08 5.3 Medium
A vulnerability has been found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysmgr/user/listByPage. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-4535 1 Gosuncntech 1 Group Audio-visual Integrated Management 2025-07-08 5.3 Medium
A vulnerability, which was classified as problematic, was found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 4.0. Affected is an unknown function of the file /config/config.properties of the component Configuration File Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.