Volume encryption in Synology Storage Manager before version 1.0.1-1100 transmits sensitive data via HTTP GET query strings, exposing encryption-related secrets to local attackers who can access web server logs, browser history, or other locally readable URL artifacts. The flaw (CWE-598) requires no privileges or user interaction beyond local system presence, and carries a High confidentiality impact rating because credentials or passphrases associated with volume encryption may be recoverable from logged GET requests. No public exploit exists and EPSS sits at the 1st percentile, indicating no widespread exploitation activity at time of analysis.
JWT bearer tokens leak to logs and external sites when passed via a URL query parameter in Portainer's authentication middleware. Any user with container exec or attach privileges, not just administrators, exposes their authentication token through reverse-proxy access logs, browser history, and HTTP Referer headers when using Portainer's browser-based container shell features. A leaked token grants the victim's full privileges for up to 8 hours (the default expiration). Vendor-released patches are available in versions 2.33.8, 2.39.2, and 2.41.0. No public exploit identified at time of analysis, though exploitation complexity is moderate once an attacker gains log access.
HCL AION exposes sensitive information through URL parameters, allowing disclosure via browser history, server logs, and intermediary systems. The vulnerability requires adjacent network access, high interaction complexity, and authenticated user involvement, resulting in limited confidentiality impact with a CVSS score of 2.6. No active exploitation has been confirmed.
Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover: an unauthenticated attacker captures the redirect URL from server logs, browser history, or referrer leakage, then replays the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow. No active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and a patch has been released by the vendor.
V2Board through version 1.7.4 exposes sensitive server authentication tokens via GET parameters in the UniProxy API endpoint, causing tokens to be recorded in web server access logs, browser history, HTTP Referer headers, and intermediary proxies. An attacker who obtains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic passing through that node.
Apache OpenMeetings REST login endpoint exposes credentials through HTTP GET query parameters, enabling credential harvesting via browser history, server logs, referrer headers, and intermediate proxies. Affects versions 3.1.3 through 8.x. CVSS 7.5 HIGH reflects unauthenticated network-accessible information disclosure with no user interaction required. No public exploit identified at time of analysis, low observed exploitation activity (EPSS 0.02%).
Immich prior to version 2.6.0 discloses shared album passwords in cleartext within URL query parameters during authentication to /api/shared-links/me, exposing credentials to browser history, proxy logs, server logs, and HTTP referrer headers. An unauthenticated attacker with access to these logs or referrer data can obtain album passwords and compromise shared album access, affecting all installations using shared albums with password protection before the patch.
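The V2Board, Apache OpenMeetings and Immich entries above all end the same way: the credential is sitting in an access log, and whoever can read the log owns it. The block below is an added example (not code from any of those projects) that scans combined-format access log lines for query parameters whose names suggest a credential, reports each hit in the request target or the Referer field, and produces a redacted copy of the line suitable for retention. The sample log lines are constructed; the parameter-name list is an assumption for this example and should be tuned to the applications actually behind the proxy.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one credential-bearing query parameter seen in an access log.
type Finding struct {
	Line     int    // 1-based index of the log line
	Where    string // "request" or "referer"
	Param    string // parameter name as it appeared in the URL
	Redacted string // the log line with every sensitive value masked
}

// sensitiveParams is an assumed list for this example: names used by the
// advisories above (token, password, encodedPass, state) plus common variants.
var sensitiveParams = map[string]bool{
	"token": true, "access_token": true, "jwt": true, "api_key": true, "apikey": true,
	"password": true, "passwd": true, "pass": true, "encodedpass": true,
	"secret": true, "session": true, "state": true,
}

// Combined log format: client ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
var combinedRe = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"`)

// redactQuery masks the value of every sensitive parameter in rawURL and
// returns the rewritten URL plus the parameter names that were hit. It works
// on the raw query so the rest of the URL is preserved byte for byte.
func redactQuery(rawURL string) (string, []string) {
	u, err := url.Parse(rawURL)
	if err != nil || u.RawQuery == "" {
		return rawURL, nil
	}
	var hits []string
	parts := strings.Split(u.RawQuery, "&")
	for i, p := range parts {
		name, _, hasVal := strings.Cut(p, "=")
		if hasVal && sensitiveParams[strings.ToLower(name)] {
			parts[i] = name + "=[REDACTED]"
			hits = append(hits, name)
		}
	}
	u.RawQuery = strings.Join(parts, "&")
	return u.String(), hits
}

// ScanAccessLog checks both the request target and the Referer of each line:
// a token in the referer is exactly the "leaks to external sites" case.
func ScanAccessLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := combinedRe.FindStringSubmatch(line)
		if m == nil {
			continue // not combined format; a real scanner would count these
		}
		target, referer := m[3], m[5]
		newTarget, hitsT := redactQuery(target)
		newRef, hitsR := redactQuery(referer)
		redacted := line
		if len(hitsT) > 0 {
			redacted = strings.Replace(redacted, target, newTarget, 1)
		}
		if len(hitsR) > 0 {
			redacted = strings.Replace(redacted, referer, newRef, 1)
		}
		for _, p := range hitsT {
			findings = append(findings, Finding{i + 1, "request", p, redacted})
		}
		for _, p := range hitsR {
			findings = append(findings, Finding{i + 1, "referer", p, redacted})
		}
	}
	return findings
}

// sampleLog is constructed for this example; only /api/shared-links/me is a
// path named in the advisories, the others are placeholders.
var sampleLog = []string{
	`10.0.0.5 - - [10/Oct/2024:13:55:36 +0000] "GET /api/shared-links/me?password=hunter2 HTTP/1.1" 200 512 "https://photos.example.test/s/abc" "Mozilla/5.0"`,
	`10.0.0.7 - - [10/Oct/2024:13:56:01 +0000] "GET /api/node/config?token=s3cr3tn0de&node_id=12 HTTP/1.1" 200 77 "-" "curl/8.0"`,
	`10.0.0.9 - - [10/Oct/2024:13:57:12 +0000] "GET /assets/logo.png HTTP/1.1" 200 4012 "https://app.example.test/dashboard?token=eyJhbGciOiJIUzI1NiJ9.e30.abc" "Mozilla/5.0"`,
	`10.0.0.9 - - [10/Oct/2024:13:58:00 +0000] "POST /api/login HTTP/1.1" 204 0 "-" "Mozilla/5.0"`,
}

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("line %d: %s param %q\n  %s\n", f.Line, f.Where, f.Param, f.Redacted)
	}
}
```

Run over a real log this is a triage tool, not a fix: every hit means the value must be treated as compromised and rotated, and the application (or the proxy, by rewriting the request line before logging) must stop putting it in the URL.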
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability in which sensitive data is exposed through HTTP GET query strings, allowing an attacker with low privileges and network access to obtain confidential information via man-in-the-middle techniques. The CVSS score of 3.1 reflects low severity due to high attack complexity and the privileges required. A patch is available from IBM; the issue is a classic cleartext credential exposure in an enterprise data integration platform.
PinchTab versions 0.7.8 through 0.8.3 accept API authentication tokens via URL query parameters (?token=...) in addition to the Authorization header, an unsafe credential transport pattern that exposes tokens through intermediary logs, browser history, shell history, and clipboard history. This is not a direct authentication bypass, since an attacker must first obtain the token from one of those secondary sources, but the risk is compounded by first-party dashboard setup flows that generate and consume tokenized URLs, which makes practical exposure more likely. The issue was resolved in version 0.8.4 by removing query-string token authentication entirely and enforcing header-based authentication.
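The Portainer and PinchTab entries describe the same middleware mistake: the bearer token is read from the Authorization header, with a fallback to ?token= that puts the credential into every log and Referer header on the path. The block below is an added example, not code from either project, showing that extractor beside a hardened one that reads the header only and rejects requests still carrying the query form so that migrating clients fail loudly instead of silently working and leaking. The paths, the demo token and the verify callback are placeholders assumed for this example; real token validation (signature, expiry) is left to whatever verifier the application already has.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var (
	ErrNoToken      = errors.New("no bearer token in Authorization header")
	ErrTokenInQuery = errors.New("credential passed in URL query string; use the Authorization header")
)

// tokenFromRequestLegacy is the pattern the advisories describe: header first,
// then a fallback to ?token=. The fallback is what lands the credential in
// access logs, browser history and Referer headers. (Illustrative reconstruction.)
func tokenFromRequestLegacy(r *http.Request) (string, error) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer "), nil
	}
	if t := r.URL.Query().Get("token"); t != "" {
		return t, nil
	}
	return "", ErrNoToken
}

// tokenFromRequestHardened accepts the header only. A request that still
// carries ?token= is refused outright (the token has already been exposed by
// the time it arrives, but refusing it stops the client from relying on it).
func tokenFromRequestHardened(r *http.Request) (string, error) {
	if r.URL.Query().Has("token") {
		return "", ErrTokenInQuery
	}
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return "", ErrNoToken
	}
	return strings.TrimPrefix(h, "Bearer "), nil
}

// requireBearer wraps a handler with the hardened extractor; verify is the
// application's own token check (a stand-in here).
func requireBearer(next http.HandlerFunc, verify func(string) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok, err := tokenFromRequestHardened(r)
		switch {
		case errors.Is(err, ErrTokenInQuery):
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		case err != nil || !verify(tok):
			w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// accessLogLine shows what a reverse proxy records for the request: the query
// string, token included, is logged; the Authorization header is not.
func accessLogLine(r *http.Request) string {
	return fmt.Sprintf("%s - - %q ref=%q", r.RemoteAddr,
		r.Method+" "+r.URL.RequestURI()+" "+r.Proto, r.Referer())
}

func main() {
	verify := func(t string) bool { return t == "demo-token" } // placeholder for JWT verification
	handler := requireBearer(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) }, verify)

	viaQuery := httptest.NewRequest("GET", "/api/containers/exec?token=demo-token", nil) // hypothetical path
	viaHeader := httptest.NewRequest("GET", "/api/containers/exec", nil)
	viaHeader.Header.Set("Authorization", "Bearer demo-token")

	for _, r := range []*http.Request{viaQuery, viaHeader} {
		rec := httptest.NewRecorder()
		handler(rec, r)
		fmt.Printf("%s -> %d\n", accessLogLine(r), rec.Code)
	}
}
```

Rejecting with 400 rather than quietly ignoring the parameter is deliberate: the PinchTab fix removed query-string authentication entirely, and a client that keeps sending ?token= after the upgrade should break in testing rather than keep leaking in production. Browser-side features that cannot send a header (WebSocket upgrades for a container shell, for instance) need a short-lived, single-use ticket exchanged for the session token rather than the token itself in the URL.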
Gainsight Assist contains an information disclosure vulnerability where user email addresses (PII) are exposed in base64-encoded format within the OAuth callback URL's state parameter. This affects all versions of Gainsight Assist and allows unauthenticated remote attackers to extract sensitive personal information with no user interaction required. The vulnerability has a CVSS score of 5.3 (moderate) with confirmed disclosure via Rapid7, and patch availability has been documented in vendor advisories.