CWE-200

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is synchronised with Active Directory (AD), this vulnerability can expose the account names of all AD users. NOTE: this CVE is assigned by MITRE and isn’t validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

Citrix ShareFile StorageZones Controller before 5.4.2 has Information Exposure Through an Error Message.

IBM Maximo Asset Management 7.6 could allow an authenticated user to enumerate usernames using a specially crafted HTTP request. IBM X-Force ID: 145966.

Monstra CMS V3.0.4 has an information leakage risk (e.g., PATH, DOCUMENT_ROOT, and SERVER_ADMIN) in libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php.

IBM Maximo Asset Management 7.6 through 7.6.3 could allow an unauthenticated attacker to obtain sensitive information from error messages. IBM X-Force ID: 145967.

sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the “allowed_uids” configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.