Search
Total
328 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1020009 | 1 Kolide | 1 Fleet | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Fleet before 2.1.2 allows exposure of SMTP credentials. | |||||
| CVE-2019-10239 | 1 Robotronic | 1 Runasspc | 2020-08-24 | 2.1 LOW | 7.8 HIGH |
| Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently, which allows locally authenticated attackers (under the same user context) to obtain cleartext credentials of the stored account. | |||||
| CVE-2019-10630 | 1 Zyxel | 2 Nas326, Nas326 Firmware | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| A plaintext password vulnerability in the Zyxel NAS 326 through 5.21 allows an elevated privileged user to get the admin password of the device. | |||||
| CVE-2019-11369 | 1 Carel | 2 Pcoweb Card, Pcoweb Card Firmware | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device. | |||||
| CVE-2019-12847 | 1 Jetbrains | 1 Hub | 2020-08-24 | 4.0 MEDIUM | 7.2 HIGH |
| In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period. | |||||
| CVE-2019-13179 | 1 Calamares | 1 Calamares | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Calamares versions 3.1 through 3.2.10 copies a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption. | |||||
| CVE-2019-13348 | 1 Eng | 1 Knowage | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases. | |||||
| CVE-2019-4239 | 2 Ibm, Redhat | 2 Cloud Private, Openshift | 2020-08-24 | 2.1 LOW | 7.8 HIGH |
| IBM MQ Advanced Cloud Pak (IBM Cloud Private 1.0.0 through 3.0.1) stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 159465. | |||||
| CVE-2019-6242 | 1 Kentico | 1 Kentico | 2020-08-24 | 4.0 MEDIUM | 7.2 HIGH |
| ** DISPUTED ** Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix it at a future time. | |||||
| CVE-2019-7300 | 1 Articatech | 1 Artica Proxy | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
| Artica Proxy 3.06.200056 allows remote attackers to execute arbitrary commands as root by reading the ressources/settings.inc ldap_admin and ldap_password fields, using these credentials at logon.php, and then entering the commands in the admin.index.php command-line field. | |||||
| CVE-2019-8932 | 1 Rdbrck | 1 Shift | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application. | |||||
| CVE-2019-9867 | 1 Veritas | 1 Netbackup Appliance | 2020-08-24 | 4.0 MEDIUM | 7.2 HIGH |
| An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The proxy server password is displayed to an administrator. | |||||
| CVE-2019-9868 | 1 Veritas | 1 Netbackup Appliance | 2020-08-24 | 4.0 MEDIUM | 7.2 HIGH |
| An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The SMTP password is displayed to an administrator. | |||||
| CVE-2019-9872 | 1 Jetbrains | 1 Intellij Idea | 2020-08-24 | 4.3 MEDIUM | 8.1 HIGH |
| In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8. | |||||
| CVE-2020-8210 | 1 Citrix | 1 Xenmobile Server | 2020-08-20 | 5.0 MEDIUM | 7.5 HIGH |
| Insufficient protection of secrets in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 discloses credentials of a service account. | |||||
| CVE-2020-9404 | 1 Pactware | 1 Pactware | 2020-08-18 | 3.6 LOW | 7.1 HIGH |
| In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in an insecure manner, and may be modified by an attacker with no knowledge of the current passwords. | |||||
| CVE-2020-10609 | 1 Grundfos | 1 Cim 500 | 2020-07-30 | 5.0 MEDIUM | 7.5 HIGH |
| Grundfos CIM 500 v06.16.00 stores plaintext credentials, which may allow sensitive information to be read or allow modification to system settings by someone with access to the device. | |||||
| CVE-2020-14489 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2020-07-30 | 5.0 MEDIUM | 7.5 HIGH |
| OpenClinic GA 5.09.02 and 5.89.05b stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques. | |||||
| CVE-2020-4372 | 1 Ibm | 1 Verify Gateway | 2020-07-24 | 2.1 LOW | 7.8 HIGH |
| IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 179009 | |||||
| CVE-2020-3180 | 1 Cisco | 13 Isr1100, Isr1100-4g, Isr1100-4gltegb and 10 more | 2020-07-23 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated, local attacker to access an affected device by using an account that has a default, static password. This account has root privileges. The vulnerability exists because the affected software has a user account with a default, static password. An attacker could exploit this vulnerability by remotely connecting to an affected system by using this account. A successful exploit could allow the attacker to log in by using this account with root privileges. | |||||
| CVE-2020-0540 | 1 Intel | 1 Active Management Technology Firmware | 2020-07-22 | 5.0 MEDIUM | 7.5 HIGH |
| Insufficiently protected credentials in Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2018-21248 | 1 Mattermost | 1 Mattermost Server | 2020-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials. | |||||
| CVE-2020-11681 | 1 Castel | 2 Nextgen Dvr, Nextgen Dvr Firmware | 2020-06-10 | 4.0 MEDIUM | 8.1 HIGH |
| Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials. | |||||
| CVE-2014-9702 | 1 2pisoftware | 1 Cmfive | 2020-06-04 | 5.0 MEDIUM | 7.5 HIGH |
| system/classes/DbPDO.php in Cmfive through 2015-03-15, when database connectivity malfunctions, allows remote attackers to obtain sensitive information (username and password) via any request, such as a password reset request. | |||||
| CVE-2015-7546 | 2 Openstack, Oracle | 3 Keystone, Keystonemiddleware, Solaris | 2020-06-02 | 6.0 MEDIUM | 7.5 HIGH |
| The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. | |||||
| CVE-2014-8938 | 1 Piwigo | 1 Lexiglot | 2020-06-02 | 2.1 LOW | 7.8 HIGH |
| Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line. | |||||
| CVE-2020-11008 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2020-05-22 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability. | |||||
| CVE-2017-3214 | 1 Milwaukeetool | 1 One-key | 2020-05-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary. | |||||
| CVE-2018-13822 | 1 Broadcom | 1 Project Portfolio Management | 2020-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| Unprotected storage of credentials in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows attackers to access sensitive information. | |||||
| CVE-2020-9523 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2020-04-28 | 6.5 MEDIUM | 8.8 HIGH |
| Insufficiently protected credentials vulnerability on Micro Focus enterprise developer and enterprise server, affecting all version prior to 4.0 Patch Update 16, and version 5.0 Patch Update 6. The vulnerability could allow an attacker to transmit hashed credentials for the user account running the Micro Focus Directory Server (MFDS) to an arbitrary site, compromising that account's security. | |||||
| CVE-2017-18777 | 1 Netgear | 36 D6220, D6220 Firmware, D6400 and 33 more | 2020-04-24 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by administrative password disclosure. This affects D6220 before V1.0.0.28, D6400 before V1.0.0.60, D8500 before V1.0.3.29, DGN2200v4 before 1.0.0.82, DGN2200Bv4 before 1.0.0.82, R6300v2 before 1.0.4.8, R6400 before 1.0.1.20, R6700 before 1.0.1.20, R6900 before 1.0.1.20, R7000 before 1.0.7.10, R7100LG before V1.0.0.32, R7300DST before 1.0.0.52, R7900 before 1.0.1.16, R8000 before 1.0.3.36, R8300 before 1.0.2.94, R8500 before 1.0.2.94, WNDR3400v3 before 1.0.1.12, and WNR3500Lv2 before 1.2.0.40. | |||||
| CVE-2017-18843 | 1 Netgear | 6 D7000, D7000 Firmware, R6700 and 3 more | 2020-04-23 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38, R6800 before 1.1.0.38, and D7000 before 1.0.1.50. | |||||
| CVE-2017-18844 | 1 Netgear | 6 D7000, D7000 Firmware, R6700 and 3 more | 2020-04-23 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38, R6800 before 1.1.0.38, and D7000 before 1.0.1.50. | |||||
| CVE-2017-18845 | 1 Netgear | 4 R6700, R6700 Firmware, R6800 and 1 more | 2020-04-22 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38 and R6800 before 1.1.0.38. | |||||
| CVE-2020-11555 | 1 Castlerock | 1 Snmpc Online | 2020-04-10 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It allows remote attackers to obtain sensitive credential information from backup files. | |||||
| CVE-2020-11560 | 1 Nchsoftware | 1 Express Invoice | 2020-04-08 | 2.1 LOW | 7.8 HIGH |
| NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file. | |||||
| CVE-2016-11029 | 1 Google | 1 Android | 2020-04-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6.0), and N(7.0) software. Attackers can read the password of the Mobile Hotspot in the log because of an unprotected intent. The Samsung ID is SVE-2016-7301 (December 2016). | |||||
| CVE-2019-3942 | 1 Advantech | 1 Webaccess | 2020-04-02 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password. | |||||
| CVE-2020-11449 | 1 Technicolor | 2 Tc7337, Tc7337 Firmware | 2020-04-02 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Technicolor TC7337 8.89.17 devices. An attacker can discover admin credentials in the backup file, aka backupsettings.conf. | |||||
| CVE-2020-2165 | 1 Jfrog | 1 Artifactory | 2020-03-27 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2014-6039 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2020-03-26 | 5.0 MEDIUM | 7.5 HIGH |
| ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000. | |||||
| CVE-2019-18785 | 1 Suitecrm | 1 Suitecrm | 2020-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials. | |||||
| CVE-2020-9324 | 1 Aquaforest | 1 Tiff Server | 2020-03-20 | 5.0 MEDIUM | 7.5 HIGH |
| Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via UNC. | |||||
| CVE-2019-10705 | 1 Westerndigital | 40 Sandisk X600 Sd9sb8w-128g, Sandisk X600 Sd9sb8w-128g Firmware, Sandisk X600 Sd9sb8w-1t00 and 37 more | 2020-03-13 | 4.3 MEDIUM | 7.5 HIGH |
| Western Digital SanDisk X600 devices in certain configurations, a vulnerability in the access control mechanism of the drive may allow data to be decrypted without knowledge of proper authentication credentials. | |||||
| CVE-2017-7510 | 1 Redhat | 1 Ovirt-engine | 2020-02-18 | 4.0 MEDIUM | 8.8 HIGH |
| In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface. | |||||
| CVE-2020-2114 | 1 Jenkins | 1 S3 Publisher | 2020-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-19823 | 11 Ciktel, Coship, Fg-products and 8 more | 36 Mesh Router, Mesh Router Firmware, Emta Ap and 33 more | 2020-02-06 | 5.0 MEDIUM | 7.5 HIGH |
| A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12. | |||||
| CVE-2013-2672 | 1 Brother | 2 Mfc-9970cdw, Mfc-9970cdw Firmware | 2020-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| Brother MFC-9970CDW devices with firmware 0D allow cleartext submission of passwords. | |||||
| CVE-2020-7909 | 1 Jetbrains | 1 Teamcity | 2020-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains TeamCity before 2019.1.5, some server-stored passwords could be shown via the web UI. | |||||
| CVE-2014-2581 | 2 Fedoraproject, Smb4k Project | 2 Fedora, Smb4k | 2020-01-30 | 5.0 MEDIUM | 7.5 HIGH |
| Smb4K before 1.1.1 allows remote attackers to obtain credentials via vectors related to the cuid option in the "Additional options" line edit. | |||||