Search
Total
20 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-3470 | 1 F5 | 41 Big-ip 10200v-f, Big-ip 10200v-f Firmware, Big-ip 10350v-f and 38 more | 2023-08-07 | N/A | 6.1 MEDIUM |
| Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest. The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F. The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2020-8632 | 3 Canonical, Debian, Opensuse | 3 Cloud-init, Debian Linux, Leap | 2022-01-01 | 2.1 LOW | 5.5 MEDIUM |
| In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. | |||||
| CVE-2020-8296 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2022-01-01 | 4.6 MEDIUM | 6.7 MEDIUM |
| Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured. | |||||
| CVE-2021-41696 | 1 Globaldatingsoftware | 1 Premiumdatingscript | 2021-12-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| An authentication bypass (account takeover) vulnerability exists in Premiumdatingscript 4.2.7.7 due to a weak password reset mechanism in requests\user.php. | |||||
| CVE-2021-28914 | 1 Bab-technologie | 2 Eibport, Eibport Firmware | 2021-09-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow the user to set a weak password because the strength is shown in configuration tool, but finally not enforced. This is usable and part of an attack chain to gain SSH root access. | |||||
| CVE-2021-1522 | 1 Cisco | 1 Connected Mobile Experiences | 2021-08-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the change password API of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, remote attacker to alter their own password to a value that does not comply with the strong authentication requirements that are configured on an affected device. This vulnerability exists because a password policy check is incomplete at the time a password is changed at server side using the API. An attacker could exploit this vulnerability by sending a specially crafted API request to the affected device. A successful exploit could allow the attacker to change their own password to a value that does not comply with the configured strong authentication requirements. | |||||
| CVE-2019-14833 | 3 Fedoraproject, Opensuse, Samba | 3 Fedora, Leap, Samba | 2021-05-29 | 4.9 MEDIUM | 5.4 MEDIUM |
| A flaw was found in Samba, all versions starting samba 4.5.0 before samba 4.9.15, samba 4.10.10, samba 4.11.2, in the way it handles a user password change or a new password for a samba user. The Samba Active Directory Domain Controller can be configured to use a custom script to check for password complexity. This configuration can fail to verify password complexity when non-ASCII characters are used in the password, which could lead to weak passwords being set for samba users, making it vulnerable to dictionary attacks. | |||||
| CVE-2020-27585 | 1 Quickheal | 1 Total Security | 2020-12-04 | 2.1 LOW | 4.4 MEDIUM |
| Quick Heal Total Security before 19.0 allows attackers with local admin rights to modify sensitive anti virus settings via a brute-attack on the settings password. | |||||
| CVE-2020-27587 | 1 Quickheal | 1 Total Security | 2020-12-01 | 2.1 LOW | 6.7 MEDIUM |
| Quick Heal Total Security before 19.0 allows attackers with local admin rights to obtain access to files in the File Vault via a brute-force attack on the password. | |||||
| CVE-2019-18828 | 1 Barco | 8 Clickshare Cs-100, Clickshare Cs-100 Firmware, Clickshare Cse-200 and 5 more | 2020-08-24 | 7.2 HIGH | 6.8 MEDIUM |
| Barco ClickShare Button R9861500D01 devices before 1.9.0 have Insufficiently Protected Credentials. The root account (present for access via debug interfaces, which are by default not enabled on production devices) of the embedded Linux on the ClickShare Button is using a weak password. | |||||
| CVE-2015-8033 | 1 Textpattern | 1 Textpattern | 2020-08-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account. | |||||
| CVE-2020-7492 | 1 Schneider-electric | 1 Gp-pro Ex Firmware | 2020-06-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| A CWE-521: Weak Password Requirements vulnerability exists in the GP-Pro EX V1.00 to V4.09.100 which could cause the discovery of the password when the user is entering the password because it is not masqueraded. | |||||
| CVE-2019-19093 | 1 Abb | 1 Esoms | 2020-04-03 | 6.4 MEDIUM | 6.5 MEDIUM |
| eSOMS versions 4.0 to 6.0.3 do not enforce password complexity settings, potentially resulting in lower access security due to insecure user passwords. | |||||
| CVE-2018-5389 | 1 Ietf | 1 Internet Key Exchange | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network. | |||||
| CVE-2017-1386 | 1 Ibm | 2 Api Connect, Api Management | 2019-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM API Connect 5.0.0.0 could allow a user to bypass policy restrictions and create non-compliant passwords which could be intercepted and decrypted using man in the middle techniques. IBM X-Force ID: 127160. | |||||
| CVE-2018-16703 | 1 Gleeztech | 1 Gleez Cms | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI. | |||||
| CVE-2017-7306 | 1 Riverbed | 1 Rios | 2019-10-03 | 1.9 LOW | 6.4 MEDIUM |
| ** DISPUTED ** Riverbed RiOS through 9.6.0 has a weak default password for the secure vault, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism by leveraging knowledge of the password algorithm and the appliance serial number. NOTE: the vendor believes that this does not meet the definition of a vulnerability. The product contains correct computational logic for supporting arbitrary password changes by customers; however, a password change is optional to meet different customers' needs. | |||||
| CVE-2017-7305 | 1 Riverbed | 1 Rios | 2019-10-03 | 2.1 LOW | 4.6 MEDIUM |
| ** DISPUTED ** Riverbed RiOS through 9.6.0 does not require a bootloader password, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism via a crafted boot. NOTE: the vendor believes that this does not meet the definition of a vulnerability. The product contains correct computational logic for a bootloader password; however, this password is optional to meet different customers' needs. | |||||
| CVE-2017-7150 | 1 Apple | 1 Mac Os X | 2019-10-03 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.13 Supplemental Update is affected. The issue involves the "Security" component. It allows attackers to bypass the keychain access prompt, and consequently extract passwords, via a synthetic click. | |||||
| CVE-2017-6339 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by a root CA. An attacker with low privileges can download the current CA certificate and Private Key (either the default ones or ones uploaded by administrators) and use those to decrypt HTTPS traffic, thus compromising confidentiality. Also, the default Private Key on this appliance is encrypted with a very weak passphrase. If an appliance uses the default Certificate and Private Key provided by Trend Micro, an attacker can simply download these and decrypt the Private Key using the default/weak passphrase. | |||||