Search
Total
738 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8375 | 1 Bd | 1 Alaris 8015 Pc Unit | 2017-03-16 | 1.9 LOW | 4.9 MEDIUM |
| An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. | |||||
| CVE-2016-9355 | 1 Bd | 1 Alaris 8015 Pc Unit | 2017-03-16 | 2.1 LOW | 5.3 MEDIUM |
| An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience. | |||||
| CVE-2016-10103 | 1 Hiteksoftware | 1 Automize | 2017-03-16 | 4.3 MEDIUM | 8.1 HIGH |
| Information Disclosure can occur in encryptionProfiles.jsd in Hitek Software's Automize because of the Read attribute being set for Users. This allows an attacker to recover encrypted passwords for GPG Encryption profiles. Verified in all 10.x versions up to and including 10.25, and all 11.x versions up to and including 11.14. | |||||
| CVE-2016-10101 | 1 Hiteksoftware | 1 Automize | 2017-03-15 | 4.3 MEDIUM | 8.1 HIGH |
| Information Disclosure can occur in Hitek Software's Automize 10.x and 11.x passManager.jsd. Users have the Read attribute, which allows an attacker to recover the encrypted password to access the Password Manager. | |||||
| CVE-2016-8566 | 1 Siemens | 1 Sicam Pas | 2017-02-28 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in Siemens SICAM PAS before 8.00. Because of Storing Passwords in a Recoverable Format, an authenticated local attacker with certain privileges could possibly reconstruct the passwords of users for accessing the database. | |||||
| CVE-2016-4670 | 1 Apple | 2 Iphone Os, Mac Os X | 2017-02-21 | 2.1 LOW | 3.3 LOW |
| An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. The issue involves the "Security" component. It allows local users to discover lengths of arbitrary passwords by reading a log. | |||||
| CVE-2016-9348 | 1 Moxa | 51 Nport 5100 Series Firmware, Nport 5100a Series Firmware, Nport 5110 and 48 more | 2017-02-17 | 2.1 LOW | 3.3 LOW |
| An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. A configuration file contains parameters that represent passwords in plaintext. | |||||
| CVE-2016-8378 | 1 Lynxspring | 1 Jenesys Bas Bridge | 2017-02-17 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application's database lacks sufficient safeguards for protecting credentials. | |||||
| CVE-2016-5950 | 1 Ibm | 1 Kenexa Lcms Premier | 2017-02-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Kenexa LCMS Premier on Cloud stores user credentials in plain in clear text which can be read by an authenticated user. | |||||
| CVE-2016-8918 | 1 Ibm | 1 Integration Bus | 2017-02-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Integration Bus, under non default configurations, could allow a remote user to authenticate without providing valid credentials. | |||||
| CVE-2016-8967 | 5 Hp, Ibm, Linux and 2 more | 7 Hp-ux, Aix, Bigfix Inventory and 4 more | 2017-02-09 | 2.1 LOW | 5.5 MEDIUM |
| IBM BigFix Inventory v9 9.2 stores user credentials in plain in clear text which can be read by a local user. | |||||
| CVE-2016-3130 | 1 Blackberry | 1 Enterprise Service | 2017-02-03 | 4.3 MEDIUM | 8.1 HIGH |
| An information disclosure vulnerability in the Core and Management Console in BlackBerry Enterprise Server (BES) 12 through 12.5.2 allows remote attackers to obtain local or domain credentials of an administrator or user account by sniffing traffic between the two elements during a login attempt. | |||||
| CVE-2016-9081 | 1 Joomla | 1 Joomla\! | 2017-01-26 | 7.5 HIGH | 9.8 CRITICAL |
| Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via unspecified vectors. | |||||
| CVE-2014-3489 | 1 Redhat | 1 Cloudforms 3.0 Management Engine | 2017-01-07 | 4.3 MEDIUM | N/A |
| lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. | |||||
| CVE-2013-4496 | 1 Samba | 1 Samba | 2017-01-07 | 5.0 MEDIUM | N/A |
| Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts. | |||||
| CVE-2014-2198 | 1 Cisco | 2 Unified Cdm Platform Software, Unified Communications Domain Manager | 2017-01-07 | 10.0 HIGH | N/A |
| Cisco Unified Communications Domain Manager (CDM) in Unified CDM Platform Software before 4.4.2 has a hardcoded SSH private key, which makes it easier for remote attackers to obtain access to the support and root accounts by extracting this key from a binary file found in a different installation of the product, aka Bug ID CSCud41130. | |||||
| CVE-2015-6316 | 1 Cisco | 1 Mobility Services Engine | 2017-01-06 | 6.5 MEDIUM | N/A |
| The default configuration of sshd_config in Cisco Mobility Services Engine (MSE) through 8.0.120.7 allows logins by the oracle account, which makes it easier for remote attackers to obtain access by entering this account's hardcoded password in an SSH session, aka Bug ID CSCuv40501. | |||||
| CVE-2015-4319 | 1 Cisco | 1 Telepresence Video Communication Server Software | 2017-01-04 | 5.5 MEDIUM | N/A |
| The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338. | |||||
| CVE-2016-9204 | 1 Cisco | 2 Nexus 1000v, Nexus 1000v Intercloud Firmware | 2017-01-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the Cisco Intercloud Fabric (ICF) Director could allow an unauthenticated, remote attacker to connect to internal services with an internal account. Affected Products: Cisco Nexus 1000V InterCloud is affected. More Information: CSCus99379. Known Affected Releases: 2.2(1). | |||||
| CVE-2016-7456 | 1 Vmware | 1 Vsphere Data Protection | 2017-01-03 | 10.0 HIGH | 9.8 CRITICAL |
| VMware vSphere Data Protection (VDP) 5.5.x though 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session. | |||||
| CVE-2014-7823 | 1 Redhat | 1 Libvirt | 2017-01-03 | 5.0 MEDIUM | N/A |
| The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag. | |||||
| CVE-2015-4196 | 1 Cisco | 1 Unified Communications Domain Manager | 2016-12-28 | 5.0 MEDIUM | N/A |
| Platform Software before 4.4.5 in Cisco Unified Communications Domain Manager (CDM) 8.x has a hardcoded password for a privileged account, which allows remote attackers to obtain root access by leveraging knowledge of this password and entering it in an SSH session, aka Bug ID CSCuq45546. | |||||
| CVE-2016-2871 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2016-12-15 | 4.6 MEDIUM | 7.8 HIGH |
| IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 uses cleartext storage for unspecified passwords, which allows local users to obtain sensitive information by reading a configuration file. | |||||
| CVE-2015-6524 | 2 Apache, Fedoraproject | 2 Activemq, Fedora | 2016-12-09 | 5.0 MEDIUM | N/A |
| The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types. | |||||
| CVE-2015-6846 | 1 Emc | 1 Sourceone Email Supervisor | 2016-12-08 | 6.8 MEDIUM | N/A |
| EMC SourceOne Email Supervisor before 7.2 uses hardcoded encryption keys, which makes it easier for attackers to obtain access by examining how a program's code conducts cryptographic operations. | |||||
| CVE-2015-7283 | 1 Zyxel | 2 Nbg-418n, Nbg-418n Firmware | 2016-12-07 | 9.3 HIGH | 8.1 HIGH |
| The web administration interface on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 has a default password of 1234 for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session. | |||||
| CVE-2015-6424 | 1 Cisco | 1 Application Policy Infrastructure Controller | 2016-12-07 | 7.2 HIGH | N/A |
| The boot manager in Cisco Application Policy Infrastructure Controller (APIC) 1.1(0.920a) allows local users to bypass intended access restrictions and obtain single-user-mode root access via unspecified vectors, aka Bug ID CSCuu83985. | |||||
| CVE-2015-6336 | 1 Cisco | 5 Aironet 1830e, Aironet 1830i, Aironet 1850e and 2 more | 2016-12-07 | 7.5 HIGH | 7.3 HIGH |
| Cisco Aironet 1800 devices with software 7.2, 7.3, 7.4, 8.1(112.3), 8.1(112.4), and 8.1(15.14) have a default account, which makes it easier for remote attackers to obtain access via unspecified vectors, aka Bug ID CSCuw58062. | |||||
| CVE-2015-6016 | 1 Zyxel | 4 Nbg-418n, P-660hw-t1 2, Pmg5318-b20a Firmware and 1 more | 2016-12-07 | 10.0 HIGH | 9.8 CRITICAL |
| ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0), PMG5318-B20A devices with firmware 1.00AANC0b5, and NBG-418N devices have a default password of 1234 for the admin account, which allows remote attackers to obtain administrative access via unspecified vectors. | |||||
| CVE-2015-2864 | 1 Retrospect | 2 Retrospect, Retrospect Client | 2016-12-07 | 5.0 MEDIUM | N/A |
| Retrospect and Retrospect Client before 10.0.2.119 on Windows, before 12.0.2.116 on OS X, and before 10.0.2.104 on Linux improperly generate password hashes, which makes it easier for remote attackers to bypass authentication and obtain access to backup files by leveraging a collision. | |||||
| CVE-2010-0015 | 1 Gnu | 1 Glibc | 2016-12-07 | 7.5 HIGH | N/A |
| nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function. | |||||
| CVE-2016-2936 | 1 Ibm | 1 Bigfix Remote Control | 2016-12-06 | 5.0 MEDIUM | 7.3 HIGH |
| IBM BigFix Remote Control before 9.1.3 uses cleartext storage for unspecified passwords, which allows local users to obtain sensitive information via unknown vectors. | |||||
| CVE-2016-1984 | 1 Harman | 1 Amx Firmware | 2016-12-06 | 10.0 HIGH | 9.8 CRITICAL |
| The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2016-01-20 has a hardcoded password for the 1MB@tMaN account, which makes it easier for remote attackers to obtain access via a (1) SSH or (2) HTTP session, a different vulnerability than CVE-2015-8362. | |||||
| CVE-2016-1307 | 1 Cisco | 2 Finesse, Unified Contact Center Express | 2016-12-06 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Openfire server in Cisco Finesse Desktop 10.5(1) and 11.0(1) and Unified Contact Center Express 10.6(1) has a hardcoded account, which makes it easier for remote attackers to obtain access via an XMPP session, aka Bug ID CSCuw79085. | |||||
| CVE-2016-1341 | 1 Cisco | 1 Nx-os | 2016-12-06 | 6.9 MEDIUM | 9.8 CRITICAL |
| Cisco NX-OS 7.0(1)N1(1), 7.0(1)N1(3), and 7.0(4)N1(1) on Nexus 2000 Fabric Extender devices has a blank root password, which allows local users to gain privileges via unspecified vectors, aka Bug ID CSCur22079. | |||||
| CVE-2015-3957 | 1 Hospira | 3 Lifecare Pca3, Lifecare Pca5, Lifecare Pcainfusion Firmware | 2016-12-06 | 4.6 MEDIUM | N/A |
| Hospira LifeCare PCA Infusion System before 7.0 stores private keys and certificates, which has unspecified impact and attack vectors. | |||||
| CVE-2014-9687 | 1 Ecryptfs | 1 Ecryptfs-utils | 2016-12-06 | 5.0 MEDIUM | N/A |
| eCryptfs 104 and earlier uses a default salt to encrypt the mount passphrase, which makes it easier for attackers to obtain user passwords via a brute force attack. | |||||
| CVE-2015-2012 | 1 Ibm | 1 Websphere Mq | 2016-12-06 | 2.1 LOW | 4.0 MEDIUM |
| The MQXR service in WMQ Telemetry in IBM WebSphere MQ 7.1 before 7.1.0.7, 7.5 through 7.5.0.5, and 8.0 before 8.0.0.4 uses world-readable permissions for a cleartext file containing the SSL keystore password, which allows local users to obtain sensitive information by reading this file. | |||||
| CVE-2016-5890 | 1 Ibm | 1 Sterling B2b Integrator | 2016-12-03 | 3.5 LOW | 5.3 MEDIUM |
| IBM Sterling B2B Integrator 5.2 before 5020500_14 and 5.2 06 before 5020602_1 allows remote authenticated users to change arbitrary passwords via unspecified vectors. | |||||
| CVE-2016-1356 | 1 Cisco | 1 Firesight System Software | 2016-12-03 | 4.3 MEDIUM | 3.7 LOW |
| Cisco FireSIGHT System Software 6.1.0 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to enumerate valid usernames by measuring timing differences, aka Bug ID CSCuy41615. | |||||
| CVE-2015-7915 | 1 Sauter | 1 Moduweb Vision | 2016-12-03 | 10.0 HIGH | 9.8 CRITICAL |
| Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. | |||||
| CVE-2015-2766 | 1 Websense | 1 Triton Ap Email | 2016-12-03 | 5.0 MEDIUM | N/A |
| The Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8.0.0 allows attackers to have unspecified impact via a brute force attack. | |||||
| CVE-2016-1601 | 1 Suse | 4 Linux Enterprise Desktop, Linux Enterprise Server, Linux Enterprise Software Development Kit and 1 more | 2016-12-01 | 10.0 HIGH | 9.8 CRITICAL |
| yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-5838 | 1 Wordpress | 1 Wordpress | 2016-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | |||||
| CVE-2015-7462 | 1 Ibm | 1 Websphere Mq | 2016-11-30 | 2.1 LOW | 4.4 MEDIUM |
| IBM WebSphere MQ 8.0.0.4 on IBM i platforms allows local users to discover cleartext certificate-keystore passwords within MQ trace output by leveraging administrator privileges to execute the mqcertck program. | |||||
| CVE-2015-1950 | 1 Ibm | 1 Powervc | 2016-11-30 | 4.6 MEDIUM | N/A |
| IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code. | |||||
| CVE-2016-6531 | 1 Opendental | 1 Opendental | 2016-11-28 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** Open Dental 16.1 and earlier has a hardcoded MySQL root password, which allows remote attackers to obtain administrative access by leveraging access to intranet TCP port 3306. NOTE: the vendor disputes this issue, stating that the "vulnerability note ... is factually false ... there is indeed a default blank password, but it can be changed ... We recommend that users change it, each customer receives direction." | |||||
| CVE-2016-5848 | 1 Siemens | 1 Sicam Pas | 2016-11-28 | 1.7 LOW | 6.7 MEDIUM |
| Siemens SICAM PAS before 8.07 does not properly restrict password data in the database, which makes it easier for local users to calculate passwords by leveraging unspecified database privileges. | |||||
| CVE-2016-3946 | 1 Sap | 1 Sapconsole | 2016-11-28 | 4.6 MEDIUM | 7.8 HIGH |
| SAP Console (aka SAPConsole) 7.30 allows local users to discover SAP Server login credentials by reading the Windows registry, aka SAP Security Note 2121461. | |||||
| CVE-2016-1927 | 1 Phpmyadmin | 1 Phpmyadmin | 2016-11-28 | 5.0 MEDIUM | 7.5 HIGH |
| The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. | |||||