Search
Total
337 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-3612 | 1 Mcafee | 2 Data Exchange Layer, Threat Intelligence Exchange | 2020-08-24 | 2.1 LOW | 4.4 MEDIUM |
| Information Disclosure vulnerability in McAfee DXL Platform and TIE Server in DXL prior to 5.0.1 HF2 and TIE prior to 2.3.1 HF1 allows Authenticated users to view sensitive information in plain text via the GUI or command line. | |||||
| CVE-2019-3606 | 1 Mcafee | 1 Network Security Manager | 2020-08-24 | 1.9 LOW | 4.1 MEDIUM |
| Data Leakage Attacks vulnerability in the web portal component when in an MDR pair in McAfee Network Security Management (NSM) 9.1 < 9.1.7.75 (Update 4) and 9.2 < 9.2.7.31 Update2 allows administrators to view configuration information in plain text format via the GUI or GUI terminal commands. | |||||
| CVE-2019-13100 | 1 Send-anywhere | 1 Send Anywhere | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Send Anywhere application 9.4.18 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user via /data/data/com.estmob.android.sendanywhere/shared_prefs/sendanywhere_device.xml. | |||||
| CVE-2019-13099 | 1 Momo Project | 1 Momo | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Momo application 2.1.9 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user and a user's access token via Logcat. | |||||
| CVE-2019-11966 | 1 Hp | 1 Intelligent Management Center | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| A remote privilege escalation vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||
| CVE-2019-11384 | 1 Zalora | 1 Zalora | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Zalora application 6.15.1 for Android stores confidential information insecurely on the system (i.e. plain text), which allows a non-root user to find out the username/password of a valid user via /data/data/com.zalora.android/shared_prefs/login_data.xml. | |||||
| CVE-2018-12572 | 1 Avast | 1 Free Antivirus | 2020-08-24 | 2.1 LOW | 7.8 HIGH |
| Avast Free Antivirus prior to 19.1.2360 stores user credentials in memory upon login, which allows local users to obtain sensitive information by dumping AvastUI.exe application memory and parsing the data. | |||||
| CVE-2019-0285 | 1 Sap | 1 Crystal Reports | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information including credentials which can be misused by the attacker. | |||||
| CVE-2020-17495 | 1 Django-celery-results Project | 1 Django-celery-results | 2020-08-14 | 5.0 MEDIUM | 7.5 HIGH |
| django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. | |||||
| CVE-2020-15085 | 1 Mirumee | 1 Saleor | 2020-07-28 | 2.1 LOW | 6.1 MEDIUM |
| In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront. | |||||
| CVE-2020-7517 | 1 Schneider-electric | 1 Easergy Builder | 2020-07-27 | 2.1 LOW | 5.5 MEDIUM |
| A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to read user credentials. | |||||
| CVE-2020-4369 | 1 Ibm | 1 Verify Gateway | 2020-07-24 | 2.1 LOW | 5.5 MEDIUM |
| IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 stores highly sensitive information in cleartext that could be obtained by a user. IBM X-Force ID: 179004. | |||||
| CVE-2020-15105 | 1 Django Two-factor Authentication Project | 1 Django Two-factor Authentication | 2020-07-21 | 3.6 LOW | 5.4 MEDIUM |
| Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading. | |||||
| CVE-2019-4676 | 1 Ibm | 1 Security Identity Manager Virtual Appliance | 2020-07-02 | 2.1 LOW | 7.8 HIGH |
| IBM Security Identity Manager Virtual Appliance 7.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 171512. | |||||
| CVE-2020-14017 | 1 Naviwebs | 1 Navigate Cms | 2020-06-29 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well as associated information such as CSRF tokens, are stored in cleartext files in the directory /private/sessions. An unauthenticated user could use a brute-force approach to attempt to identify existing sessions, or view the contents of this file to discover details about a session. | |||||
| CVE-2020-7513 | 1 Schneider-electric | 2 Easergy T300, Easergy T300 Firmware | 2020-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to intercept traffic and read configuration data. | |||||
| CVE-2020-9462 | 1 Homey | 4 Homey, Homey Firmware, Homey Pro and 1 more | 2020-06-10 | 3.3 LOW | 4.3 MEDIUM |
| An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks. | |||||
| CVE-2017-3214 | 1 Milwaukeetool | 1 One-key | 2020-05-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary. | |||||
| CVE-2020-12859 | 1 Health | 1 Covidsafe | 2020-05-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 allow a remote attacker to identify a device model by observing cleartext payload data. This allows re-identification of devices, especially less common phone models or those in low-density situations. | |||||
| CVE-2020-10706 | 1 Redhat | 1 Openshift Container Platform | 2020-05-14 | 4.6 MEDIUM | 6.6 MEDIUM |
| A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid. | |||||
| CVE-2020-11415 | 1 Sonatype | 1 Nexus Repository Manager | 2020-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext. | |||||
| CVE-2020-2177 | 1 Jenkins | 1 Copr | 2020-04-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-5723 | 1 Grandstream | 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more | 2020-04-01 | 5.0 MEDIUM | 9.8 CRITICAL |
| The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges. | |||||
| CVE-2020-10532 | 1 Watchguard | 1 Ad Helper Firmware | 2020-03-20 | 5.0 MEDIUM | 7.5 HIGH |
| The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext passwords via the /domains/list URI. | |||||
| CVE-2020-6980 | 1 Rockwellautomation | 6 Micrologix 1100, Micrologix 1100 Firmware, Micrologix 1400 and 3 more | 2020-03-20 | 2.1 LOW | 3.3 LOW |
| Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project may be able to gather SMTP server authentication data as it is written to the project file in cleartext. | |||||
| CVE-2020-2154 | 1 Jenkins | 1 Zephyr For Jira Test Management | 2020-03-09 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system. | |||||
| CVE-2019-15023 | 1 Zingbox | 1 Inspector | 2020-02-17 | 5.0 MEDIUM | 7.5 HIGH |
| A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that results in passwords for 3rd party integrations being stored in cleartext in device configuration. | |||||
| CVE-2008-7272 | 1 Getfiregpg | 1 Firegpg | 2020-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| FireGPG before 0.6 handle user’s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users’s private key. | |||||
| CVE-2013-2680 | 1 Cisco | 2 Linksys E4200, Linksys E4200 Firmware | 2020-02-07 | 5.0 MEDIUM | 7.5 HIGH |
| Cisco Linksys E4200 1.0.05 Build 7 devices store passwords in cleartext allowing remote attackers to obtain sensitive information. | |||||
| CVE-2020-7213 | 1 Parallels | 1 Parallels | 2020-01-29 | 7.6 HIGH | 7.5 HIGH |
| Parallels 13 uses cleartext HTTP as part of the update process, allowing man-in-the-middle attacks. Users of out-of-date versions are presented with a pop-up window for a parallels_updates.xml file on the http://update.parallels.com web site. | |||||
| CVE-2010-3282 | 3 Fedoraproject, Hp, Redhat | 4 389 Directory Server, Hp-ux Directory Server, Directory Server and 1 more | 2020-01-29 | 1.9 LOW | 3.3 LOW |
| 389 Directory Server before 1.2.7.1 (aka Red Hat Directory Server 8.2) and HP-UX Directory Server before B.08.10.03, when audit logging is enabled, logs the Directory Manager password (nsslapd-rootpw) in cleartext when changing cn=config:nsslapd-rootpw, which might allow local users to obtain sensitive information by reading the log. | |||||
| CVE-2009-5068 | 1 Simplemachines | 1 Simple Machines Forum | 2020-01-23 | 3.5 LOW | 7.2 HIGH |
| There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several "co-admins" that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the filesystem and therefore gain new privileges by reading the settings.php with the database passwords. | |||||
| CVE-2011-5247 | 1 Prophecyinternational | 1 Snare | 2020-01-21 | 5.0 MEDIUM | 7.5 HIGH |
| Snare for Linux before 1.7.0 has password disclosure because the rendered page contains the field RemotePassword. | |||||
| CVE-2019-19314 | 1 Gitlab | 1 Gitlab | 2020-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext. | |||||
| CVE-2019-14890 | 1 Redhat | 1 Ansible Tower | 2019-12-17 | 2.1 LOW | 8.4 HIGH |
| A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license. | |||||
| CVE-2019-19228 | 1 Fronius | 132 Datamanager Box 2.0, Datamanager Box 2.0 Firmware, Eco 25.0-3-s and 129 more | 2019-12-16 | 5.0 MEDIUM | 9.8 CRITICAL |
| Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow attackers to bypass authentication because the password for the today account is stored in the /tmp/web_users.conf file. | |||||
| CVE-2019-6670 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2019-12-12 | 2.1 LOW | 4.4 MEDIUM |
| On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.1-11.6.5, vCMP hypervisors are incorrectly exposing the plaintext unit key for their vCMP guests on the filesystem. | |||||
| CVE-2016-3192 | 1 Cloudera | 1 Cloudera Manager | 2019-12-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cloudera Manager 5.x before 5.7.1 places Sensitive Data in cleartext Readable Files. | |||||
| CVE-2011-2916 | 1 Qtnx Project | 1 Qtnx | 2019-11-22 | 2.1 LOW | 5.5 MEDIUM |
| qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file. If a user has a world-readable or world-executable home directory, another local system user could obtain the private key used to connect to remote NX sessions. | |||||
| CVE-2019-8118 | 1 Magento | 1 Magento | 2019-11-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts. | |||||
| CVE-2019-10443 | 1 Jenkins | 1 Icescrum | 2019-10-30 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10440 | 1 Jenkins | 1 Neoload | 2019-10-30 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10451 | 1 Jenkins | 1 Soasta Cloudtest | 2019-10-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10447 | 1 Jenkins | 1 Sofy.ai | 2019-10-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10449 | 1 Jenkins | 1 Fortify On Demand | 2019-10-18 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10450 | 1 Jenkins | 1 Elasticbox Ci | 2019-10-18 | 2.1 LOW | 3.3 LOW |
| Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10452 | 1 Jenkins | 1 View26 Test-reporting | 2019-10-18 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10453 | 1 Jenkins | 1 Delphix | 2019-10-18 | 2.1 LOW | 7.8 HIGH |
| Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-17106 | 1 Centreon | 1 Centreon Web | 2019-10-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components. | |||||
| CVE-2019-4566 | 1 Ibm | 1 Security Key Lifecycle Manager | 2019-10-09 | 2.1 LOW | 7.8 HIGH |
| IBM Security Key Lifecycle Manager 3.0 and 3.0.1 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 166627. | |||||