Search
Total
811 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-0540 | 1 Intel | 1 Active Management Technology Firmware | 2020-07-22 | 5.0 MEDIUM | 7.5 HIGH |
| Insufficiently protected credentials in Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2020-2208 | 1 Jenkins | 1 Slack Upload | 2020-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-1003097 | 1 Jenkins | 1 Crowd Integration | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-1003096 | 1 Jenkins | 1 Testfairy | 2020-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2209 | 1 Jenkins | 1 Testcomplete Support | 2020-07-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2218 | 1 Hp Application Lifecycle Management Quality Center Project | 1 Hp Application Lifecycle Management Quality Center | 2020-07-08 | 2.1 LOW | 3.3 LOW |
| Jenkins HP ALM Quality Center Plugin 1.6 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. | |||||
| CVE-2020-2212 | 1 Jenkins | 1 Github Coverage Reporter | 2020-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration. | |||||
| CVE-2020-2213 | 1 Jenkins | 1 White Source | 2020-07-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system. | |||||
| CVE-2018-21248 | 1 Mattermost | 1 Mattermost Server | 2020-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials. | |||||
| CVE-2020-11681 | 1 Castel | 2 Nextgen Dvr, Nextgen Dvr Firmware | 2020-06-10 | 4.0 MEDIUM | 8.1 HIGH |
| Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials. | |||||
| CVE-2018-21237 | 1 Foxitsoftware | 1 Phantompdf | 2020-06-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows NTLM credential theft via a GoToE or GoToR action. | |||||
| CVE-2018-21239 | 1 Foxitsoftware | 2 Phantompdf, Reader | 2020-06-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Foxit Reader and PhantomPDF before 9.2. It allows NTLM credential theft via a GoToE or GoToR action. | |||||
| CVE-2014-9702 | 1 2pisoftware | 1 Cmfive | 2020-06-04 | 5.0 MEDIUM | 7.5 HIGH |
| system/classes/DbPDO.php in Cmfive through 2015-03-15, when database connectivity malfunctions, allows remote attackers to obtain sensitive information (username and password) via any request, such as a password reset request. | |||||
| CVE-2020-2198 | 1 Jenkins | 1 Project Inheritance | 2020-06-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure. | |||||
| CVE-2013-4222 | 4 Canonical, Fedoraproject, Openstack and 1 more | 4 Ubuntu Linux, Fedora, Keystone and 1 more | 2020-06-02 | 6.5 MEDIUM | N/A |
| OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token. | |||||
| CVE-2015-7546 | 2 Openstack, Oracle | 3 Keystone, Keystonemiddleware, Solaris | 2020-06-02 | 6.0 MEDIUM | 7.5 HIGH |
| The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. | |||||
| CVE-2014-8938 | 1 Piwigo | 1 Lexiglot | 2020-06-02 | 2.1 LOW | 7.8 HIGH |
| Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line. | |||||
| CVE-2020-11008 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2020-05-22 | 5.0 MEDIUM | 7.5 HIGH |
| Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability. | |||||
| CVE-2017-3214 | 1 Milwaukeetool | 1 One-key | 2020-05-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary. | |||||
| CVE-2014-1423 | 2 Signond Project, Ubports | 2 Signond, Ubuntu Touch | 2020-05-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information. | |||||
| CVE-2020-2181 | 1 Jenkins | 1 Credentials Binding | 2020-05-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. | |||||
| CVE-2020-2182 | 1 Jenkins | 1 Credentials Binding | 2020-05-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. | |||||
| CVE-2018-13822 | 1 Broadcom | 1 Project Portfolio Management | 2020-05-06 | 5.0 MEDIUM | 7.5 HIGH |
| Unprotected storage of credentials in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows attackers to access sensitive information. | |||||
| CVE-2018-11752 | 1 Puppet | 1 Cisco Ios | 2020-05-01 | 2.1 LOW | 5.5 MEDIUM |
| Previous releases of the Puppet cisco_ios module output SSH session debug information including login credentials to a world readable file on every run. These issues have been resolved in the 0.4.0 release. | |||||
| CVE-2019-19105 | 2 Abb, Busch-jaeger | 4 Tg\/s3.2, Tg\/s3.2 Firmware, 6186\/11 and 1 more | 2020-04-29 | 2.1 LOW | 5.5 MEDIUM |
| The backup function in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway saves the current settings and configuration of the application, including credentials of existing user accounts and other configuration's credentials in plaintext. | |||||
| CVE-2020-5721 | 1 Mikrotik | 1 Winbox | 2020-04-28 | 2.1 LOW | 5.5 MEDIUM |
| MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router. | |||||
| CVE-2020-9523 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2020-04-28 | 6.5 MEDIUM | 8.8 HIGH |
| Insufficiently protected credentials vulnerability on Micro Focus enterprise developer and enterprise server, affecting all version prior to 4.0 Patch Update 16, and version 5.0 Patch Update 6. The vulnerability could allow an attacker to transmit hashed credentials for the user account running the Micro Focus Directory Server (MFDS) to an arbitrary site, compromising that account's security. | |||||
| CVE-2019-4668 | 1 Ibm | 1 Urbancode Deploy | 2020-04-27 | 2.1 LOW | 5.5 MEDIUM |
| IBM UrbanCode Deploy (UCD) 7.0.4.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 171250. | |||||
| CVE-2017-18777 | 1 Netgear | 36 D6220, D6220 Firmware, D6400 and 33 more | 2020-04-24 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by administrative password disclosure. This affects D6220 before V1.0.0.28, D6400 before V1.0.0.60, D8500 before V1.0.3.29, DGN2200v4 before 1.0.0.82, DGN2200Bv4 before 1.0.0.82, R6300v2 before 1.0.4.8, R6400 before 1.0.1.20, R6700 before 1.0.1.20, R6900 before 1.0.1.20, R7000 before 1.0.7.10, R7100LG before V1.0.0.32, R7300DST before 1.0.0.52, R7900 before 1.0.1.16, R8000 before 1.0.3.36, R8300 before 1.0.2.94, R8500 before 1.0.2.94, WNDR3400v3 before 1.0.1.12, and WNR3500Lv2 before 1.2.0.40. | |||||
| CVE-2017-18843 | 1 Netgear | 6 D7000, D7000 Firmware, R6700 and 3 more | 2020-04-23 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38, R6800 before 1.1.0.38, and D7000 before 1.0.1.50. | |||||
| CVE-2017-18844 | 1 Netgear | 6 D7000, D7000 Firmware, R6700 and 3 more | 2020-04-23 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38, R6800 before 1.1.0.38, and D7000 before 1.0.1.50. | |||||
| CVE-2017-18845 | 1 Netgear | 4 R6700, R6700 Firmware, R6800 and 1 more | 2020-04-22 | 2.1 LOW | 7.8 HIGH |
| Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38 and R6800 before 1.1.0.38. | |||||
| CVE-2018-11544 | 1 Theolivetree | 1 Ftp Server | 2020-04-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Olive Tree Ftp Server application 1.32 for Android has Insecure Data Storage because a username and password are stored in the /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml file as the prefUsername and prefUserpass strings. | |||||
| CVE-2020-5406 | 1 Vmware | 1 Tanzu Application Service For Vms | 2020-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling. | |||||
| CVE-2020-11555 | 1 Castlerock | 1 Snmpc Online | 2020-04-10 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It allows remote attackers to obtain sensitive credential information from backup files. | |||||
| CVE-2020-1978 | 1 Paloaltonetworks | 2 Pan-os, Vm-series | 2020-04-10 | 1.9 LOW | 4.4 MEDIUM |
| TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials. | |||||
| CVE-2020-5263 | 1 Auth0 | 1 Auth0.js | 2020-04-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3 | |||||
| CVE-2017-18695 | 1 Google | 1 Android | 2020-04-08 | 3.5 LOW | 6.5 MEDIUM |
| An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) software. Attackers (who control a certain subdomain) can discover a user's credentials, during an email account login, via an EAS autodiscover packet. The Samsung ID is SVE-2016-7654 (January 2017). | |||||
| CVE-2020-11560 | 1 Nchsoftware | 1 Express Invoice | 2020-04-08 | 2.1 LOW | 7.8 HIGH |
| NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file. | |||||
| CVE-2016-11029 | 1 Google | 1 Android | 2020-04-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6.0), and N(7.0) software. Attackers can read the password of the Mobile Hotspot in the log because of an unprotected intent. The Samsung ID is SVE-2016-7301 (December 2016). | |||||
| CVE-2019-19096 | 1 Abb | 1 Esoms | 2020-04-03 | 3.6 LOW | 6.1 MEDIUM |
| The Redis data structure component used in ABB eSOMS versions 6.0 to 6.0.2 stores credentials in clear text. If an attacker has file system access, this can potentially compromise the credentials' confidentiality. | |||||
| CVE-2019-3942 | 1 Advantech | 1 Webaccess | 2020-04-02 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password. | |||||
| CVE-2020-11449 | 1 Technicolor | 2 Tc7337, Tc7337 Firmware | 2020-04-02 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Technicolor TC7337 8.89.17 devices. An attacker can discover admin credentials in the backup file, aka backupsettings.conf. | |||||
| CVE-2020-2164 | 1 Jfrog | 1 Artifactory | 2020-03-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. | |||||
| CVE-2020-2165 | 1 Jfrog | 1 Artifactory | 2020-03-27 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2014-6039 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2020-03-26 | 5.0 MEDIUM | 7.5 HIGH |
| ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000. | |||||
| CVE-2019-18785 | 1 Suitecrm | 1 Suitecrm | 2020-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials. | |||||
| CVE-2020-9324 | 1 Aquaforest | 1 Tiff Server | 2020-03-20 | 5.0 MEDIUM | 7.5 HIGH |
| Aquaforest TIFF Server 4.0 allows Unauthenticated SMB Hash Capture via UNC. | |||||
| CVE-2020-6961 | 1 Gehealthcare | 12 Apexpro Telemetry Server, Apexpro Telemetry Server Firmware, Carescape Central Station Mai700 and 9 more | 2020-03-17 | 7.5 HIGH | 10.0 CRITICAL |
| In ApexPro Telemetry Server, Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Telemetry Server Version 4.3, CARESCAPE Central Station (CSCS) Versions 1.X, a vulnerability exists in the affected products that could allow an attacker to obtain access to the SSH private key in configuration files. | |||||
| CVE-2019-11686 | 1 Westerndigital | 118 Sandisk X300 Sd7sb6s-128g, Sandisk X300 Sd7sb6s-128g Firmware, Sandisk X300 Sd7sb6s-256g and 115 more | 2020-03-13 | 2.1 LOW | 5.5 MEDIUM |
| Western Digital SanDisk X300, X300s, X400, and X600 devices: A vulnerability in the wear-leveling algorithm of the drive may cause cryptographically sensitive parameters (such as data encryption keys) to remain on the drive media after their intended erasure. | |||||