Search
Total
811 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10706 | 1 Westerndigital | 118 Sandisk X300 Sd7sb6s-128g, Sandisk X300 Sd7sb6s-128g Firmware, Sandisk X300 Sd7sb6s-256g and 115 more | 2020-03-13 | 6.3 MEDIUM | 6.3 MEDIUM |
| Western Digital SanDisk SanDisk X300, X300s, X400, and X600 devices: The firmware update authentication method relies on a symmetric HMAC digest. The key used to validate this digest is present in a protected area of the device, and if extracted could be used to install arbitrary firmware to other devices. | |||||
| CVE-2019-10705 | 1 Westerndigital | 40 Sandisk X600 Sd9sb8w-128g, Sandisk X600 Sd9sb8w-128g Firmware, Sandisk X600 Sd9sb8w-1t00 and 37 more | 2020-03-13 | 4.3 MEDIUM | 7.5 HIGH |
| Western Digital SanDisk X600 devices in certain configurations, a vulnerability in the access control mechanism of the drive may allow data to be decrypted without knowledge of proper authentication credentials. | |||||
| CVE-2019-5648 | 1 Barracuda | 2 Load Balancer Adc, Load Balancer Adc Firmware | 2020-03-12 | 5.5 MEDIUM | 6.5 MEDIUM |
| Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system, without having to re-enter LDAP credentials. These steps can be used by any authenticated administrative user to expose the LDAP credentials configured in the LDAP connector over the network. | |||||
| CVE-2020-2145 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2020-03-10 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system. | |||||
| CVE-2014-4659 | 1 Redhat | 1 Ansible | 2020-02-25 | 2.1 LOW | 5.5 MEDIUM |
| Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. | |||||
| CVE-2014-4660 | 1 Redhat | 1 Ansible | 2020-02-25 | 2.1 LOW | 5.5 MEDIUM |
| Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format. | |||||
| CVE-2017-7510 | 1 Redhat | 1 Ovirt-engine | 2020-02-18 | 4.0 MEDIUM | 8.8 HIGH |
| In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface. | |||||
| CVE-2020-6969 | 1 Automationdirect | 22 C-more Ea9-rhi, C-more Ea9-rhi Firmware, C-more Ea9-t10cl and 19 more | 2020-02-14 | 10.0 HIGH | 9.8 CRITICAL |
| It is possible to unmask credentials and other sensitive information on “unprotected” project files, which may allow an attacker to remotely access the C-More Touch Panels EA9 series: firmware versions prior to 6.53 and manipulate system configurations. | |||||
| CVE-2020-2119 | 1 Jenkins | 1 Azure Ad | 2020-02-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2020-2114 | 1 Jenkins | 1 S3 Publisher | 2020-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2020-2129 | 1 Jenkins | 1 Eagle Tester | 2020-02-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. | |||||
| CVE-2020-2130 | 1 Jenkins | 1 Harvest Scm | 2020-02-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. | |||||
| CVE-2020-2131 | 1 Jenkins | 1 Harvest Scm | 2020-02-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2132 | 1 Jenkins | 1 Parasoft Environment Manager | 2020-02-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2133 | 1 Jenkins | 1 Applatix | 2020-02-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2127 | 1 Jenkins | 1 Bmc Release Package And Deployment | 2020-02-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2020-2128 | 1 Jenkins | 1 Ecx Copy Data Management | 2020-02-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2020-2125 | 1 Jenkins | 1 Debian Package Builder | 2020-02-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. | |||||
| CVE-2020-2126 | 1 Jenkins | 1 Digitalocean | 2020-02-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system. | |||||
| CVE-2020-2124 | 1 Jenkins | 1 Dynamic Extended Choice Parameter | 2020-02-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2013-5113 | 1 Logmein | 1 Lastpass | 2020-02-11 | 1.9 LOW | 6.8 MEDIUM |
| LastPass prior to 2.5.1 has an insecure PIN implementation. | |||||
| CVE-2019-19539 | 1 Hp | 3 Web Viewpoint T0320, Web Viewpoint T0952, Web Viewpoint T0986 | 2020-02-07 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in Idelji Web ViewPoint H01ABO-H01BY and L01ABP-L01ABZ, Web ViewPoint Plus H01AAG-H01AAQ and L01AAH-L01AAR, and Web ViewPoint Enterprise H01-H01AAE and L01-L01AAF. By reading ADB or AADB file content within the Installation subvolume, a Guardian user can discover the password of the group.user or alias who acknowledges events from the WVP Events screen. | |||||
| CVE-2019-19823 | 11 Ciktel, Coship, Fg-products and 8 more | 36 Mesh Router, Mesh Router Firmware, Emta Ap and 33 more | 2020-02-06 | 5.0 MEDIUM | 7.5 HIGH |
| A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12. | |||||
| CVE-2013-2672 | 1 Brother | 2 Mfc-9970cdw, Mfc-9970cdw Firmware | 2020-02-05 | 5.0 MEDIUM | 7.5 HIGH |
| Brother MFC-9970CDW devices with firmware 0D allow cleartext submission of passwords. | |||||
| CVE-2013-7052 | 1 D-link | 2 Dir-100, Dir-100 Firmware | 2020-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script | |||||
| CVE-2013-7055 | 1 D-link | 2 Dir-100, Dir-100 Firmware | 2020-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| D-Link DIR-100 4.03B07 has PPTP and poe information disclosure | |||||
| CVE-2020-7909 | 1 Jetbrains | 1 Teamcity | 2020-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains TeamCity before 2019.1.5, some server-stored passwords could be shown via the web UI. | |||||
| CVE-2014-3445 | 1 Handsomeweb | 1 Sos Webpages | 2020-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require knowledge of the cleartext password, which allows remote attackers to bypass authentication by leveraging knowledge of the administrator password hash. | |||||
| CVE-2020-2107 | 1 Jenkins | 1 Fortify | 2020-01-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2014-2581 | 2 Fedoraproject, Smb4k Project | 2 Fedora, Smb4k | 2020-01-30 | 5.0 MEDIUM | 7.5 HIGH |
| Smb4K before 1.1.1 allows remote attackers to obtain credentials via vectors related to the cuid option in the "Additional options" line edit. | |||||
| CVE-2012-6663 | 1 Ge | 4 D200, D200 Firmware, D20me and 1 more | 2020-01-28 | 5.0 MEDIUM | 7.5 HIGH |
| General Electric D20ME devices are not properly configured and reveal plaintext passwords. | |||||
| CVE-2014-5381 | 1 Granding | 2 Grand Ma300, Grand Ma300 Firmware | 2020-01-15 | 5.0 MEDIUM | 9.8 CRITICAL |
| Grand MA 300 allows a brute-force attack on the PIN. | |||||
| CVE-2012-3823 | 1 Arialsoftware | 1 Campaign Enterprise | 2020-01-15 | 5.0 MEDIUM | 7.5 HIGH |
| Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved. | |||||
| CVE-2019-10205 | 1 Redhat | 1 Quay | 2020-01-15 | 4.6 MEDIUM | 6.3 MEDIUM |
| A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry. | |||||
| CVE-2019-5990 | 1 Anglers-net | 1 Cgi An-anlyzer | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allow remote attackers to obtain a login password via HTTP referer. | |||||
| CVE-2013-3620 | 2 Citrix, Supermicro | 10 Netscaler, Netscaler Firmware, Netscaler Sd-wan and 7 more | 2020-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| Hardcoded WSMan credentials in Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before 3.15 (SMT_X9_315) and firmware for Supermicro X8 generation motherboards before SMT X8 312. | |||||
| CVE-2014-5093 | 1 Status2k | 1 Status2k | 2020-01-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Status2k does not remove the install directory allowing credential reset. | |||||
| CVE-2019-4508 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2020-01-13 | 2.1 LOW | 7.8 HIGH |
| IBM QRadar SIEM 7.3.0 through 7.3.3 uses weak credential storage in some instances which could be decrypted by a local attacker. IBM X-Force ID: 164429. | |||||
| CVE-2019-19310 | 1 Gitlab | 1 Gitlab | 2020-01-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure. | |||||
| CVE-2019-20047 | 1 Al-enterprise | 2 Omnivista 4760, Omnivista 8770 | 2020-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and 8770 devices before 4.1.2. An incorrect web server configuration allows a remote unauthenticated attacker to retrieve the content of its own session files. Every session file contains the administrative LDAP credentials encoded in a reversible format. Sessions are stored in /sessions/sess_<sessionid>. | |||||
| CVE-2019-3663 | 1 Mcafee | 1 Advanced Threat Defense | 2020-01-07 | 2.1 LOW | 7.8 HIGH |
| Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system. This was originally published with a CVSS rating of High, further investigation has resulted in this being updated to Critical. The root password is common across all instances of ATD prior to 4.8. See the Security bulletin for further details | |||||
| CVE-2019-16557 | 1 Jenkins | 1 Redgate Sql Change Automation | 2020-01-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-16556 | 1 Jenkins | 1 Rundeck | 2020-01-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-6024 | 1 Rakuten | 1 Rakuma | 2020-01-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Rakuma App for Android version 7.15.0 and earlier, and for iOS version 7.16.4 and earlier allows an attacker to bypass authentication and obtain the user's authentication information via a malicious application created by the third party. | |||||
| CVE-2019-19687 | 1 Openstack | 1 Keystone | 2019-12-20 | 3.5 LOW | 8.8 HIGH |
| OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) | |||||
| CVE-2014-0241 | 2 Redhat, Theforeman | 2 Satellite, Hammer Cli | 2019-12-18 | 2.1 LOW | 5.5 MEDIUM |
| rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable | |||||
| CVE-2019-16572 | 1 Jenkins | 1 Weibo | 2019-12-18 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2012-5527 | 1 Claws-mail | 1 Vcalendar | 2019-12-11 | 2.1 LOW | 5.5 MEDIUM |
| Claws Mail vCalendar plugin: credentials exposed on interface | |||||
| CVE-2013-2106 | 2 Debian, Stanford | 2 Debian Linux, Webauth | 2019-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| webauth before 4.6.1 has authentication credential disclosure | |||||
| CVE-2019-16673 | 1 Weidmueller | 80 Ie-sw-pl08m-6tx-2sc, Ie-sw-pl08m-6tx-2sc Firmware, Ie-sw-pl08m-6tx-2scs and 77 more | 2019-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Passwords are stored in cleartext and can be read by anyone with access to the device. | |||||