Total: 725 CVE
CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2015-7259 | 1 Zte | 2 Zxv10 W300, Zxv10 W300 Firmware | 2023-12-10 | 9.0 HIGH | 8.8 HIGH | ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and password pairs. |
CVE-2016-7030 | 1 Freeipa | 1 Freeipa | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | FreeIPA uses a default password policy that locks an account after 5 unsuccessful authentication attempts, which allows remote attackers to cause a denial of service by locking out the account under which system services run. |
CVE-2016-2972 | 1 Ibm | 1 Sametime | 2023-12-10 | 2.1 LOW | 7.8 HIGH | IBM Sametime Meeting Server 8.5.2 and 9.0 could store credentials of the Sametime Meetings user in the local cache of their browser which could be accessed by a local user. IBM X-Force ID: 113855. |
CVE-2015-4684 | 1 Polycom | 1 Realpresence Resource Manager | 2023-12-10 | 5.5 MEDIUM | 6.5 MEDIUM | Multiple directory traversal vulnerabilities in Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allow (1) remote authenticated users to read arbitrary files via a .. (dot dot) in the Modifier parameter to PlcmRmWeb/FileDownload; or remote authenticated administrators to upload arbitrary files via the (2) Filename or (3) SE_FNAME parameter to PlcmRmWeb/FileUpload or to read and remove arbitrary files via the (4) filePathName parameter in an importSipUriReservations SOAP request to PlcmRmWeb/JUserManager. |
CVE-2016-10401 | 1 Zyxel | 2 Pk5001z, Pk5001z Firmware | 2023-12-10 | 9.0 HIGH | 8.8 HIGH | ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices). |
CVE-2014-8357 | 1 Dasanzhone | 2 Znid 2426a, Znid 2426a Firmware | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH | backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf. |
CVE-2016-5411 | 1 Redhat | 2 Enterprise Linux, Quickstart Cloud Installer | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | /var/lib/ovirt-engine/setup/engine-DC-config.py in Red Hat QuickStart Cloud Installer (QCI) before 1.0 GA is created world readable and contains the root password of the deployed system. |
CVE-2016-6815 | 1 Apache | 1 Ranger | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM | In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role. |
CVE-2015-8009 | 1 Mediawiki | 1 Mediawiki | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials. |
CVE-2016-1265 | 1 Juniper | 1 Junos Space | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery (CSRF), default authentication credentials, information leak and command injection attack vectors. All versions of Juniper Networks Junos Space prior to 15.1R3 are affected. |
CVE-2014-5002 | 1 Lynx Project | 1 Lynx | 2023-12-10 | 2.1 LOW | 7.8 HIGH | The lynx gem before 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes. |
CVE-2016-3704 | 2 Fedoraproject, Pulpproject | 2 Fedora, Pulp | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords. |
CVE-2016-6093 | 1 Ibm | 2 Security Key Lifecycle Manager, Tivoli Key Lifecycle Manager | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | IBM Tivoli Key Lifecycle Manager does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. |
CVE-2016-6904 | 1 Netapp | 1 Vasa Provider | 2023-12-10 | 4.3 MEDIUM | 8.1 HIGH | Versions of VASA Provider for Clustered Data ONTAP prior to 7.0P1 contain a web server that accepts plain text authentication. This could allow an unauthenticated attacker to obtain authentication credentials. |
CVE-2015-4681 | 1 Polycom | 1 Realpresence Resource Manager | 2023-12-10 | 7.2 HIGH | 7.8 HIGH | Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users to have unspecified impact via vectors related to weak passwords. |
CVE-2016-10512 | 1 Multitech | 1 Faxfinder | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL | MultiTech FaxFinder before 4.1.2 stores passwords unencrypted for maintaining the test connectivity function of its LDAP configuration. These credentials are retrieved by the system when the LDAP configuration page is opened and are embedded directly into the HTML source code in cleartext. |
CVE-2016-7062 | 1 Redhat | 2 Storage Console, Storage Console Node | 2023-12-10 | 2.1 LOW | 7.8 HIGH | rhscon-ceph in Red Hat Storage Console 2 x86_64 and Red Hat Storage Console Node 2 x86_64 allows local users to obtain the password as cleartext. |
CVE-2016-5890 | 1 Ibm | 1 Sterling B2b Integrator | 2023-12-10 | 3.5 LOW | 5.3 MEDIUM | IBM Sterling B2B Integrator 5.2 before 5020500_14 and 5.2 06 before 5020602_1 allows remote authenticated users to change arbitrary passwords via unspecified vectors. |
CVE-2016-8375 | 1 Bd | 1 Alaris 8015 Pc Unit | 2023-12-10 | 1.9 LOW | 4.9 MEDIUM | An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. |
CVE-2016-3685 | 3 Apple, Microsoft, Sap | 3 Macos, Windows, Download Manager | 2023-12-10 | 1.9 LOW | 4.7 MEDIUM | SAP Download Manager 2.1.142 and earlier generates an encryption key from a small key space on Windows and Mac systems, which allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of a hardcoded key in the program code and a computer BIOS serial number, aka SAP Security Note 2282338. |
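The Pulp entry (CVE-2016-3704) flags bash's $RANDOM as unfit for generating passwords. The bash script below is an added example and is not Pulp's code: `weak_password` is a hypothetical generator built on one $RANDOM draw (a 15-bit value, 0..32767, from a non-cryptographic generator), `crack_weak` recovers that draw by enumerating every one of the 32768 candidates offline, and `strong_password` shows the corrected form, 256 bits from the kernel CSPRNG. The `pulp-%05d` password shape is an assumption made for illustration only.

```bash
#!/usr/bin/env bash
# Added example, not Pulp's code: why a $RANDOM-derived password is weak.
# $RANDOM is a 15-bit value (0..32767), so a password derived from one draw
# has at most 32768 candidates regardless of how long the string looks.

# Hypothetical weak generator (illustrative shape, not Pulp's real scheme).
weak_password() {
    printf 'pulp-%05d' "$RANDOM"
}

# Size of the candidate set the weak scheme can ever produce: 2^15.
weak_keyspace() { echo 32768; }
weak_entropy_bits() { echo 15; }

# Offline enumeration: regenerate all 32768 candidates, find the one that
# matches, and report the $RANDOM draw behind it. Returns 1 if no match.
crack_weak() {
    target=$1
    line=$(i=0; while [ "$i" -le 32767 ]; do
               printf 'pulp-%05d\n' "$i"; i=$((i + 1))
           done | grep -n -x -F -- "$target" | cut -d: -f1)
    [ -n "$line" ] || return 1
    echo $((line - 1))          # line 1 corresponds to draw 0
}

# Corrected form: 32 bytes (256 bits) from /dev/urandom, URL-safe base64,
# padding and newline removed, giving a 43-character string.
strong_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}
strong_entropy_bits() { echo 256; }

# Self-check on the strong generator: exactly 43 URL-safe characters.
check_strong() {
    p=$(strong_password)
    [ "${#p}" -eq 43 ] || return 1
    [ -z "$(printf '%s' "$p" | tr -d 'A-Za-z0-9_-')" ]
}

# Demo: generate a weak password, then recover its seed by enumeration.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    w=$(weak_password)
    echo "weak:   $w  (draw recovered: $(crack_weak "$w"), keyspace $(weak_keyspace))"
    echo "strong: $(strong_password)  ($(strong_entropy_bits) bits)"
fi
```

The enumeration in `crack_weak` finishes in well under a second; that is the whole point. Also, seeding or mixing several $RANDOM draws does not help much, since bash's generator is a small linear congruential generator and later draws are predictable from earlier ones.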
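The lynx gem entry (CVE-2014-5002) describes a password exposed through process listing. The bash script below is an added example and is not the gem's code: it starts a placeholder child with a secret on its argv, reads what `ps` or `/proc/<pid>/cmdline` publishes to any local user, and contrasts that with handing the secret to the child through its environment. The `--password=` argument and the `sleep` child are stand-ins, not the gem's actual interface.

```bash
#!/usr/bin/env bash
# Added example, not the lynx gem's code: argv is world-readable, the
# environment is not. Any local user can run ps or read /proc/<pid>/cmdline,
# so a password placed on a command line is leaked to everyone on the host.

# Command line of a running process as other users would see it.
visible_cmdline() {
    pid=$1
    if [ -r "/proc/$pid/cmdline" ]; then
        tr '\0' ' ' < "/proc/$pid/cmdline"
    else
        ps -o args= -p "$pid"
    fi
}

# Launch a child the vulnerable way: secret on argv. Returns 0 if the secret
# shows up in the process listing. The two-command string keeps sh from
# exec'ing sleep directly, so the sh process (and its argv) stays visible.
secret_on_argv_is_visible() {
    secret=$1
    sh -c 'sleep 5; :' placeholder "--password=$secret" &
    pid=$!
    sleep 1                                  # let the child exec before reading
    seen=$(visible_cmdline "$pid")
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null || true
    case $seen in *"$secret"*) return 0 ;; *) return 1 ;; esac
}

# Hardened: pass the secret in the child's environment only. Returns 0 if it
# nevertheless appears in the process listing (it should not).
secret_in_env_is_visible() {
    secret=$1
    PASSWORD="$secret" sh -c 'sleep 5; :' &
    pid=$!
    sleep 1
    seen=$(visible_cmdline "$pid")
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null || true
    case $seen in *"$secret"*) return 0 ;; *) return 1 ;; esac
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    s=hunter2   # constructed sample secret
    secret_on_argv_is_visible "$s" && echo "argv: secret visible in process list"
    secret_in_env_is_visible "$s" || echo "env:  secret not in process list"
fi
```

The environment is still readable by the same user and by root through `/proc/<pid>/environ`, so for tooling that runs under a shared account, stdin or a file with mode 0600 is the better channel; the point here is only that argv is the one channel every local user can read.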