Total
493 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-11384 | 1 Zalora | 1 Zalora | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
The Zalora application 6.15.1 for Android stores confidential information insecurely on the system (i.e. plain text), which allows a non-root user to find out the username/password of a valid user via /data/data/com.zalora.android/shared_prefs/login_data.xml. | |||||
CVE-2018-17489 | 1 Hidglobal | 1 Easylobby Solo | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
EasyLobby Solo could allow a local attacker to obtain sensitive information, caused by the storing of the social security number in plaintext. By visiting the kiosk and viewing the Visitor table of the database, an attacker could exploit this vulnerability to view stored social security numbers. | |||||
CVE-2019-11966 | 1 Hp | 1 Intelligent Management Center | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
A remote privilege escalation vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||
CVE-2019-13099 | 1 Momo Project | 1 Momo | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The Momo application 2.1.9 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user and a user's access token via Logcat. | |||||
CVE-2019-13100 | 1 Send-anywhere | 1 Send Anywhere | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The Send Anywhere application 9.4.18 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user via /data/data/com.estmob.android.sendanywhere/shared_prefs/sendanywhere_device.xml. | |||||
CVE-2018-19981 | 1 Amazon | 1 Aws Software Development Kit | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have "root" privilege access to the Android filesystem in order to exploit this vulnerability (i.e. the device has been compromised, such as disabling or bypassing Android's fundamental security mechanisms). | |||||
CVE-2019-3612 | 1 Mcafee | 2 Data Exchange Layer, Threat Intelligence Exchange | 2023-12-10 | 2.1 LOW | 4.4 MEDIUM |
Information Disclosure vulnerability in McAfee DXL Platform and TIE Server in DXL prior to 5.0.1 HF2 and TIE prior to 2.3.1 HF1 allows Authenticated users to view sensitive information in plain text via the GUI or command line. | |||||
CVE-2018-2028 | 1 Ibm | 10 Control Desk, Maximo Asset Management, Maximo For Aviation and 7 more | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Maximo Asset Management 7.6 could allow a an authenticated user to replace a target page with a phishing site which could allow the attacker to obtain highly sensitive information. IBM X-Force ID: 155554. | |||||
CVE-2019-3937 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2023-12-10 | 2.1 LOW | 7.8 HIGH |
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, slideshow passcode, and other configuration options in cleartext in the file /tmp/scfgdndf. A local attacker can use this vulnerability to recover sensitive data. | |||||
CVE-2019-10350 | 1 Jenkins | 1 Port Allocator | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
CVE-2019-15508 | 1 Octopus | 2 Server, Tentacle | 2023-12-10 | 3.5 LOW | 6.5 MEDIUM |
In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7. | |||||
CVE-2019-13096 | 1 Tronlink | 1 Wallet | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/<wallet-name>.xml to gain unauthorized access. | |||||
CVE-2018-12572 | 1 Avast | 1 Free Antivirus | 2023-12-10 | 2.1 LOW | 7.8 HIGH |
Avast Free Antivirus prior to 19.1.2360 stores user credentials in memory upon login, which allows local users to obtain sensitive information by dumping AvastUI.exe application memory and parsing the data. | |||||
CVE-2019-15947 | 1 Bitcoin | 1 Bitcoin Core | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command. | |||||
CVE-2018-17499 | 1 Envoy | 1 Passport | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of unencrypted data in logs. An attacker could exploit this vulnerability to obtain two API keys, a token and other sensitive information. | |||||
CVE-2019-15507 | 1 Octopus | 1 Server | 2023-12-10 | 3.5 LOW | 6.5 MEDIUM |
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8. | |||||
CVE-2018-20008 | 1 Iball | 2 Ib-wrb302n, Ib-wrb302n Firmware | 2023-12-10 | 2.1 LOW | 6.8 MEDIUM |
iBall Baton iB-WRB302N20122017 devices have improper access control over the UART interface, allowing physical attackers to discover Wi-Fi credentials (plain text) and the web-console password (base64) via the debugging console. | |||||
CVE-2019-10351 | 1 Jenkins | 1 Caliper Ci | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
CVE-2019-5810 | 4 Debian, Fedoraproject, Google and 1 more | 5 Debian Linux, Fedora, Chrome and 2 more | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Information leak in autofill in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||||
CVE-2019-0285 | 1 Sap | 1 Crystal Reports | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information including credentials which can be misused by the attacker. |