Total
491 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-31002 | 1 Ibm | 1 Security Access Manager Container | 2024-02-10 | N/A | 5.5 MEDIUM |
| IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657. | |||||
| CVE-2002-1800 | 1 Phprank | 1 Phprank | 2024-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| phpRank 1.8 stores the administrative password in plaintext on the server and in the "ap" cookie, which allows remote attackers to retrieve the administrative password. | |||||
| CVE-2001-1536 | 1 Audiogalaxy | 1 Audiogalaxy | 2024-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| Autogalaxy stores usernames and passwords in cleartext in cookies, which makes it easier for remote attackers to obtain authentication information and gain unauthorized access via sniffing or a cross-site scripting attack. | |||||
| CVE-2023-51702 | 1 Apache | 2 Airflow, Airflow Cncf Kubernetes | 2024-01-30 | N/A | 6.5 MEDIUM |
| Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configuration dictionary will be logged as plain text in the triggerer service without masking. This allows anyone with access to the metadata or triggerer log to obtain the configuration file and use it to access the Kubernetes cluster. This behavior was changed in version 7.0.0, which stopped serializing the file contents and started providing the file path instead to read the contents into the trigger. Users are recommended to upgrade to version 7.0.0, which fixes this issue. | |||||
| CVE-2023-20207 | 1 Duo | 1 Authentication Proxy | 2024-01-25 | N/A | 6.5 MEDIUM |
| A vulnerability in the logging component of Cisco Duo Authentication Proxy could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. This vulnerability exists because certain unencrypted credentials are stored. An attacker could exploit this vulnerability by accessing the logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to view sensitive information in clear text. | |||||
| CVE-2023-5384 | 2 Infinispan, Redhat | 3 Infinispan, Data Grid, Jboss Data Grid | 2024-01-25 | N/A | 2.7 LOW |
| A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration. | |||||
| CVE-2023-27098 | 1 Tp-link | 2 Tapo, Tapo C200 | 2024-01-12 | N/A | 7.5 HIGH |
| TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel. | |||||
| CVE-2023-41335 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2024-01-07 | N/A | 3.7 LOW |
| Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-40238 | 1 Insyde | 1 Insydeh2o | 2024-01-05 | N/A | 5.5 MEDIUM |
| A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression. | |||||
| CVE-2023-6250 | 1 Bestwebsoft | 1 Like \& Share | 2024-01-02 | N/A | 7.5 HIGH |
| The BestWebSoft's Like & Share WordPress plugin before 2.74 discloses the content of password protected posts to unauthenticated users via a meta tag | |||||
| CVE-2023-50294 | 1 Weseek | 1 Growi | 2024-01-02 | N/A | 6.5 MEDIUM |
| The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page. | |||||
| CVE-2020-12801 | 2 Libreoffice, Opensuse | 2 Libreoffice, Leap | 2023-12-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3. | |||||
| CVE-2023-50719 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 7.5 HIGH |
| XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-2809 | 1 Sage | 1 Sage 200 Spain | 2023-12-19 | N/A | 9.8 CRITICAL |
| Plaintext credential usage vulnerability in Sage 200 Spain 2023.38.001 version, the exploitation of which could allow a remote attacker to extract SQL database credentials from the DLL application. This vulnerability could be linked to known techniques to obtain remote execution of MS SQL commands and escalate privileges on Windows systems because the credentials are stored in plaintext. | |||||
| CVE-2023-50776 | 1 Jenkins | 1 Paaslane Estimate | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-50777 | 1 Jenkins | 1 Paaslane Estimate | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2023-50772 | 1 Jenkins | 1 Dingding Json Pusher | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-50773 | 1 Jenkins | 1 Dingding Json Pusher | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2022-46141 | 1 Siemens | 1 Simatic Step 7 | 2023-12-15 | N/A | 5.5 MEDIUM |
| A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions < V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application. | |||||
| CVE-2015-8314 | 1 Heartcombo | 1 Devise | 2023-12-14 | N/A | 7.5 HIGH |
| The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access. | |||||