Total
1000 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-41677 | 2024-04-15 | N/A | 7.5 HIGH | ||
A insufficiently protected credentials in Fortinet FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17 allows attacker to execute unauthorized code or commands via targeted social engineering attack | |||||
CVE-2023-36266 | 1 Keepersecurity | 2 Keeper, Keeperfill | 2024-04-11 | N/A | 5.5 MEDIUM |
An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information). | |||||
CVE-2022-47561 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-04-11 | N/A | 5.5 MEDIUM |
The web application stores credentials in clear text in the "admin.xml" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions. | |||||
CVE-2019-6242 | 1 Kentico | 1 Kentico | 2024-04-11 | 4.0 MEDIUM | 7.2 HIGH |
Kentico v10.0.42 allows Global Administrators to read the cleartext SMTP Password by navigating to the SMTP configuration page. NOTE: the vendor considers this a best-practice violation but not a vulnerability. The vendor plans to fix it at a future time | |||||
CVE-2016-15014 | 1 Cesnet | 1 Theme-cesnet | 2024-04-11 | 1.7 LOW | 5.5 MEDIUM |
A vulnerability has been found in CESNET theme-cesnet up to 1.x on ownCloud and classified as problematic. Affected by this vulnerability is an unknown functionality of the file cesnet/core/lostpassword/templates/resetpassword.php. The manipulation leads to insufficiently protected credentials. Attacking locally is a requirement. Upgrading to version 2.0.0 is able to address this issue. The identifier of the patch is 2b857f2233ce5083b4d5bc9bfc4152f933c3e4a6. It is recommended to upgrade the affected component. The identifier VDB-217633 was assigned to this vulnerability. | |||||
CVE-2023-6916 | 2024-04-10 | N/A | 7.2 HIGH | ||
Audit records for OpenAPI requests may include sensitive information. This could lead to unauthorized accesses and privilege escalation. | |||||
CVE-2024-29992 | 2024-04-10 | N/A | 5.5 MEDIUM | ||
Azure Identity Library for .NET Information Disclosure Vulnerability | |||||
CVE-2022-47037 | 1 Siklu | 9 Tg Firmware, Tg Lr T280, Tg Mpl-261 and 6 more | 2024-04-08 | N/A | 7.5 HIGH |
Siklu TG Terragraph devices before 2.1.1 allow attackers to discover valid, randomly generated credentials via GetCredentials. | |||||
CVE-2023-50311 | 1 Ibm | 1 Cics Transaction Gateway | 2024-04-02 | N/A | 4.9 MEDIUM |
IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. IBM X-Force ID: 273612. | |||||
CVE-2024-3165 | 2024-04-02 | N/A | 4.5 MEDIUM | ||
System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment. OWASP Top 10 - A05) Insecure Design OWASP Top 10 - A05) Security Misconfiguration OWASP Top 10 - A09) Security Logging and Monitoring Failure | |||||
CVE-2021-22923 | 6 Fedoraproject, Haxx, Netapp and 3 more | 23 Fedora, Curl, Cloud Backup and 20 more | 2024-03-27 | 2.6 LOW | 5.3 MEDIUM |
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. | |||||
CVE-2022-27774 | 5 Brocade, Debian, Haxx and 2 more | 17 Fabric Operating System, Debian Linux, Curl and 14 more | 2024-03-27 | 3.5 LOW | 5.7 MEDIUM |
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers. | |||||
CVE-2022-27776 | 6 Brocade, Debian, Fedoraproject and 3 more | 18 Fabric Operating System, Debian Linux, Fedora and 15 more | 2024-03-27 | 4.3 MEDIUM | 6.5 MEDIUM |
A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. | |||||
CVE-2021-38938 | 1 Ibm | 1 Host Access Transformation Services | 2024-03-19 | N/A | 5.5 MEDIUM |
IBM Host Access Transformation Services (HATS) 9.6 through 9.6.1.4 and 9.7 through 9.7.0.3 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 210989. | |||||
CVE-2024-28110 | 2024-03-07 | N/A | 7.5 HIGH | ||
Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue. | |||||
CVE-2024-21815 | 2024-03-05 | N/A | 9.1 CRITICAL | ||
Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior. | |||||
CVE-2023-6259 | 2024-02-21 | N/A | 7.1 HIGH | ||
Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3. | |||||
CVE-2023-50291 | 1 Apache | 1 Solr | 2024-02-15 | N/A | 7.5 HIGH |
Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' | |||||
CVE-2023-4538 | 2024-02-15 | N/A | 6.2 MEDIUM | ||
The database access credentials configured during installation are stored in a special table, and are encrypted with a shared key, same among all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain text passwords. This issue affects ERP XL: from 2020.2.2 through 2023.2. | |||||
CVE-2024-22312 | 1 Ibm | 1 Storage Defender Resiliency Service | 2024-02-15 | N/A | 5.5 MEDIUM |
IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748. |