Total: 1001 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-4538 | | | 2024-02-15 | N/A | 6.2 MEDIUM | The database access credentials configured during installation are stored in a special table and are encrypted with a shared key that is the same across all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain-text passwords. This issue affects ERP XL: from 2020.2.2 through 2023.2.
CVE-2024-22312 | 1 Ibm | 1 Storage Defender Resiliency Service | 2024-02-15 | N/A | 5.5 MEDIUM | IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.
CVE-2023-27975 | | | 2024-02-14 | N/A | 7.1 HIGH | CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.
CVE-2024-23306 | | | 2024-02-14 | N/A | 4.4 MEDIUM | A vulnerability exists in BIG-IP Next CNF and SPK systems that may allow access to undisclosed sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2020-15483 | 1 Niscomed | 2 M1000 Multipara Patient Monitor, M1000 Multipara Patient Monitor Firmware | 2024-02-14 | 7.2 HIGH | 6.8 MEDIUM | An issue was discovered on Nescomed Multipara Monitor M1000 devices. The physical UART debug port provides a shell, without requiring a password, with complete access.
CVE-2023-32280 | | | 2024-02-14 | N/A | 5.3 MEDIUM | Insufficiently protected credentials in some Intel(R) Server Product OpenBMC firmware before version egs-1.05 may allow an unauthenticated user to enable information disclosure via network access.
CVE-2020-15024 | 1 Avast | 1 Antivirus | 2024-02-14 | 2.1 LOW | 5.5 MEDIUM | An issue was discovered in the Login Password feature of the Password Manager component in Avast Antivirus 20.1.5069.562. An entered password continues to be stored in Windows main memory after a logout, and after a Lock Vault operation.
CVE-2021-34204 | 1 Dlink | 2 Dir-2640-us, Dir-2640-us Firmware | 2024-02-14 | 7.2 HIGH | 6.8 MEDIUM | D-Link DIR-2640-US 1.01B04 is affected by Insufficiently Protected Credentials. D-Link AC2600 (DIR-2640) stores the device system account password in plain text. It does not use Linux user management. In addition, the passwords of all devices are the same, and they cannot be modified by normal users. An attacker can easily log in to the target router through the serial port and obtain root privileges.
CVE-2023-31492 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-02-13 | N/A | 6.5 MEDIUM | Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to authenticated users.
CVE-2022-30018 | 1 Mobotix | 1 Mxcontrolcenter | 2024-02-13 | 6.5 MEDIUM | 8.8 HIGH | Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, storing passwords in a recoverable format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the machine to gain admin access to the software and gain access to recordings/recording locations.
CVE-2022-29959 | 1 Emerson | 1 Openbsi | 2024-02-13 | N/A | 5.5 MEDIUM | Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism.
CVE-2024-24595 | 1 Clear | 1 Clearml | 2024-02-13 | N/A | 7.1 HIGH | Allegro AI's open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords.
CVE-2022-35411 | 1 Rpc.py Project | 1 Rpc.py | 2024-02-09 | 7.5 HIGH | 9.8 CRITICAL | rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
CVE-2000-0944 | 1 Cgi | 1 Script Center News Update | 2024-02-09 | 7.5 HIGH | 9.8 CRITICAL | CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password.
CVE-2007-0681 | 1 Extcalendar Project | 1 Extcalendar | 2024-02-09 | 7.5 HIGH | 9.8 CRITICAL | profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php.
CVE-2005-3435 | 1 Archilles | 1 Newsworld | 2024-02-09 | 7.5 HIGH | 9.8 CRITICAL | admin_news.php in Archilles Newsworld up to 1.3.0 allows attackers to bypass authentication by obtaining the password hash for another user, for example through another Newsworld vulnerability, and specifying the hash in the pwd argument.
CVE-2024-21869 | 1 Rapidscada | 1 Rapid Scada | 2024-02-07 | N/A | 5.5 MEDIUM | In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product stores plaintext credentials in various places. This may allow an attacker with local access to see them.
CVE-2023-29055 | 1 Apache | 1 Kylin | 2024-02-02 | N/A | 7.5 HIGH | In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of the file 'kylin.properties', which may contain server-side credentials. When the Kylin service runs over HTTP (or another plain-text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the credentials it contains. To avoid this threat, users are recommended to: always turn on HTTPS so that the network payload is encrypted; avoid putting credentials in kylin.properties, or at least not in plain text; use network firewalls to protect the server side so that it is not accessible to external attackers; and upgrade to Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface.
CVE-2024-22432 | 1 Dell | 1 Networker | 2024-02-01 | N/A | 6.5 MEDIUM | NetWorker 19.9 and all prior versions contain a plain-text password stored in a temporary config file for the duration of NMDA MySQL Database backups. A user with low-privilege access to the NetWorker Client system could potentially exploit this vulnerability, leading to the disclosure of the configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application database with the privileges of the compromised account.
CVE-2023-20046 | 1 Cisco | 6 Asr 5000, Asr 5500, Asr 5700 and 3 more | 2024-01-25 | N/A | 8.8 HIGH | A vulnerability in the key-based SSH authentication feature of Cisco StarOS Software could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied credentials. An attacker could exploit this vulnerability by sending a valid low-privileged SSH key to an affected device from a host that has an IP address that is configured as the source for a high-privileged user account. A successful exploit could allow the attacker to log in to the affected device through SSH as a high-privileged user. There are workarounds that address this vulnerability.