Total
1013 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-27774 | 5 Brocade, Debian, Haxx and 2 more | 17 Fabric Operating System, Debian Linux, Curl and 14 more | 2024-03-27 | 5.7 Medium |
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers. | ||||
CVE-2022-27776 | 6 Brocade, Debian, Fedoraproject and 3 more | 18 Fabric Operating System, Debian Linux, Fedora and 15 more | 2024-03-27 | 6.5 Medium |
A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. | ||||
CVE-2021-38938 | 1 Ibm | 1 Host Access Transformation Services | 2024-03-19 | 5.5 Medium |
IBM Host Access Transformation Services (HATS) 9.6 through 9.6.1.4 and 9.7 through 9.7.0.3 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 210989. | ||||
CVE-2024-28110 | 2024-03-07 | 7.5 High | ||
Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue. | ||||
CVE-2023-6259 | 2024-02-21 | 7.1 High | ||
Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3. | ||||
CVE-2023-50291 | 1 Apache | 1 Solr | 2024-02-15 | 7.5 High |
Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' | ||||
CVE-2023-4538 | 2024-02-15 | 6.2 Medium | ||
The database access credentials configured during installation are stored in a special table, and are encrypted with a shared key, same among all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain text passwords. This issue affects ERP XL: from 2020.2.2 through 2023.2. | ||||
CVE-2024-22312 | 1 Ibm | 1 Storage Defender Resiliency Service | 2024-02-15 | 5.5 Medium |
IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748. | ||||
CVE-2023-32280 | 2024-02-14 | 5.3 Medium | ||
Insufficiently protected credentials in some Intel(R) Server Product OpenBMC firmware before versions egs-1.05 may allow an unauthenticated user to enable information disclosure via network access. | ||||
CVE-2021-34204 | 1 Dlink | 2 Dir-2640-us, Dir-2640-us Firmware | 2024-02-14 | 6.8 Medium |
D-Link DIR-2640-US 1.01B04 is affected by Insufficiently Protected Credentials. D-Link AC2600(DIR-2640) stores the device system account password in plain text. It does not use linux user management. In addition, the passwords of all devices are the same, and they cannot be modified by normal users. An attacker can easily log in to the target router through the serial port and obtain root privileges. | ||||
CVE-2023-31492 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-02-13 | 6.5 Medium |
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | ||||
CVE-2024-24595 | 1 Clear | 1 Clearml | 2024-02-13 | 7.1 High |
Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords. | ||||
CVE-2022-30018 | 1 Mobotix | 1 Mxcontrolcenter | 2024-02-13 | 8.8 High |
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the machine to gain admin access to the software and gain access to recordings/recording locations. | ||||
CVE-2022-29959 | 1 Emerson | 1 Openbsi | 2024-02-13 | 5.5 Medium |
Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism. | ||||
CVE-2022-35411 | 1 Rpc.py Project | 1 Rpc.py | 2024-02-09 | 9.8 Critical |
rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. | ||||
CVE-2000-0944 | 1 Cgi | 1 Script Center News Update | 2024-02-09 | 9.8 Critical |
CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password. | ||||
CVE-2007-0681 | 1 Extcalendar Project | 1 Extcalendar | 2024-02-09 | 9.8 Critical |
profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php. | ||||
CVE-2005-3435 | 1 Archilles | 1 Newsworld | 2024-02-09 | 9.8 Critical |
admin_news.php in Archilles Newsworld up to 1.3.0 allows attackers to bypass authentication by obtaining the password hash for another user, for example through another Newsworld vulnerability, and specifying the hash in the pwd argument. | ||||
CVE-2024-21869 | 1 Rapidscada | 1 Rapid Scada | 2024-02-07 | 5.5 Medium |
In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product stores plaintext credentials in various places. This may allow an attacker with local access to see them. | ||||
CVE-2024-22432 | 1 Dell | 1 Networker | 2024-02-06 | 6.5 Medium |
Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account. |