Total: 1286 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10727 | 2 Apache, Netapp | 2 Activemq Artemis, Oncommand Workflow Automation | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file.
| CVE-2020-10710 | 1 Theforeman | 1 Foreman | 2024-11-21 | N/A | 4.4 MEDIUM |
A flaw was found where the plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. This flaw allows an attacker with sufficiently high privileges, such as root, to retrieve the Candlepin plaintext password.
| CVE-2020-10609 | 1 Grundfos | 1 Cim 500 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Grundfos CIM 500 v06.16.00 stores plaintext credentials, which may allow sensitive information to be read or allow modification to system settings by someone with access to the device.
| CVE-2020-10554 | 1 Psyprax | 1 Psyprax | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Psyprax before 3.2.2. Passwords used to encrypt the data are stored in the database in an obfuscated format, which can be easily reverted. For example, the password AAAAAAAA is stored in the database as MMMMMMMM.
| CVE-2020-10287 | 1 Abb | 4 Irb140, Irb140 Firmware, Irc5 and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The IRC5 family with UAS service enabled comes by default with credentials that can be found on publicly available manuals. ABB considers this a well-documented functionality that helps customers set up; however, in our research we found multiple production systems running these exact default credentials and thereby consider this an exposure that should be mitigated. Moreover, future deployments should consider that these defaults should be forbidden (user should be forced to change them).
| CVE-2020-0540 | 1 Intel | 1 Active Management Technology Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Insufficiently protected credentials in Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access.
| CVE-2019-9873 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.
| CVE-2019-9872 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.
| CVE-2019-9868 | 1 Veritas | 1 Netbackup Appliance | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The SMTP password is displayed to an administrator.
| CVE-2019-9867 | 1 Veritas | 1 Netbackup Appliance | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The proxy server password is displayed to an administrator.
| CVE-2019-9823 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.
| CVE-2019-9657 | 1 Alarm | 2 Adc-v522ir, Adc-v522ir Firmware | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a different issue than CVE-2018-19588. This occurs because of incorrect protection of VPN certificates (used for initiating a VPN session to the Alarm.com infrastructure) on the local camera device.
| CVE-2019-9533 | 1 Cobham | 2 Explorer 710, Explorer 710 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
The root password of the Cobham EXPLORER 710 is the same for all versions of firmware up to and including v1.08. This could allow an attacker to reverse-engineer the password from available versions to gain authenticated access to the device.
| CVE-2019-9104 | 1 Moxa | 12 Mb3170, Mb3170 Firmware, Mb3180 and 9 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. The application's configuration file contains parameters that represent passwords in cleartext.
| CVE-2019-8932 | 1 Rdbrck | 1 Shift | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application.
| CVE-2019-8350 | 1 Simple | 1 Better Banking | 2024-11-21 | 2.1 LOW | 6.6 MEDIUM |
The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed in 2.46.0) for Android was affected by an information disclosure vulnerability that leaked the user's password to the keyboard autocomplete functionality. Third-party Android keyboards that capture the password may store this password in cleartext, or transmit the password to third-party services for keyboard customization purposes. A compromise of any datastore that contains keyboard autocompletion caches would result in the d ...
| CVE-2019-7300 | 1 Articatech | 1 Artica Proxy | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
Artica Proxy 3.06.200056 allows remote attackers to execute arbitrary commands as root by reading the ressources/settings.inc ldap_admin and ldap_password fields, using these credentials at logon.php, and then entering the commands in the admin.index.php command-line field.
| CVE-2019-7271 | 1 Nortekcontrol | 4 Linear Emerge 5000p, Linear Emerge 5000p Firmware, Linear Emerge 50p and 1 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
Nortek Linear eMerge 50P/5000P devices have Default Credentials.
| CVE-2019-7260 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
Linear eMerge E3-Series devices have Cleartext Credentials in a Database.
| CVE-2019-6700 | 1 Fortinet | 1 Fortisiem | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
An information exposure vulnerability in the external authentication profile form of FortiSIEM 5.2.2 and earlier may allow an authenticated attacker to retrieve the external authentication password via the HTML source code.
| CVE-2019-6609 | 1 F5 | 37 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 34 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
Platform dependent weakness. This issue only impacts iSeries platforms. On these platforms, in BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) versions 14.0.0-14.1.0.1, 13.0.0-13.1.1.3, and 12.1.1 HF2-12.1.4, the secureKeyCapable attribute was not set which causes secure vault to not use the F5 hardware support to store the unit key. Instead the unit key is stored in plaintext on disk as would be the case for Z100 systems. Additional ...
| CVE-2019-6567 | 1 Siemens | 8 Scalance X-200, Scalance X-200 Firmware, Scalance X-200irt and 5 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All Versions < V5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3), SCALANCE X-414-3E (All versions). The affected devices store passwords in a recoverable format. An attacker may extract and recover device passwords from the device configuration. Successful exploitation ...
| CVE-2019-6549 | 1 Kunbus | 2 Pr100088 Modbus Gateway, Pr100088 Modbus Gateway Firmware | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
An attacker could retrieve plain-text credentials stored in an XML file on PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) through FTP.
| CVE-2019-6525 | 1 Aveva | 1 Wonderware System Platform | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
AVEVA Wonderware System Platform 2017 Update 2 and prior uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to obtain the credentials for this account.
| CVE-2019-6452 | 1 Kyocera | 3 Command Center Rx, Taskalfa 4501i, Taskalfa 5052ci | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password.
| CVE-2019-6024 | 1 Rakuten | 1 Rakuma | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
Rakuma App for Android version 7.15.0 and earlier, and for iOS version 7.16.4 and earlier, allows an attacker to bypass authentication and obtain the user's authentication information via a malicious application created by a third party.
| CVE-2019-5990 | 1 Anglers-net | 1 Cgi An-anlyzer | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Access analysis CGI An-Analyzer released on 2019 June 24 and earlier allows remote attackers to obtain a login password via the HTTP referer.
| CVE-2019-5723 | 1 Portier | 1 Portier | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
An issue was discovered in portier vision 4.4.4.2 and 4.4.4.6. Passwords are stored using reversible encryption rather than as a hash value, and the used Vigenere algorithm is badly outdated. Moreover, the encryption key is static and too short. Due to this, the passwords stored by the application can be easily decrypted.
| CVE-2019-5648 | 1 Barracuda | 2 Load Balancer Adc, Load Balancer Adc Firmware | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system, without having to re-enter LDAP credentials. These steps can be used by any authenticated administrative user to expose the LDAP credentials configured in the LDAP connector over the network.
| CVE-2019-5627 | 1 Bluecats | 1 Bc Reveal | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app.
| CVE-2019-5626 | 1 Bluecats | 1 Bluecats Reveal | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
| CVE-2019-5625 | 1 Eaton | 1 Halo Home | 2024-11-21 | 3.6 LOW | 7.1 HIGH |
The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the And ...
| CVE-2019-5615 | 1 Rapid7 | 1 Insightvm | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects: Rapid7 InsightVM versions 6.5.11 through 6.5.49.
| CVE-2019-5534 | 1 Vmware | 1 Vcenter Server | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH |
VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
| CVE-2019-5505 | 1 Netapp | 1 Ontap Select Deploy Administration Utility | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
ONTAP Select Deploy administration utility versions 2.2 through 2.12.1 transmit credentials in plaintext.
| CVE-2019-4724 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Content Backup page. IBM X-Force ID: 172130.
| CVE-2019-4723 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Data Server Connection page. IBM X-Force ID: 172129.
| CVE-2019-4697 | 1 Ibm | 2 Guardium Data Encryption, Guardium For Cloud Key Management | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores user credentials in clear text which can be read by an authenticated user. IBM X-Force ID: 171938.
| CVE-2019-4693 | 1 Ibm | 2 Guardium Data Encryption, Guardium For Cloud Key Management | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores user credentials in clear text which can be read by a local privileged user. IBM X-Force ID: 171831.
| CVE-2019-4668 | 1 Ibm | 1 Urbancode Deploy | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
IBM UrbanCode Deploy (UCD) 7.0.4.0 stores user credentials in clear text which can be read by a local user. IBM X-Force ID: 171250.