Total: 1286 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4508 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
|
IBM QRadar SIEM 7.3.0 through 7.3.3 uses weak credential storage in some instances which could be decrypted by a local attacker. IBM X-Force ID: 164429.
|
|||||
| CVE-2019-4385 | 1 Ibm | 1 Spectrum Protect Plus | 2024-11-21 | 2.1 LOW | 6.5 MEDIUM |
|
IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password in the IBM Spectrum Protect Plus Joblog. This can result in an attacker gaining access to sensitive information as well as vSnap. IBM X-Force ID: 162173.
|
|||||
| CVE-2019-4335 | 1 Ibm | 1 Watson Studio Local | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
IBM Watson Studio Local 1.2.3 stores key files in the user's home directory which could be obtained by another local user. IBM X-Force ID: 161413.
|
|||||
| CVE-2019-4307 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores user credentials in clear text which can be read by a local user. IBM X-Force ID: 160987.
|
|||||
| CVE-2019-4239 | 2 Ibm, Redhat | 2 Cloud Private, Openshift | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
IBM MQ Advanced Cloud Pak (IBM Cloud Private 1.0.0 through 3.0.1) stores user credentials in clear text which can be read by a local user. IBM X-Force ID: 159465.
|
|||||
| CVE-2019-4138 | 1 Ibm | 1 Spectrum Control | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334.
|
|||||
| CVE-2019-4059 | 1 Ibm | 1 Rational Clearcase | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
IBM Rational ClearCase 1.0.0.0 GIT connector does not sufficiently protect the document database password. An attacker could obtain the password and gain unauthorized access to the document database. IBM X-Force ID: 156583.
|
|||||
| CVE-2019-3947 | 1 Fujielectric | 1 V-server | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Fuji Electric V-Server before 6.0.33.0 stores database credentials in project files as plaintext. An attacker that can gain access to the project file can recover the database credentials and gain access to the database server.
|
|||||
| CVE-2019-3942 | 1 Advantech | 1 Webaccess | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password.
|
|||||
| CVE-2019-3938 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
|
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 store usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file since all the encryption logic is hard coded. A local attacker can use this vulnerability to gain access to the device's usernames and passwords.
|
|||||
| CVE-2019-3800 | 27 Anynines, Apigee, Appdynamics and 24 more | 55 Elasticsearch, Logme, Mongodb and 52 more | 2024-11-21 | 2.1 LOW | 6.3 MEDIUM |
|
CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.
|
|||||
| CVE-2019-3782 | 1 Cloudfoundry | 1 Credhub Cli | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
|
Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user.
|
|||||
| CVE-2019-3780 | 1 Cloudfoundry | 1 Container Runtime | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contain a configuration file with IAAS credentials. A malicious user with access to the K8s nodes can obtain IAAS credentials, allowing the user to escalate privileges to gain access to the IAAS account.
|
|||||
| CVE-2019-3753 | 1 Dell | 12 Emc Powerconnect 7000, Emc Powerconnect 7000 Firmware, Emc Powerconnect 8024 and 9 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Dell EMC PowerConnect 8024, 7000, M6348, M6220, M8024 and M8024-K running firmware versions prior to 5.1.15.2 contain a plain-text password storage vulnerability. TACACS\Radius credentials are stored in plain text in the system settings menu. An authenticated malicious user with access to the system settings menu may obtain the exposed password to use it in further attacks.
|
|||||
| CVE-2019-3663 | 1 Mcafee | 1 Advanced Threat Defense | 2024-11-21 | 2.1 LOW | 9.8 CRITICAL |
|
Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows a local attacker to gain access to the root password via accessing sensitive files on the system. This was originally published with a CVSS rating of High; further investigation has resulted in this being updated to Critical. The root password is common across all instances of ATD prior to 4.8. See the Security bulletin for further details.
|
|||||
| CVE-2019-3431 | 1 Zte | 1 Zxcloud Goldendata Vap | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
All versions up to V4.01.01.02 of the ZTE ZXCLOUD GoldenData VAP product have an encryption problems vulnerability. Attackers could sniff the unencrypted account and password over the network for front-end system access.
|
|||||
| CVE-2019-25030 | 1 Versa-networks | 3 Versa Analytics, Versa Director, Versa Operating System | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgard construction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algo ...
|
|||||
| CVE-2019-20047 | 1 Al-enterprise | 2 Omnivista 4760, Omnivista 8770 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and 8770 devices before 4.1.2. An incorrect web server configuration allows a remote unauthenticated attacker to retrieve the content of its own session files. Every session file contains the administrative LDAP credentials encoded in a reversible format. Sessions are stored in /sessions/sess_<sessionid>.
|
|||||
| CVE-2019-1384 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages. To exploit this vulnerability, an attacker could send a specially crafted authentication request, aka 'Microsoft Windows Security Feature Bypass Vulnerability'.
|
|||||
| CVE-2019-19898 | 1 Ixpdata | 1 Easyinstall | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In IXP EasyInstall 6.2.13723, there are cleartext credentials in network communication on TCP port 20050 when using the Administrator console remotely.
|
|||||
| CVE-2019-19890 | 1 Humaxdigital | 2 Hgb10r-02, Hgb10r-02 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. Admin credentials are sent over cleartext HTTP.
|
|||||
| CVE-2019-19843 | 1 Ruckuswireless | 17 C110, E510, H320 and 14 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.
|
|||||
| CVE-2019-19823 | 11 Ciktel, Coship, Fg-products and 8 more | 36 Mesh Router, Mesh Router Firmware, Emta Ap and 33 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wire ...
|
|||||
| CVE-2019-19696 | 1 Trendmicro | 1 Password Manager | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishing sites.
|
|||||
| CVE-2019-19687 | 1 Openstack | 1 Keystone | 2024-11-21 | 3.5 LOW | 8.8 HIGH |
|
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the li ...
|
|||||
| CVE-2019-19539 | 1 Hp | 3 Web Viewpoint T0320, Web Viewpoint T0952, Web Viewpoint T0986 | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
An issue was discovered in Idelji Web ViewPoint H01ABO-H01BY and L01ABP-L01ABZ, Web ViewPoint Plus H01AAG-H01AAQ and L01AAH-L01AAR, and Web ViewPoint Enterprise H01-H01AAE and L01-L01AAF. By reading ADB or AADB file content within the Installation subvolume, a Guardian user can discover the password of the group.user or alias who acknowledges events from the WVP Events screen.
|
|||||
| CVE-2019-19310 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.
|
|||||
| CVE-2019-19218 | 1 Bmcsoftware | 1 Control-m/agent | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage.
|
|||||
| CVE-2019-19119 | 1 Paessler | 1 Prtg Network Monitor | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
An issue was discovered in PRTG 7.x through 19.4.53. Due to insufficient access control on local registry keys for the Core Server Service, a non-administrative user on the local machine is able to access administrative credentials.
|
|||||
| CVE-2019-19105 | 2 Abb, Busch-jaeger | 4 Tg/s3.2, Tg/s3.2 Firmware, 6186/11 and 1 more | 2024-11-21 | 2.1 LOW | 6.2 MEDIUM |
|
The backup function in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway saves the current settings and configuration of the application, including credentials of existing user accounts and other configuration's credentials in plaintext.
|
|||||
| CVE-2019-19096 | 1 Hitachienergy | 1 Esoms | 2024-11-21 | 3.6 LOW | 6.1 MEDIUM |
|
The Redis data structure component used in ABB eSOMS versions 6.0 to 6.0.2 stores credentials in clear text. If an attacker has file system access, this can potentially compromise the credentials' confidentiality.
|
|||||
| CVE-2019-18868 | 1 Blaauwproducts | 1 Remote Kiln Control | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc, /lang/nl.bak, or /lang/en.bak.
|
|||||
| CVE-2019-18785 | 1 Suitecrm | 1 Suitecrm | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 mishandles API access tokens and credentials.
|
|||||
| CVE-2019-18615 | 1 Arista | 1 Cloudvision Portal | 2024-11-21 | 3.5 LOW | 4.9 MEDIUM |
|
In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where: 1. Devices have enable mode passwords which are different from the user's login password, OR 2. There are configlet builders that use the Device class and specify username and password explicitly. Application logs are not accessible or visible fro ...
|
|||||
| CVE-2019-18572 | 1 Dell | 1 Rsa Identity Governance And Lifecycle | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain an Improper Authentication vulnerability. A Java JMX agent running on the remote host is configured with plain text password authentication. An unauthenticated remote attacker can connect to the JMX agent and monitor and manage the Java application.
|
|||||
| CVE-2019-18256 | 1 Biotronik | 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
|
BIOTRONIK CardioMessenger II: the affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and decryption of local data in transit.
|
|||||
| CVE-2019-17662 | 1 Cybelsoft | 1 Thinvnc | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
|
|||||
| CVE-2019-17393 | 1 Tomedo | 1 Server | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and password.
|
|||||
| CVE-2019-17356 | 1 Infinitestudio | 1 Infinite Design | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network.
|
|||||
| CVE-2019-16673 | 1 Weidmueller | 80 Ie-sw-pl08m-6tx-2sc, Ie-sw-pl08m-6tx-2sc Firmware, Ie-sw-pl08m-6tx-2scs and 77 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Passwords are stored in cleartext and can be read by anyone with access to the device.
|
|||||