Total: 1286 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-16672 | 1 Weidmueller | 80 Ie-sw-pl08m-6tx-2sc, Ie-sw-pl08m-6tx-2sc Firmware, Ie-sw-pl08m-6tx-2scs and 77 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Sensitive Credentials data is transmitted in cleartext. ||||||
| CVE-2019-16649 | 1 Supermicro | 672 A1sa2-2750f, A1sa2-2750f Firmware, A1sai-2550f and 669 more | 2024-11-21 | 5.0 MEDIUM | 10.0 CRITICAL |
| On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC. ||||||
| CVE-2019-16572 | 1 Jenkins | 1 Weibo | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. ||||||
| CVE-2019-16557 | 1 Jenkins | 1 Redgate Sql Change Automation | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. ||||||
| CVE-2019-16556 | 1 Jenkins | 1 Rundeck | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. ||||||
| CVE-2019-16544 | 1 Qmetry | 1 Jenkins Qmetry For Jira | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins QMetry for JIRA - Test Management Plugin 1.12 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. ||||||
| CVE-2019-16543 | 1 Jenkins | 1 Spira Importer | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. ||||||
| CVE-2019-16542 | 1 Jenkins | 1 Anchore Container Image Scanner | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. ||||||
| CVE-2019-16211 | 1 Broadcom | 1 Brocade Sannav | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Brocade SANnav versions before v2.1.0 contain a Plaintext Password Storage vulnerability. ||||||
| CVE-2019-16067 | 1 Netsas | 1 Enigma Network Management Solution | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over HTTP for enforcing access control to the web application. The use of weak authentication transmitted over cleartext protocols can allow an attacker to steal username and password combinations by intercepting authentication traffic in transit. ||||||
| CVE-2019-15656 | 1 Dlink | 4 Dsl-2875al, Dsl-2875al Firmware, Dsl-2877al and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables. ||||||
| CVE-2019-15655 | 1 Dlink | 2 Dsl-2875al, Dsl-2875al Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| D-Link DSL-2875AL devices through 1.00.05 are prone to password disclosure via a simple crafted /romfile.cfg request to the web management server. This request doesn't require any authentication and will lead to saving the configuration file. The password is stored in cleartext. ||||||
| CVE-2019-15653 | 1 Comba | 2 Ap2600-i - A02 - 0202n00pd2, Ap2600-i - A02 - 0202n00pd2 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via an insecure authentication mechanism. The HTML source code of the login page contains values that allow obtaining the username and password. The username and password values are a double md5 of the plaintext real value, i.e., md5(md5(value)). ||||||
| CVE-2019-15635 | 1 Grafana | 1 Grafana | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" ... ||||||
| CVE-2019-15052 | 1 Gradle | 1 Gradle | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007. ||||||
| CVE-2019-14929 | 2 Inea, Mitsubishielectric | 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service. ||||||
| CVE-2019-14709 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| A cleartext password storage issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The file in question is /usr/local/ipsca/mipsca.db. If a camera is compromised, the attacker can gain access to passwords and abuse them to compromise further systems. ||||||
| CVE-2019-14480 | 1 Adremsoft | 1 Netcrunch | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges. ||||||
| CVE-2019-14477 | 1 Adremsoft | 1 Netcrunch | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| AdRem NetCrunch 10.6.0.4587 has Improper Credential Storage since the internal user database is readable by low-privileged users and passwords in the database are weakly encoded or encrypted. ||||||
| CVE-2019-13421 | 1 Search-guard | 1 Search Guard | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Search Guard versions before 23.1 had an issue in which an administrative user is able to retrieve bcrypt password hashes of other users configured in the internal user database. ||||||
| CVE-2019-13400 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Dynacolor FCM-MB40 v1.2.0.0 uses /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info. ||||||
| CVE-2019-13394 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP. ||||||
| CVE-2019-13349 | 1 Knowage-suite | 1 Knowage | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| In Knowage through 6.1.1, an authenticated user that accesses the users page will obtain all user password hashes. ||||||
| CVE-2019-13348 | 1 Eng | 1 Knowage | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases. ||||||
| CVE-2019-13179 | 1 Calamares | 1 Calamares | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Calamares versions 3.1 through 3.2.10 copy a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600 owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption. ||||||
| CVE-2019-13054 | 1 Logitech | 2 R500, R500 Firmware | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z. ||||||
| CVE-2019-13023 | 1 Jetstream | 1 Jetselect | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in all versions of Bond JetSelect. Within the JetSelect Application, the web interface hides RADIUS secrets, WPA passwords, and SNMP strings from 'non administrative' users using HTML 'password field' obfuscation. By using Developer tools or similar, it is possible to change the obfuscation so that the credentials are visible. ||||||
| CVE-2019-12847 | 1 Jetbrains | 1 Hub | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
| In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period. ||||||
| CVE-2019-12452 | 1 Traefik | 1 Traefik | 2024-11-21 | 3.5 LOW | 7.5 HIGH |
| types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request. ||||||
| CVE-2019-12423 | 2 Apache, Oracle | 8 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 5 more | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However, it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs ... ||||||
| CVE-2019-12171 | 1 Dropbox | 1 Dropbox | 2024-11-21 | 4.3 MEDIUM | 7.8 HIGH |
| Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process. ||||||
| CVE-2019-11885 | 1 Eye-disk | 1 Eyedisk | 2024-11-21 | 2.1 LOW | 6.8 MEDIUM |
| eyeDisk implements the unlock feature by sending a cleartext password. The password can be discovered by sniffing USB traffic or by sending a 06 05 52 41 01 b0 00 00 00 00 00 00 SCSI command. ||||||
| CVE-2019-11820 | 1 Synology | 1 Calendar | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline. ||||||
| CVE-2019-11769 | 1 Teamviewer | 1 Teamviewer | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in TeamViewer 14.2.2558. Updating the product as a non-administrative user requires entering administrative credentials into the GUI. Subsequently, these credentials are processed in Teamviewer.exe, which allows any application running in the same non-administrative user context to intercept them in cleartext within process memory. By using this technique, a local attacker is able to obtain administrative credentials in order to elevate privileges. This vulnerability can ... ||||||
| CVE-2019-11686 | 1 Westerndigital | 118 Sandisk X300 Sd7sb6s-128g, Sandisk X300 Sd7sb6s-128g Firmware, Sandisk X300 Sd7sb6s-256g and 115 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Western Digital SanDisk X300, X300s, X400, and X600 devices: A vulnerability in the wear-leveling algorithm of the drive may cause cryptographically sensitive parameters (such as data encryption keys) to remain on the drive media after their intended erasure. ||||||
| CVE-2019-11664 | 1 Microfocus | 1 Service Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Clear text password in browser in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure. ||||||
| CVE-2019-11663 | 1 Microfocus | 1 Service Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Clear text credentials are used to access managers app in Tomcat in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure. ||||||
| CVE-2019-11402 | 1 Gradle | 1 Enterprise | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format. ||||||
| CVE-2019-11369 | 1 Carel | 2 Pcoweb Card, Pcoweb Card Firmware | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device. ||||||
| CVE-2019-11367 | 1 Auo | 1 Solar Data Recorder | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can log in successfully. ||||||