Total
541 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41639 | 1 Melag | 1 Ftp Server | 2022-07-01 | 2.1 LOW | 5.5 MEDIUM |
| MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file. | |||||
| CVE-2017-20040 | 1 Sicunet | 1 Access Control | 2022-06-17 | 2.1 LOW | 5.5 MEDIUM |
| A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement. | |||||
| CVE-2020-6648 | 1 Fortinet | 2 Fortios, Fortiproxy | 2022-06-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| A cleartext storage of sensitive information vulnerability in FortiOS command line interface in versions 6.2.4 and earlier and FortiProxy 2.0.0, 1.2.9 and earlier may allow an authenticated attacker to obtain sensitive information such as users passwords by connecting to FortiGate CLI and executing the "diag sys ha checksum show" command. | |||||
| CVE-2022-23236 | 1 Netapp | 1 E-series Santricity Os Controller | 2022-06-11 | 2.1 LOW | 4.4 MEDIUM |
| E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users. | |||||
| CVE-2022-31004 | 1 Mitre | 1 Cve-services | 2022-06-10 | 5.0 MEDIUM | 7.5 HIGH |
| CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch. | |||||
| CVE-2022-25160 | 1 Mitsubishielectric | 32 Fx5uc, Fx5uc-32mr\/ds-ts, Fx5uc-32mr\/ds-ts Firmware and 29 more | 2022-06-02 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions and Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions allows a remote unauthenticated attacker to disclose a file in a legitimate user's product by using previously eavesdropped cleartext information and to counterfeit a legitimate user’s system. | |||||
| CVE-2022-25158 | 1 Mitsubishielectric | 32 Fx5uc, Fx5uc-32mr\/ds-ts, Fx5uc-32mr\/ds-ts Firmware and 29 more | 2022-06-02 | 6.4 MEDIUM | 9.1 CRITICAL |
| Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote attacker to disclose or tamper with a file in which password hash is saved in cleartext. | |||||
| CVE-2022-22484 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect, Linux Kernel and 1 more | 2022-05-25 | 2.1 LOW | 5.5 MEDIUM |
| IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a local attacker to obtain sensitive information, caused by plain text user account passwords potentially being stored in the browser's application command history. By accessing browser history, an attacker could exploit this vulnerability to obtain other user accounts' passwords. IBM X-Force ID: 226322. | |||||
| CVE-2022-28214 | 1 Sap | 2 Businessobjects, Businessobjects Business Intelligence | 2022-05-19 | 4.6 MEDIUM | 7.8 HIGH |
| During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability. | |||||
| CVE-2022-29868 | 1 1password | 1 1password | 2022-05-18 | 2.1 LOW | 5.5 MEDIUM |
| 1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password. | |||||
| CVE-2022-28162 | 1 Broadcom | 1 Sannav | 2022-05-17 | 2.1 LOW | 3.3 LOW |
| Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text. | |||||
| CVE-2022-26148 | 2 Grafana, Redhat | 3 Grafana, Ceph Storage, Storage | 2022-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. | |||||
| CVE-2019-15947 | 1 Bitcoin | 1 Bitcoin Core | 2022-05-03 | 5.0 MEDIUM | 7.5 HIGH |
| In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command. | |||||
| CVE-2021-39078 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2022-04-27 | 2.1 LOW | 4.4 MEDIUM |
| IBM Security Guardium 10.5 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215589. | |||||
| CVE-2022-0835 | 1 Aveva | 1 System Platform | 2022-04-18 | 1.9 LOW | 5.5 MEDIUM |
| AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user. | |||||
| CVE-2016-0876 | 1 Moxa | 2 Edr-g903, Edr-g903 Firmware | 2022-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attackers to discover cleartext passwords by reading a configuration file. | |||||
| CVE-2018-1882 | 5 Apple, Ibm, Linux and 2 more | 7 Macos, Aix, Spectrum Protect Backup-archive Client and 4 more | 2022-04-11 | 1.9 LOW | 4.7 MEDIUM |
| In a certain atypical IBM Spectrum Protect 7.1 and 8.1 configurations, the node password could be displayed in plain text in the IBM Spectrum Protect client trace file. IBM X-Force ID: 151968. | |||||
| CVE-2020-11694 | 2 Jetbrains, Microsoft | 2 Pycharm, Windows | 2022-04-06 | 5.0 MEDIUM | 7.5 HIGH |
| In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3. | |||||
| CVE-2021-45491 | 1 3cx | 1 3cx | 2022-03-31 | 4.0 MEDIUM | 6.5 MEDIUM |
| 3CX System through 2022-03-17 stores cleartext passwords in a database. | |||||
| CVE-2021-41090 | 1 Grafana | 1 Agent | 2022-03-31 | 4.3 MEDIUM | 7.5 HIGH |
| Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as `*_file` based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API. | |||||