Total
1020 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-46155 | 1 Airtable | 1 Airtable | 2023-07-07 | N/A | 6.4 MEDIUM |
| Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code. | |||||
| CVE-2023-36476 | 1 Nixos | 1 Calamares-nixos-extensions | 2023-07-07 | N/A | 5.5 MEDIUM |
| calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users of calamares-nixos-extensions version 0.3.12 and prior who installed NixOS through the graphical calamares installer, with an unencrypted `/boot`, on either non-UEFI systems or with a LUKS partition different from `/` have their LUKS key file in `/boot` as a plaintext CPIO archive attached to their NixOS initrd. A patch is available and anticipated to be part of version 0.3.13 to backport to NixOS 22.11, 23.05, and unstable channels. Expert users who have a copy of their data may, as a workaround, re-encrypt the LUKS partition(s) themselves. | |||||
| CVE-2023-28857 | 1 Apereo | 1 Central Authentication Service | 2023-07-06 | N/A | 7.5 HIGH |
| Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2020-18406 | 1 Cmseasy | 1 Cmseasy | 2023-07-05 | N/A | 7.5 HIGH |
| An issue was discovered in cmseasy v7.0.0 that allows user credentials to be sent in clear text due to no encryption of form data. | |||||
| CVE-2021-28498 | 1 Arista | 2 7130, Metamako Operating System | 2023-06-30 | 7.2 HIGH | 7.8 HIGH |
| In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, user enable passwords set in clear text could result in unprivileged users getting complete access to the systems. This issue affects: Arista Metamako Operating System MOS-0.13 and post releases in the MOS-0.1x train MOS-0.26.6 and prior releases in the MOS-0.2x train MOS-0.31.1 and prior releases in the MOS-0.3x train | |||||
| CVE-2022-31085 | 2 Debian, Ldap-account-manager | 2 Debian Linux, Ldap Account Manager | 2023-06-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration. | |||||
| CVE-2020-11560 | 1 Nchsoftware | 1 Express Invoice | 2023-06-27 | 2.1 LOW | 7.8 HIGH |
| NCH Express Invoice 7.25 allows local users to discover the cleartext password by reading the configuration file. | |||||
| CVE-2022-1794 | 2 Codesys, Microsoft | 2 Opc Da Server, Windows | 2023-06-27 | 4.7 MEDIUM | 5.5 MEDIUM |
| The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system. | |||||
| CVE-2023-35789 | 1 Rabbitmq-c Project | 1 Rabbitmq-c | 2023-06-26 | N/A | 5.5 MEDIUM |
| An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments. | |||||
| CVE-2022-47376 | 1 Bd | 1 Alaris Infusion Central | 2023-06-24 | N/A | 7.3 HIGH |
| The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data. | |||||
| CVE-2023-33620 | 1 Gl-inet | 2 Gl-ar750s, Gl-ar750s Firmware | 2023-06-23 | N/A | 5.9 MEDIUM |
| GL.iNET GL-AR750S-Ext firmware v3.215 uses an insecure protocol in its communications which allows attackers to eavesdrop via a man-in-the-middle attack. | |||||
| CVE-2023-0457 | 1 Mitsubishielectric | 76 Fx5-enet, Fx5-enet\/ip, Fx5-enet\/ip Firmware and 73 more | 2023-06-21 | N/A | 7.5 HIGH |
| Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series, MELSEC iQ-R Series, MELSEC-Q Series and MELSEC-L Series allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server. | |||||
| CVE-2023-29168 | 1 Ptc | 1 Vuforia Studio | 2023-06-16 | N/A | 7.5 HIGH |
| The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication. | |||||
| CVE-2023-30776 | 1 Apache | 1 Superset | 2023-06-15 | N/A | 6.5 MEDIUM |
| An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1. | |||||
| CVE-2023-27126 | 1 Tp-link | 2 Tapo C200, Tapo C200 Firmware | 2023-06-12 | N/A | 4.6 MEDIUM |
| The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 (EU) on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the victim. | |||||
| CVE-2023-22862 | 1 Ibm | 2 Aspera Cargo, Aspera Connect | 2023-06-09 | N/A | 7.5 HIGH |
| IBM Aspera Connect 4.2.5 and IBM Aspera Cargo 4.2.5 transmits authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. IBM X-Force ID: 244107. | |||||
| CVE-2023-32687 | 1 Tgstation13 | 1 Tgstation-server | 2023-06-06 | N/A | 6.5 MEDIUM |
| tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As a workaround, remove the list chat bots permission from users that should not have the ability to view connection strings. Invalidate any credentials previously stored for safety. | |||||
| CVE-2023-31187 | 1 Avaya | 1 Ix Workforce Engagement | 2023-06-02 | N/A | 6.5 MEDIUM |
| Avaya IX Workforce Engagement v15.2.7.1195 - CWE-522: Insufficiently Protected Credentials | |||||
| CVE-2023-33264 | 1 Hazelcast | 1 Hazelcast | 2023-06-02 | N/A | 4.3 MEDIUM |
| In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don't mask passwords in the member configuration properly. This allows Hazelcast Management Center users to view some of the secrets. | |||||
| CVE-2023-33263 | 1 Wftpd Project | 1 Wftpd | 2023-06-01 | N/A | 7.5 HIGH |
| In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory. NOTE: this is a product from 2006. | |||||