Total
88 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21253 | 1 Onlinevotingsystem Project | 1 Onlinevotingsystem | 2022-10-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords. This problem is fixed and published in version 1.1.2. A long randomly generated salt is added to the password hash function to better protect passwords stored in the voting system. | |||||
| CVE-2022-24041 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2022-10-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application stores the PBKDF2 derived key of users passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users. | |||||
| CVE-2022-36071 | 1 Sftpgo Project | 1 Sftpgo | 2022-09-09 | N/A | 8.1 HIGH |
| SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it. | |||||
| CVE-2021-37551 | 1 Jetbrains | 1 Youtrack | 2022-07-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256. | |||||
| CVE-2021-38979 | 3 Ibm, Linux, Microsoft | 5 Aix, Security Guardium Key Lifecycle Manager, Security Key Lifecycle Manager and 2 more | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. IBM X-Force ID: 212785. | |||||
| CVE-2021-32997 | 1 Bakerhughes | 10 Bentley Nevada 3500\/22m \(288055-01\), Bentley Nevada 3500\/22m \(288055-01\) Firmware, Bentley Nevada 3500 Rack Configuration \(129133-01\) and 7 more | 2022-06-14 | 5.0 MEDIUM | 7.5 HIGH |
| The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access. | |||||
| CVE-2022-29731 | 1 Ict | 4 Protege Gx, Protege Gx Firmware, Protege Wx and 1 more | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| An access control issue in ICT Protege GX/WX 2.08 allows attackers to leak SHA1 password hashes of other users. | |||||
| CVE-2020-16231 | 1 Bachmann | 40 Cpc210, Cpc210 Firmware, Cs200 and 37 more | 2022-06-08 | 6.5 MEDIUM | 8.8 HIGH |
| The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controller include MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set at default from the manufacturer, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker or an unauthenticated person with physical access to the device reads and decrypts the password to conduct further attacks. | |||||
| CVE-2022-23348 | 1 Bigantsoft | 1 Bigant Server | 2022-04-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigAnt Software BigAnt Server v5.6.06 was discovered to utilize weak password hashes. | |||||
| CVE-2021-26113 | 1 Fortinet | 1 Fortiwan | 2022-04-13 | 5.0 MEDIUM | 7.5 HIGH |
| A use of a one-way hash with a predictable salt vulnerability [CWE-760] in FortiWAN before 4.5.9 may allow an attacker who has previously come in possession of the password file to potentially guess passwords therein stored. | |||||
| CVE-2022-1235 | 1 Livehelperchat | 1 Live Helper Chat | 2022-04-13 | 6.4 MEDIUM | 8.2 HIGH |
| Weak secrethash can be brute-forced in GitHub repository livehelperchat/livehelperchat prior to 3.96. | |||||
| CVE-2022-0022 | 1 Paloaltonetworks | 1 Pan-os | 2022-03-12 | 4.6 MEDIUM | 4.4 MEDIUM |
| Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to take advantage of this weakness and can acquire those hashes if they are able to gain access to the PAN-OS software configuration. Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. This issue does not impact Prisma Access firewalls. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; All versions of PAN-OS 9.0; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7. | |||||
| CVE-2019-3907 | 1 Identicard | 1 Premisys Id | 2021-11-02 | 5.0 MEDIUM | 7.5 HIGH |
| Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password). | |||||
| CVE-2021-38400 | 1 Bostonscientific | 2 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware | 2021-10-13 | 4.6 MEDIUM | 6.8 MEDIUM |
| An attacker with physical access to Boston Scientific Zoom Latitude Model 3120 can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute force reverse engineering of the system password. | |||||
| CVE-2021-32519 | 1 Qsan | 3 Sanos, Storage Manager, Xevo | 2021-09-20 | 5.0 MEDIUM | 7.5 HIGH |
| Use of password hash with insufficient computational effort vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to recover the plain-text password by brute-forcing the MD5 hash. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.2, QSAN XEVO v2.1.0, and QSAN SANOS v2.1.0. | |||||
| CVE-2021-33003 | 1 Deltaww | 1 Diaenergie | 2021-09-03 | 2.1 LOW | 5.5 MEDIUM |
| Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to retrieve passwords in cleartext due to a weak hashing algorithm. | |||||
| CVE-2021-32596 | 1 Fortinet | 1 Fortiportal | 2021-08-10 | 5.0 MEDIUM | 7.5 HIGH |
| A use of one-way hash with a predictable salt vulnerability in the password storing mechanism of FortiPortal 6.0.0 through 6.04 may allow an attacker already in possession of the password store to decrypt the passwords by means of precomputed tables. | |||||
| CVE-2021-22774 | 1 Schneider-electric | 12 Evlink City Evc1s22p4, Evlink City Evc1s22p4 Firmware, Evlink City Evc1s7p4 and 9 more | 2021-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-759: Use of a One-Way Hash without a Salt vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1 ) that could lead an attacker to get knowledge of charging station user account credentials using dictionary attacks techniques. | |||||
| CVE-2019-9080 | 1 Domainmod | 1 Domainmod | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| DomainMOD before 4.14.0 uses MD5 without a salt for password storage. | |||||
| CVE-2019-7649 | 1 Cmswing | 1 Cmswing | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies on multiple MD5 operations for password hashing. | |||||