Vulnerabilities (CVE)

Filtered by CWE-312
Total 577 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-20219 1 Google 1 Android 2024-11-21 2.1 LOW 5.5 MEDIUM
In multiple functions of StorageManagerService.java and UserManagerService.java, there is a possible way to leave user's directories unencrypted due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-224585613
CVE-2022-0835 1 Aveva 1 System Platform 2024-11-21 1.9 LOW 8.1 HIGH
AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user.
CVE-2021-45491 1 3cx 1 3cx 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
3CX System through 2022-03-17 stores cleartext passwords in a database.
CVE-2021-45077 1 Netgear 2 R6700, R6700 Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
Netgear Nighthawk R6700 version 1.0.4.120 stores sensitive information in plaintext. All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admin password is stored in plaintext in the primary configuration file on the device.
CVE-2021-45025 1 Rocketsoftware 1 Ags-zena 2024-11-21 5.0 MEDIUM 7.5 HIGH
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie.
CVE-2021-43590 1 Dell 1 Enterprise Storage Analytics 2024-11-21 3.6 LOW 6.0 MEDIUM
Dell EMC Enterprise Storage Analytics for vRealize Operations, versions 4.0.1 to 6.2.1, contain a Plain-text password storage vulnerability. A local high privileged malicious user may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
CVE-2021-43388 1 Unisys 1 Cargo Mobile 2024-11-21 4.3 MEDIUM 7.5 HIGH
Unisys Cargo Mobile Application before 1.2.29 uses cleartext to store sensitive information, which might be revealed in a backup. The issue is addressed by ensuring that the allowBackup flag (in the manifest) is False.
CVE-2021-42763 1 Couchbase 1 Couchbase Server 2024-11-21 5.0 MEDIUM 7.5 HIGH
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request.
CVE-2021-42642 1 Printerlogic 1 Web Stack 2024-11-21 5.0 MEDIUM 7.5 HIGH
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer.
CVE-2021-42370 1 Xorux 2 Lpar2rrd, Stor2rrd 2024-11-21 4.3 MEDIUM 7.5 HIGH
A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.)
CVE-2021-42066 1 Sap 1 Business One 2024-11-21 3.5 LOW 4.4 MEDIUM
SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover vulnerable function in-depth application knowledge is required, but once exploited the attacker may be able to completely compromise confidentiality, integrity, and availability of the application.
CVE-2021-41639 1 Melag 1 Ftp Server 2024-11-21 2.1 LOW 5.5 MEDIUM
MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file.
CVE-2021-41302 1 Ecoa 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more 2024-11-21 5.0 MEDIUM 7.3 HIGH
ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.
CVE-2021-41090 1 Grafana 1 Agent 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as `*_file` based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API.
CVE-2021-40527 1 Onepeloton 1 Peloton 2024-11-21 5.0 MEDIUM 8.6 HIGH
Exposure of senstive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.
CVE-2021-40454 1 Microsoft 11 365 Apps, Office, Windows 10 and 8 more 2024-11-21 2.1 LOW 5.5 MEDIUM
Rich Text Edit Control Information Disclosure Vulnerability
CVE-2021-40087 1 Primekey 1 Ejbca 2024-11-21 4.0 MEDIUM 2.7 LOW
An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrator). This affects use of any of the following protocols: SCEP, CMP, or EST.
CVE-2021-3585 1 Openstack 1 Tripleo Heat Templates 2024-11-21 N/A 5.5 MEDIUM
A flaw was found in openstack-tripleo-heat-templates. Plain passwords from RHSM exist in the logs during OSP13 deployment with subscription-manager.
CVE-2021-3551 4 Dogtagpki, Fedoraproject, Oracle and 1 more 12 Dogtagpki, Fedora, Linux and 9 more 2024-11-21 4.4 MEDIUM 7.8 HIGH
A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality.
CVE-2021-3473 1 Lenovo 38 Thinkagile Hx1320, Thinkagile Hx2320, Thinkagile Hx3320 and 35 more 2024-11-21 4.0 MEDIUM 4.5 MEDIUM
An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.