Total
577 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-29550 | 1 Urve | 1 Urve | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in URVE Build 24.03.2020. The password of an integration user account (used for the connection of the MS Office 365 Integration Service) is stored in cleartext in configuration files as well as in the database. The following files contain the password in cleartext: Profiles/urve/files/sql_db.backup, Server/data/pg_wal/000000010000000A000000DD, Server/data/base/16384/18617, and Server/data/base/17202/8708746. This causes the password to be displayed as cleartext in the HTML code as roomsreservationimport_password in /urve/roomsreservationimport/roomsreservationimport/update-HTML5. | |||||
CVE-2020-29502 | 1 Dell | 2 Emc Powerstore, Emc Powerstore Firmware | 2024-11-21 | 4.6 MEDIUM | 7.5 HIGH |
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
CVE-2020-29501 | 1 Dell | 2 Emc Powerstore, Emc Powerstore Firmware | 2024-11-21 | 4.6 MEDIUM | 6.4 MEDIUM |
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
CVE-2020-29500 | 1 Dell | 2 Emc Powerstore, Emc Powerstore Firmware | 2024-11-21 | 4.6 MEDIUM | 7.5 HIGH |
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
CVE-2020-29489 | 1 Dell | 3 Emc Unity Operating Environment, Emc Unity Vsa Operating Environment, Emc Unity Xt Operating Environment | 2024-11-21 | 4.6 MEDIUM | 6.4 MEDIUM |
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user. | |||||
CVE-2020-29324 | 1 Dlink | 2 Dir-895l Mfc, Dir-895l Mfc Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The DLink Router DIR-895L MFC v1.21b05 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | |||||
CVE-2020-29001 | 1 Merkuryinnovations | 8 Geeni Gnc-cw025, Geeni Gnc-cw025 Firmware, Geeni Gnc-cw028 and 5 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered on Geeni GNC-CW028 Camera 2.7.2, Geeni GNC-CW025 Doorbell 2.9.5, Merkury MI-CW024 Doorbell 2.9.6, and Merkury MI-CW017 Camera 2.9.6 devices. A vulnerability exists in the RESTful Services API that allows a remote attacker to take full control of the camera with a high-privileged account. The vulnerability exists because a static username and password are compiled into the ppsapp RESTful application. | |||||
CVE-2020-28917 | 1 View Frontend Statistics Project | 1 View Frontend Statistics | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext passwords if ext:felogin is installed) may be saved. | |||||
CVE-2020-27986 | 1 Sonarsource | 1 Sonarqube | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it. | |||||
CVE-2020-27613 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.6 MEDIUM | 8.4 HIGH |
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. | |||||
CVE-2020-26816 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 2.7 LOW | 4.5 MEDIUM |
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems. | |||||
CVE-2020-26551 | 1 Aviatrix | 1 Controller | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Aviatrix Controller before R5.3.1151. Encrypted key values are stored in a readable file. | |||||
CVE-2020-26288 | 1 Parseplatform | 1 Parse-server | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage. | |||||
CVE-2020-26228 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 5.0 MEDIUM | 8.1 HIGH |
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. | |||||
CVE-2020-25677 | 2 Ceph, Redhat | 2 Ceph-ansible, Ceph Storage | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality. | |||||
CVE-2020-24577 | 1 Dlink | 2 Dsl-2888a, Dsl-2888a Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI. | |||||
CVE-2020-23249 | 1 Gigamon | 1 Gigavue-os | 2024-11-21 | 4.0 MEDIUM | 4.7 MEDIUM |
GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password in plaintext. | |||||
CVE-2020-22783 | 1 Etherpad | 1 Etherpad | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Etherpad <1.8.3 stored passwords used by users insecurely in the database and in log files. This affects every database backend supported by Etherpad. | |||||
CVE-2020-22741 | 1 Baidu | 1 Xuperchain | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users' private key after obtaining the partial signature in multisignature. | |||||
CVE-2020-19137 | 1 Autumn Project | 1 Autumn | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Incorrect Access Control in Autumn v1.0.4 and earlier allows remote attackers to obtain clear-text login credentials via the component "autumn-cms/user/getAllUser/?page=1&limit=10". |