Vulnerabilities (CVE)

Filtered by CWE-312
Total 573 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21339 1 Typo3 1 Typo3 2024-02-28 5.0 MEDIUM 7.5 HIGH
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
CVE-2020-4189 2 Ibm, Linux 2 Security Guardium, Linux Kernel 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
IBM Security Guardium 11.2 discloses sensitive information in the response headers that could be used in further attacks against the system. IBM X-Force ID: 174850.
CVE-2021-27178 1 Fiberhome 2 Hg6245d, Hg6245d Firmware 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered on FiberHome HG6245D devices through RP2613. Some passwords are stored in cleartext in nvram.
CVE-2020-29001 1 Merkuryinnovations 8 Geeni Gnc-cw025, Geeni Gnc-cw025 Firmware, Geeni Gnc-cw028 and 5 more 2024-02-28 6.5 MEDIUM 7.2 HIGH
An issue was discovered on Geeni GNC-CW028 Camera 2.7.2, Geeni GNC-CW025 Doorbell 2.9.5, Merkury MI-CW024 Doorbell 2.9.6, and Merkury MI-CW017 Camera 2.9.6 devices. A vulnerability exists in the RESTful Services API that allows a remote attacker to take full control of the camera with a high-privileged account. The vulnerability exists because a static username and password are compiled into the ppsapp RESTful application.
CVE-2020-29489 1 Dell 3 Emc Unity Operating Environment, Emc Unity Vsa Operating Environment, Emc Unity Xt Operating Environment 2024-02-28 4.6 MEDIUM 6.7 MEDIUM
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user.
CVE-2021-20358 1 Ibm 1 Cloud Pak For Automation 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 stores potentially sensitive information in clear text in API connection log files. This information could be obtained by a user with permissions to read log files. IBM X-Force ID: 194965.
CVE-2020-25677 2 Ceph, Redhat 2 Ceph-ansible, Ceph Storage 2024-02-28 2.1 LOW 5.5 MEDIUM
A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality.
CVE-2020-24577 1 Dlink 2 Dsl-2888a, Dsl-2888a Firmware 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI.
CVE-2021-27176 1 Fiberhome 2 Hg6245d, Hg6245d Firmware 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions.
CVE-2020-26816 1 Sap 1 Netweaver Application Server Java 2024-02-28 2.7 LOW 4.5 MEDIUM
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems.
CVE-2020-26228 1 Typo3 1 Typo3 2024-02-28 5.0 MEDIUM 7.5 HIGH
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.
CVE-2020-26551 1 Aviatrix 1 Controller 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Aviatrix Controller before R5.3.1151. Encrypted key values are stored in a readable file.
CVE-2020-35658 1 Titanhq 1 Spamtitan 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted.
CVE-2020-35455 1 Taidii 1 Diibear 2024-02-28 2.1 LOW 7.8 HIGH
The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to obtain user credentials from Shared Preferences and the SQLite database because of insecure data storage.
CVE-2019-4687 1 Ibm 1 Security Guardium Data Encrpytion 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 171823.
CVE-2020-29502 1 Dell 2 Emc Powerstore, Emc Powerstore Firmware 2024-02-28 4.6 MEDIUM 6.7 MEDIUM
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
CVE-2020-26288 1 Parseplatform 1 Parse-server 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.
CVE-2021-22300 1 Huawei 2 Ecns280 Td, Ecns280 Td Firmware 2024-02-28 1.9 LOW 4.1 MEDIUM
There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10. A command does not have timeout exit mechanism. Temporary file contains sensitive information. This allows attackers to obtain information by inter-process access that requires other methods.
CVE-2020-29550 1 Urve 1 Urve 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in URVE Build 24.03.2020. The password of an integration user account (used for the connection of the MS Office 365 Integration Service) is stored in cleartext in configuration files as well as in the database. The following files contain the password in cleartext: Profiles/urve/files/sql_db.backup, Server/data/pg_wal/000000010000000A000000DD, Server/data/base/16384/18617, and Server/data/base/17202/8708746. This causes the password to be displayed as cleartext in the HTML code as roomsreservationimport_password in /urve/roomsreservationimport/roomsreservationimport/update-HTML5.
CVE-2020-12859 1 Health 1 Covidsafe 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 allow a remote attacker to identify a device model by observing cleartext payload data. This allows re-identification of devices, especially less common phone models or those in low-density situations.