Total
573 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-21339 | 1 Typo3 | 1 Typo3 | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. | |||||
CVE-2020-4189 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Security Guardium 11.2 discloses sensitive information in the response headers that could be used in further attacks against the system. IBM X-Force ID: 174850. | |||||
CVE-2021-27178 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on FiberHome HG6245D devices through RP2613. Some passwords are stored in cleartext in nvram. | |||||
CVE-2020-29001 | 1 Merkuryinnovations | 8 Geeni Gnc-cw025, Geeni Gnc-cw025 Firmware, Geeni Gnc-cw028 and 5 more | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered on Geeni GNC-CW028 Camera 2.7.2, Geeni GNC-CW025 Doorbell 2.9.5, Merkury MI-CW024 Doorbell 2.9.6, and Merkury MI-CW017 Camera 2.9.6 devices. A vulnerability exists in the RESTful Services API that allows a remote attacker to take full control of the camera with a high-privileged account. The vulnerability exists because a static username and password are compiled into the ppsapp RESTful application. | |||||
CVE-2020-29489 | 1 Dell | 3 Emc Unity Operating Environment, Emc Unity Vsa Operating Environment, Emc Unity Xt Operating Environment | 2024-02-28 | 4.6 MEDIUM | 6.7 MEDIUM |
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user. | |||||
CVE-2021-20358 | 1 Ibm | 1 Cloud Pak For Automation | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Cloud Pak for Automation 20.0.3, 20.0.2-IF002 stores potentially sensitive information in clear text in API connection log files. This information could be obtained by a user with permissions to read log files. IBM X-Force ID: 194965. | |||||
CVE-2020-25677 | 2 Ceph, Redhat | 2 Ceph-ansible, Ceph Storage | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality. | |||||
CVE-2020-24577 | 1 Dlink | 2 Dsl-2888a, Dsl-2888a Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI. | |||||
CVE-2021-27176 | 1 Fiberhome | 2 Hg6245d, Hg6245d Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions. | |||||
CVE-2020-26816 | 1 Sap | 1 Netweaver Application Server Java | 2024-02-28 | 2.7 LOW | 4.5 MEDIUM |
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems. | |||||
CVE-2020-26228 | 1 Typo3 | 1 Typo3 | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described. | |||||
CVE-2020-26551 | 1 Aviatrix | 1 Controller | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Aviatrix Controller before R5.3.1151. Encrypted key values are stored in a readable file. | |||||
CVE-2020-35658 | 1 Titanhq | 1 Spamtitan | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted. | |||||
CVE-2020-35455 | 1 Taidii | 1 Diibear | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to obtain user credentials from Shared Preferences and the SQLite database because of insecure data storage. | |||||
CVE-2019-4687 | 1 Ibm | 1 Security Guardium Data Encrpytion | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 171823. | |||||
CVE-2020-29502 | 1 Dell | 2 Emc Powerstore, Emc Powerstore Firmware | 2024-02-28 | 4.6 MEDIUM | 6.7 MEDIUM |
Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
CVE-2020-26288 | 1 Parseplatform | 1 Parse-server | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage. | |||||
CVE-2021-22300 | 1 Huawei | 2 Ecns280 Td, Ecns280 Td Firmware | 2024-02-28 | 1.9 LOW | 4.1 MEDIUM |
There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10. A command does not have timeout exit mechanism. Temporary file contains sensitive information. This allows attackers to obtain information by inter-process access that requires other methods. | |||||
CVE-2020-29550 | 1 Urve | 1 Urve | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in URVE Build 24.03.2020. The password of an integration user account (used for the connection of the MS Office 365 Integration Service) is stored in cleartext in configuration files as well as in the database. The following files contain the password in cleartext: Profiles/urve/files/sql_db.backup, Server/data/pg_wal/000000010000000A000000DD, Server/data/base/16384/18617, and Server/data/base/17202/8708746. This causes the password to be displayed as cleartext in the HTML code as roomsreservationimport_password in /urve/roomsreservationimport/roomsreservationimport/update-HTML5. | |||||
CVE-2020-12859 | 1 Health | 1 Covidsafe | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 allow a remote attacker to identify a device model by observing cleartext payload data. This allows re-identification of devices, especially less common phone models or those in low-density situations. |