Total
572 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-16062 | 1 Netsas | 1 Enigma Network Management Solution | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data stored within the SQL database. It is possible for an attacker to expose unencrypted sensitive data. | |||||
CVE-2020-10532 | 1 Watchguard | 1 Ad Helper Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext passwords via the /domains/list URI. | |||||
CVE-2020-9462 | 1 Homey | 4 Homey, Homey Firmware, Homey Pro and 1 more | 2024-02-28 | 3.3 LOW | 4.3 MEDIUM |
An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks. | |||||
CVE-2020-5723 | 1 Grandstream | 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges. | |||||
CVE-2020-10273 | 4 Aliasrobotics, Enabled-robotics, Mobile-industrial-robotics and 1 more | 20 Mir100, Mir1000, Mir1000 Firmware and 17 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property and data. | |||||
CVE-2020-15105 | 1 Django Two-factor Authentication Project | 1 Django Two-factor Authentication | 2024-02-28 | 3.6 LOW | 5.4 MEDIUM |
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading. | |||||
CVE-2020-7516 | 1 Schneider-electric | 1 Easergy Builder | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder V1.4.7.2 and prior which could allow an attacker access to login credentials. | |||||
CVE-2020-2274 | 1 Jenkins | 1 Elastest | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
CVE-2020-15784 | 1 Siemens | 1 Spectrum Power 4 | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP8). Insecure storage of sensitive information in the configuration files could allow the retrieval of user names. | |||||
CVE-2020-17495 | 1 Django-celery-results Project | 1 Django-celery-results | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. | |||||
CVE-2020-9045 | 2 Johnsoncontrols, Tyco | 2 C-cure 9000 Firmware, Victor Video Management System | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation. | |||||
CVE-2020-12032 | 1 Baxter | 4 Em1200, Em1200 Firmware, Em2400 and 1 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in an unencrypted database. This could allow an attacker with network access to view or modify sensitive data including PHI. | |||||
CVE-2020-5899 | 1 F5 | 1 Nginx Controller | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code. | |||||
CVE-2020-10727 | 2 Apache, Netapp | 2 Activemq Artemis, Oncommand Workflow Automation | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file. | |||||
CVE-2020-10267 | 1 Universal-robots | 4 Ur10, Ur3, Ur5 and 1 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under '/root/.urcaps' as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property. | |||||
CVE-2019-18254 | 1 Biotronik | 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more | 2024-02-28 | 2.1 LOW | 4.6 MEDIUM |
BIOTRONIK CardioMessenger II, The affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with. | |||||
CVE-2019-4676 | 1 Ibm | 1 Security Identity Manager Virtual Appliance | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
IBM Security Identity Manager Virtual Appliance 7.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 171512. | |||||
CVE-2019-10453 | 1 Jenkins | 1 Delphix | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
CVE-2019-18615 | 1 Arista | 1 Cloudvision Portal | 2024-02-28 | 3.5 LOW | 4.9 MEDIUM |
In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where: 1. Devices have enable mode passwords which are different from the user's login password, OR 2. There are configlet builders that use the Device class and specify username and password explicitly Application logs are not accessible or visible from the CVP GUI. Application logs can only be read by authorized users with privileged access to the VM hosting the CVP application. | |||||
CVE-2019-19314 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext. |