Total: 572 CVEs (20 listed below)
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-46376 | 1 Zentao | 1 Biz | 2024-02-28 | N/A | 7.5 HIGH | Zentao Biz version 8.7 and before is vulnerable to Information Disclosure. |
| CVE-2023-37468 | 1 Thm | 1 Feedbacksystem | 2024-02-28 | N/A | 5.5 MEDIUM | Feedbacksystem is a personalized feedback system for students using artificial intelligence. Passwords of users using LDAP login are stored in clear text in the database. The LDAP user's password is passed unencrypted in LoginController.scala and stored in the database when logging in for the first time. Users using only local login or CAS login are not affected. This issue has been patched in version 1.19.2. |
| CVE-2023-30367 | 1 Mremoteng | 1 Mremoteng | 2024-02-28 | N/A | 7.5 HIGH | Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG versions <= v1.76.20 and <= 1.77.3-dev load configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access the contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory. |
| CVE-2023-40715 | 1 Fortinet | 1 Fortitester | 2024-02-28 | N/A | 5.5 MEDIUM | A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester 2.3.0 through 7.2.3 may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device. |
| CVE-2023-44153 | 4 Acronis, Apple, Linux and 1 more | 4 Cyber Protect, Macos, Linux Kernel and 1 more | 2024-02-28 | N/A | 7.5 HIGH | Sensitive information disclosure due to cleartext storage of sensitive information in memory. The following products are affected: Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979. |
| CVE-2023-41964 | 1 F5 | 20 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 17 more | 2024-02-28 | N/A | 6.5 MEDIUM | The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2023-36136 | 1 Phpjabbers | 1 Class Scheduling System | 2024-02-28 | N/A | 6.5 MEDIUM | PHPJabbers Class Scheduling System 1.0 lacks encryption of the password when editing a user account (update user page), allowing an attacker to capture all user names and passwords in clear text. |
| CVE-2023-44159 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-02-28 | N/A | 7.5 HIGH | Sensitive information disclosure due to cleartext storage of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979. |
| CVE-2023-4066 | 1 Redhat | 4 Enterprise Linux, Jboss A-mq, Jboss Middleware and 1 more | 2024-02-28 | N/A | 5.5 MEDIUM | A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in the ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker. |
| CVE-2023-39210 | 1 Zoom | 1 Meeting Software Development Kit | 2024-02-28 | N/A | 5.5 MEDIUM | Cleartext storage of sensitive information in Zoom Client SDK for Windows before 5.15.0 may allow an authenticated user to enable an information disclosure via local access. |
| CVE-2023-2358 | 1 Hitachivantara | 1 Pentaho Business Analytics | 2024-02-28 | N/A | 4.9 MEDIUM | Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext. |
| CVE-2023-41335 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2024-02-28 | N/A | 3.7 LOW | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue. |
| CVE-2023-33742 | 1 Teleadapt | 2 Roomcast Ta-2400, Roomcast Ta-2400 Firmware | 2024-02-28 | N/A | 7.5 HIGH | TeleAdapt RoomCast TA-2400 1.0 through 3.1 suffers from Cleartext Storage of Sensitive Information: RSA private key in Update.exe. |
| CVE-2023-3950 | 1 Gitlab | 1 Gitlab | 2024-02-28 | N/A | 3.8 LOW | An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1, allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it. |
| CVE-2023-20207 | 1 Duo | 1 Authentication Proxy | 2024-02-28 | N/A | 6.5 MEDIUM | A vulnerability in the logging component of Cisco Duo Authentication Proxy could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. This vulnerability exists because certain unencrypted credentials are stored. An attacker could exploit this vulnerability by accessing the logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to view sensitive information in clear text. |
| CVE-2023-44037 | 1 Zpesystems | 1 Nodegrid Os | 2024-02-28 | N/A | 7.5 HIGH | An issue in ZPE Systems, Inc. Nodegrid OS v.5.8.10 through v.5.8.13 and v.5.10.3 through v.5.10.5 allows a remote attacker to obtain sensitive information via the TACACS+ server component. |
| CVE-2023-4400 | 1 Skyhighsecurity | 1 Secure Web Gateway | 2024-02-28 | N/A | 6.5 MEDIUM | A password management vulnerability in Skyhigh Secure Web Gateway (SWG) in main releases 11.x prior to 11.2.14, 10.x prior to 10.2.25 and controlled release 12.x prior to 12.2.1 allows some authentication information stored in configuration files to be extracted through the SWG REST API. This was possible because SWG stored the password in plain text in some configuration files. |
| CVE-2023-31821 | 1 Albis | 1 Albis | 2024-02-28 | N/A | 7.5 HIGH | An issue found in ALBIS Co. ALBIS v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp ALBIS function. |
| CVE-2023-39903 | 1 Fujitsu | 1 Software Infrastructure Manager | 2024-02-28 | N/A | 5.0 MEDIUM | An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) allows insecure collection and storage of authorization credentials in cleartext. That occurs when users perform any ISM Firmware Repository Address setup test (Test the Connection), or regularly authorize against an already configured remote firmware repository site, as set up in ISM Firmware Repository Address. A privileged attacker is therefore able to potentially gather the associated ismsnap maintenance data, in the same manner as a trusted party allowed to export ismsnap data from ISM. The preconditions for an ISM installation to be generally vulnerable are that the Download Firmware (Firmware Repository Server) function is enabled and configured, and that the character \ (backslash) is used in a user credential (i.e., user ID or password) of the remote proxy host / firmware repository server. NOTE: this may overlap CVE-2023-39379. |
| CVE-2023-46653 | 1 Jenkins | 1 Lambdatest-automation | 2024-02-28 | N/A | 6.5 MEDIUM | Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs the LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure. |
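Three entries above (CVE-2023-20207, CVE-2023-39903, CVE-2023-46653) are the same defect in different products: a credential reaches a log file because the code logs the value it just loaded, or a URL that embeds it. The Python script below is an added illustration and is not code from Duo, Fujitsu, Jenkins or any other listed project. It shows the vulnerable pattern (logging the token at INFO) beside a redacting log filter, and a scanner that flags existing log lines carrying a recognisable secret. The token, the proxy URL and the key names in the regexes are constructed; the rule set is a starting point for the secret formats a given service emits, not an exhaustive grammar.

```python
import io
import logging
import re

# Constructed token for the demonstration; not a real LambdaTest or Duo credential.
TOKEN = "lt_9f3c2a7b1e0d4c6f8a2b5d7e9c1f3a5b"

# Redaction rules. Group 1 is the context that is kept (key and separator, or
# the URL prefix); the secret value that follows it is replaced. The three-group
# rule also keeps a trailing delimiter (group 3). Extend for your own formats.
_RULES = [
    # key=value / key: value forms, e.g. "access_token=...", "password: ..."
    re.compile(r"(?i)((?:access[_-]?token|api[_-]?key|password|passwd|secret)\s*[=:]\s*)(\S+)"),
    # HTTP Authorization headers echoed into logs
    re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)(\S+)"),
    # credentials embedded in URLs, e.g. proxy or firmware-repository addresses
    re.compile(r"(?i)(https?://[^/\s:@]+:)([^@\s]+)(@)"),
]


def redact(text):
    """Return text with every matched secret value replaced by [REDACTED]."""
    for rule in _RULES:
        keep_suffix = r"\3" if rule.groups == 3 else ""
        text = rule.sub(r"\1[REDACTED]" + keep_suffix, text)
    return text


class RedactingFilter(logging.Filter):
    """Applies redact() to the fully rendered message, so values passed as
    %-style arguments are covered, not only literal text in the format string."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def _make_logger(name, redacting):
    """Logger writing to an in-memory buffer so the output can be inspected."""
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redacting:
        handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    return log, buf


def log_credential_use(redacting):
    """Models a plugin that logs the credential it just loaded at INFO level
    (the CVE-2023-46653 pattern) and a proxy URL with an embedded password.
    Returns everything that reached the log."""
    log, buf = _make_logger("demo.redacted" if redacting else "demo.vulnerable", redacting)
    log.info("Using LAMBDATEST credentials access_token=%s for job %s", TOKEN, "ci-build-42")
    log.info("Proxy configured: https://svc:%s@proxy.example.internal:3128", "Pa55w0rd!")
    return buf.getvalue()


def find_cleartext_secrets(lines):
    """Detection over existing log or config lines: indices of the lines that
    change under redaction, i.e. lines that carry a recognisable secret."""
    return [i for i, line in enumerate(lines) if redact(line) != line]


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(log_credential_use(False), end="")
    print("--- redacting filter ---")
    print(log_credential_use(True), end="")
```

The filter sits on the handler rather than on the logger so that it covers records from every logger that shares the handler, including third-party plugins that were never written with redaction in mind; an allow-list of fields to log is still the better design where the code is yours, because a regex only catches the formats someone thought of. The scanner is the same function run backwards: point it at a log export before it goes into a support bundle (the ismsnap case above) and any hit is a line that should not have been written.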
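The database entries in the list (CVE-2023-37468, CVE-2023-36136, CVE-2023-40715, CVE-2023-2358) persist a password in a form that can simply be read back. The Python script below is an added example, not code from Feedbacksystem (which is Scala) or any other listed project: it shows the first-login pattern that saves the password a user typed for an LDAP bind, beside a hardened version that stores nothing at all for directory-authenticated accounts and a salted scrypt hash for local accounts, plus the query an auditor can run against such a table. The schema, usernames and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema. The cleartext "password" column exists only so the
# vulnerable pattern can be shown; the hardened path never writes to it.
_SCHEMA = """
CREATE TABLE users (
    username      TEXT PRIMARY KEY,
    auth_source   TEXT NOT NULL,   -- 'local' or 'ldap'
    password      TEXT,            -- vulnerable: reversible cleartext
    password_hash BLOB             -- hardened: salt || scrypt(password)
);
"""

SALT_LEN = 16


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(_SCHEMA)
    return db


def provision_ldap_user_vulnerable(db, username, password):
    """The CVE-2023-37468 pattern: the directory already verified this
    password, yet the application copies it into its own table on first login."""
    db.execute("INSERT INTO users (username, auth_source, password) VALUES (?, 'ldap', ?)",
               (username, password))
    db.commit()


def hash_password(password, salt=None):
    """salt || scrypt-derived key; the salt travels with the hash."""
    salt = salt or os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt + key


def verify_password(password, stored):
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], key)


def provision_user(db, username, password, auth_source):
    """Hardened: an LDAP account gets no local secret (the directory is the
    verifier); a local account gets a salted hash. No cleartext reaches the DB."""
    if auth_source == "ldap":
        db.execute("INSERT INTO users (username, auth_source) VALUES (?, 'ldap')", (username,))
    elif auth_source == "local":
        db.execute("INSERT INTO users (username, auth_source, password_hash) VALUES (?, 'local', ?)",
                   (username, hash_password(password)))
    else:
        raise ValueError("unknown auth_source: %r" % auth_source)
    db.commit()


def login_local(db, username, password):
    row = db.execute("SELECT password_hash FROM users WHERE username = ? AND auth_source = 'local'",
                     (username,)).fetchone()
    return row is not None and row[0] is not None and verify_password(password, row[0])


def stored_password_material(db, username):
    """What an attacker with DB access (the FortiTester / Pentaho scenario) sees."""
    return db.execute("SELECT password, password_hash FROM users WHERE username = ?",
                      (username,)).fetchone()


def audit_cleartext_passwords(db):
    """Detection query: any non-NULL value in the cleartext column is a finding."""
    return [r[0] for r in db.execute("SELECT username FROM users WHERE password IS NOT NULL")]
```

The audit query is the part worth keeping: when a schema has a column that can hold a reversible credential, a scheduled check that it stays empty catches the regression the moment a new login path repeats the mistake. Whether a directory-backed account needs a local row at all is a separate question; if it does, the row carries identity and authorization source only, never the bind password.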