Total
986 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28167 | 1 Broadcom | 1 Sannav | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log | |||||
| CVE-2021-3681 | 1 Redhat | 2 Ansible Automation Platform, Ansible Galaxy | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets. | |||||
| CVE-2022-22767 | 1 Bd | 32 Pyxis Anesthesia Station Es, Pyxis Anesthesia Station Es Firmware, Pyxis Ciisafe and 29 more | 2024-02-28 | 8.3 HIGH | 8.8 HIGH |
| Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information. | |||||
| CVE-2021-46440 | 1 Strapi | 1 Strapi | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks. | |||||
| CVE-2022-30587 | 1 Gradle | 1 Gradle Enterprise | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure. | |||||
| CVE-2022-29052 | 1 Jenkins | 1 Google Compute Engine | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-34808 | 1 Jenkins | 1 Cisco Spark | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-0859 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-02-28 | 4.4 MEDIUM | 6.7 MEDIUM |
| McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password. | |||||
| CVE-2022-28135 | 1 Jenkins | 1 Instant-messaging | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34809 | 1 Jenkins | 1 Rqm | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34806 | 1 Jenkins | 1 Jigomerge | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-1666 | 1 Secheron | 2 Sepcos Control And Protection Relay, Sepcos Control And Protection Relay Firmware | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| The default password for the web application’s root user (the vendor’s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool. | |||||
| CVE-2021-32978 | 1 Automationdirect | 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The programming protocol allows for a previously entered password and lock state to be read by an attacker. If the previously entered password was successful, the attacker can then use the password to unlock Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00. | |||||
| CVE-2021-23222 | 1 Postgresql | 1 Postgresql | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. | |||||
| CVE-2022-34803 | 1 Jenkins | 1 Opsgenie | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system. | |||||
| CVE-2022-24982 | 1 Jqueryform | 1 Jqueryform | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Forms generated by JQueryForm.com before 2022-02-05 allows a remote authenticated attacker to access the cleartext credentials of all other form users. admin.php contains a hidden base64-encoded string with these credentials. | |||||
| CVE-2022-24867 | 1 Glpi-project | 1 Glpi | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
| GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue. | |||||
| CVE-2022-24610 | 1 Alecto | 2 Dvc-215ip, Dvc-215ip Firmware | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH |
| Settings/network settings/wireless settings on the Alecto DVC-215IP camera version 63.1.1.173 and below shows the Wi-Fi passphrase hidden, but by editing/removing the style of the password field the password becomes visible which grants access to an internal network connected to the camera. | |||||
| CVE-2021-45892 | 1 Zauner | 1 Arc | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. There is storage of Passwords in a Recoverable Format. | |||||
| CVE-2022-21184 | 1 Atvise | 1 Atvise | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A plaintext HTTP request can lead to a disclosure of login credentials. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | |||||