Total
986 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-11272 | 2 Debian, Vmware | 2 Debian Linux, Spring Security | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null". | |||||
CVE-2019-12847 | 1 Jetbrains | 1 Hub | 2024-02-28 | 4.0 MEDIUM | 7.2 HIGH |
In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period. | |||||
CVE-2019-5615 | 1 Rapid7 | 1 Insightvm | 2024-02-28 | 3.5 LOW | 6.5 MEDIUM |
Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects: Rapid7 InsightVM versions 6.5.11 through 6.5.49. | |||||
CVE-2019-10347 | 1 Jenkins | 1 Mashup Portlets | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
CVE-2019-9872 | 1 Jetbrains | 1 Intellij Idea | 2024-02-28 | 4.3 MEDIUM | 8.1 HIGH |
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8. | |||||
CVE-2019-11271 | 1 Cloud Foundry | 1 Bosh | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest. | |||||
CVE-2019-11664 | 1 Microfocus | 1 Service Manager | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Clear text password in browser in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure. | |||||
CVE-2019-10379 | 1 Google | 1 Cloud Messaging Notification | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
CVE-2019-6452 | 1 Kyocera | 3 Command Center Rx, Taskalfa 4501i, Taskalfa 5052ci | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password. | |||||
CVE-2019-0881 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
An elevation of privilege vulnerability exists when the Windows Kernel improperly handles key enumeration, aka 'Windows Kernel Elevation of Privilege Vulnerability'. | |||||
CVE-2019-13054 | 1 Logitech | 2 R500, R500 Firmware | 2024-02-28 | 3.3 LOW | 6.5 MEDIUM |
The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z. | |||||
CVE-2019-11092 | 1 Intel | 2 Open Cloud Integrity Tehnology, Openattestation | 2024-02-28 | 3.6 LOW | 4.4 MEDIUM |
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access. | |||||
CVE-2019-10139 | 1 Ovirt | 1 Cockpit-ovirt | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted. | |||||
CVE-2019-1010308 | 1 Aquaverde | 1 Aquarius Cms | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
Aquaverde GmbH Aquarius CMS prior to version 4.1.1 is affected by: Incorrect Access Control. The impact is: The access to the log file is not restricted. It contains sensitive information like passwords etc. The component is: log file. The attack vector is: open the file. | |||||
CVE-2019-1003045 | 1 Trustsource | 1 Ecs Publisher | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configuration. | |||||
CVE-2019-10302 | 1 Jenkins | 1 Jira-ext | 2024-02-28 | 4.0 MEDIUM | 8.8 HIGH |
Jenkins jira-ext Plugin 0.8 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
CVE-2018-19466 | 1 Portainer | 1 Portainer | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls. | |||||
CVE-2018-17500 | 1 Envoy | 1 Passport | 2024-02-28 | 2.1 LOW | 7.8 HIGH |
Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of hardcoded OAuth Creds in plaintext. An attacker could exploit this vulnerability to obtain sensitive information. | |||||
CVE-2019-7271 | 1 Nortekcontrol | 4 Linear Emerge 5000p, Linear Emerge 5000p Firmware, Linear Emerge 50p and 1 more | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
Nortek Linear eMerge 50P/5000P devices have Default Credentials. | |||||
CVE-2019-5625 | 1 Eaton | 1 Halo Home | 2024-02-28 | 3.6 LOW | 7.1 HIGH |
The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app. |