Total: 1012 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5899 | 1 F5 | 1 Nginx Controller | 2021-07-21 | 4.6 MEDIUM | 7.8 HIGH |
| In NGINX Controller 3.0.0-3.4.0, the recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or has read access to the database to request a password reset using the email address of another registered user and then retrieve the recovery code. | |||||
| CVE-2020-7233 | 1 Kmccontrols | 2 Bac-a1616bc, Bac-a1616bc Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| KMS Controls BAC-A1616BC BACnet devices have a cleartext password of snowman in the BACKDOOR_NAME variable in the BC_Logon.swf file. | |||||
| CVE-2019-17356 | 1 Infinitestudio | 1 Infinite Design | 2021-07-21 | 3.3 LOW | 6.5 MEDIUM |
| The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network. | |||||
| CVE-2020-29005 | 1 Mediawiki | 1 Mediawiki | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. | |||||
| CVE-2019-12171 | 1 Dropbox | 1 Dropbox | 2021-07-21 | 4.3 MEDIUM | 7.8 HIGH |
| Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process. | |||||
| CVE-2019-19119 | 1 Paessler | 1 Prtg Network Monitor | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in PRTG 7.x through 19.4.53. Due to insufficient access control on local registry keys for the Core Server Service, a non-administrative user on the local machine is able to access administrative credentials. | |||||
| CVE-2017-13771 | 1 Lexmark | 1 Scan To Network | 2021-07-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network configuration credentials in plaintext and transmits them in requests, which allows remote attackers to obtain sensitive information via requests to (1) cgi-bin/direct/printer/prtappauth/apps/snfDestServlet or (2) cgi-bin/direct/printer/prtappauth/apps/ImportExportServlet. | |||||
| CVE-2020-5404 | 1 Pivotal | 1 Reactor Netty | 2021-07-07 | 4.9 MEDIUM | 5.9 MEDIUM |
| The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects. | |||||
| CVE-2019-6452 | 1 Kyocera | 3 Command Center Rx, Taskalfa 4501i, Taskalfa 5052ci | 2021-06-28 | 4.0 MEDIUM | 8.8 HIGH |
| Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password. | |||||
| CVE-2021-28857 | 1 Tp-link | 2 Tl-wpa4220, Tl-wpa4220 Firmware | 2021-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| TP-Link's TL-WPA4220 4.0.2 Build 20180308 Rel.37064 username and password are sent via the cookie. | |||||
| CVE-2020-15381 | 1 Broadcom | 1 Sannav | 2021-06-15 | 5.0 MEDIUM | 7.5 HIGH |
| Brocade SANnav before version 2.1.1 contains an Improper Authentication vulnerability that allows cleartext transmission of authentication credentials of the jmx server. | |||||
| CVE-2014-4806 | 2 Ibm, Linux | 2 Security Appscan, Linux Kernel | 2021-06-11 | 2.1 LOW | 5.5 MEDIUM |
| The installation process in IBM Security AppScan Enterprise 8.x before 8.6.0.2 iFix 003, 8.7.x before 8.7.0.1 iFix 003, 8.8.x before 8.8.0.1 iFix 002, and 9.0.x before 9.0.0.1 iFix 001 on Linux places a cleartext password in a temporary file, which allows local users to obtain sensitive information by reading this file. | |||||
| CVE-2019-11272 | 2 Debian, Vmware | 2 Debian Linux, Spring Security | 2021-06-08 | 7.5 HIGH | 7.3 HIGH |
| Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null". | |||||
| CVE-2019-25030 | 1 Versa-networks | 3 Versa Analytics, Versa Director, Versa Operating System | 2021-06-07 | 2.1 LOW | 5.5 MEDIUM |
| In Versa Director, Versa Analytics and VOS, passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgard construction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such as scrypt or bcrypt or Key-Derivation Functions (i.e. PBKDF2) to hash passwords makes generation of such rainbow tables computationally infeasible. | |||||
| CVE-2021-29253 | 1 Rsa | 1 Archer | 2021-06-04 | 2.1 LOW | 5.5 MEDIUM |
| The Tableau integration in RSA Archer 6.4 P1 (6.4.0.1) through 6.9 P2 (6.9.0.2) is affected by an insecure credential storage vulnerability. A malicious attacker with access to the Tableau workbook file may obtain access to credential information to use it in further attacks. | |||||
| CVE-2020-27839 | 1 Redhat | 1 Ceph | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity. | |||||
| CVE-2021-20389 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2021-05-25 | 2.1 LOW | 7.8 HIGH |
| IBM Security Guardium 11.2 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 195770. | |||||
| CVE-2021-20997 | 1 Wago | 10 0852-0303, 0852-0303 Firmware, 0852-1305 and 7 more | 2021-05-20 | 5.0 MEDIUM | 7.5 HIGH |
| In multiple managed switches by WAGO in different versions it is possible to read out the password hashes of all Web-based Management users. | |||||
| CVE-2019-11820 | 1 Synology | 1 Calendar | 2021-05-12 | 2.1 LOW | 5.5 MEDIUM |
| Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline. | |||||
| CVE-2020-25175 | 1 Gehealthcare | 224 1.5t Brivo Mr355, 1.5t Brivo Mr355 Firmware, 3.0t Signa Hd 16 and 221 more | 2021-04-30 | 5.0 MEDIUM | 9.8 CRITICAL |
| GE Healthcare Imaging and Ultrasound Products may allow specific credentials to be exposed during transport over the network. | |||||
