Total: 1012 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-3780 | 1 Cloudfoundry | 1 Container Runtime | 2020-10-19 | 6.5 MEDIUM | 8.8 HIGH | Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contain a configuration file with IAAS credentials. A malicious user with access to the k8s nodes can obtain IAAS credentials, allowing the user to escalate privileges to gain access to the IAAS account. |
| CVE-2019-3782 | 1 Cloudfoundry | 1 Credhub Cli | 2020-10-19 | 2.1 LOW | 7.8 HIGH | Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user. |
| CVE-2018-20243 | 1 Apache | 1 Fineract | 2020-10-16 | 5.0 MEDIUM | 7.5 HIGH | The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in Fineract JIRA issues 726 and 629. |
| CVE-2019-5615 | 1 Rapid7 | 1 Insightvm | 2020-10-16 | 3.5 LOW | 6.5 MEDIUM | Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files, and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects Rapid7 InsightVM versions 6.5.11 through 6.5.49. |
| CVE-2019-6525 | 1 Aveva | 1 Wonderware System Platform | 2020-10-16 | 4.0 MEDIUM | 8.8 HIGH | AVEVA Wonderware System Platform 2017 Update 2 and prior uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to obtain the credentials for this account. |
| CVE-2019-5627 | 1 Bluecats | 1 Bc Reveal | 2020-10-16 | 2.1 LOW | 7.8 HIGH | The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64-encoded strings, i.e. effectively clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app. |
| CVE-2019-5626 | 1 Bluecats | 1 Bluecats Reveal | 2020-10-16 | 2.1 LOW | 7.8 HIGH | The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear-text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app. |
| CVE-2019-5625 | 1 Eaton | 1 Halo Home | 2020-10-16 | 3.6 LOW | 7.1 HIGH | The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear-text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app. |
| CVE-2019-3753 | 1 Dell | 12 Emc Powerconnect 7000, Emc Powerconnect 7000 Firmware, Emc Powerconnect 8024 and 9 more | 2020-10-16 | 4.0 MEDIUM | 6.5 MEDIUM | Dell EMC PowerConnect 8024, 7000, M6348, M6220, M8024 and M8024-K running firmware versions prior to 5.1.15.2 contain a plain-text password storage vulnerability. TACACS/RADIUS credentials are stored in plain text in the system settings menu. An authenticated malicious user with access to the system settings menu may obtain the exposed password to use it in further attacks. |
| CVE-2019-9533 | 1 Cobham | 2 Explorer 710, Explorer 710 Firmware | 2020-10-16 | 10.0 HIGH | 9.8 CRITICAL | The root password of the Cobham EXPLORER 710 is the same for all versions of firmware up to and including v1.08. This could allow an attacker to reverse-engineer the password from available firmware versions to gain authenticated access to the device. |
| CVE-2019-11271 | 1 Cloudfoundry | 1 Bosh | 2020-10-16 | 2.1 LOW | 7.8 HIGH | Cloud Foundry BOSH 270.x versions prior to v270.1.1 contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest. |
| CVE-2020-26149 | 1 Linuxfoundation | 3 Nats.deno, Nats.js, Nats.ws | 2020-10-09 | 5.0 MEDIUM | 7.5 HIGH | NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno before 1.0.0-9 allow credential disclosure from a client to a server. |
| CVE-2019-16211 | 1 Broadcom | 1 Brocade Sannav | 2020-10-07 | 5.0 MEDIUM | 9.8 CRITICAL | Brocade SANnav versions before v2.1.0 contain a Plaintext Password Storage vulnerability. |
| CVE-2019-6549 | 1 Kunbus | 2 Pr100088 Modbus Gateway, Pr100088 Modbus Gateway Firmware | 2020-10-05 | 4.0 MEDIUM | 7.2 HIGH | An attacker could retrieve plain-text credentials stored in an XML file on PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) through FTP. |
| CVE-2019-10960 | 1 Zebra | 16 220xi4, 220xi4 Firmware, Zt220 and 13 more | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH | Zebra industrial printers, all versions. Zebra printers are shipped with unrestricted end-user access to front panel options. If the option to use a passcode to limit the functionality of the front panel is applied, specially crafted packets could be sent over the same network to a port on the printer, and the printer will respond with an array of information that includes the front panel passcode for the printer. Once the passcode is retrieved, an attacker must have physical access to the front panel of the printer to enter the passcode and access the full functionality of the front panel. |
| CVE-2019-10981 | 1 Schneider-electric | 2 Citectscada, Scada Expert Vijeo Citect | 2020-10-02 | 2.1 LOW | 7.8 HIGH | In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials. |
| CVE-2020-7945 | 1 Puppet | 1 Continuous Delivery | 2020-09-30 | 2.1 LOW | 5.5 MEDIUM | Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. This is resolved in Continuous Delivery for Puppet Enterprise 4.0.1. |
| CVE-2019-1010241 | 1 Jenkins | 1 Credentials Binding | 2020-09-30 | 4.0 MEDIUM | 6.5 MEDIUM | Jenkins Credentials Binding Plugin 1.17 is affected by CWE-257: Storing Passwords in a Recoverable Format. The impact is: authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: the attacker creates and executes a Jenkins job. |
| CVE-2018-17871 | 1 Verint | 1 Verba Collaboration Compliance And Quality Management Platform | 2020-09-29 | 4.0 MEDIUM | 6.5 MEDIUM | Verba Collaboration Compliance and Quality Management Platform before 9.2.1.5545 has Incorrect Access Control. |
| CVE-2019-0032 | 1 Juniper | 2 Service Insight, Service Now | 2020-09-29 | 2.1 LOW | 7.8 HIGH | A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to log in to the Organization. Affected products are: Juniper Networks Service Insight versions from 15.1R1, prior to 18.1R1; Service Now versions from 15.1R1, prior to 18.1R1. |
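Worked example for the credentials-in-URL defect described under CVE-2018-20243. This is added illustration code, not Apache Fineract's implementation; the endpoint `https://app.example/login`, the client address and the credentials are constructed for the demo. It shows why switching from GET to POST changes nothing while the parameters stay in the query string: a Common Log Format access log records the request target (path plus query), so the password lands in the log, whereas a JSON body is never logged. `redact_query` is the scrub a server should apply to any URL before logging; it protects that one log, not the proxies, browser history or Referer headers that already saw the original URL.

```python
"""Credentials in a URL query string leak into access logs regardless of HTTP method.

Added example; not Fineract code. Endpoint, client IP and credentials are constructed.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets when scrubbing a query string (heuristic, constructed).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token"}


def login_request_in_query(base_url, username, password):
    """Vulnerable pattern: a POST whose credentials travel in the URL query string.

    The method is irrelevant; the request target (path + query) is what web
    servers, reverse proxies, CDNs and browsers (history, Referer) record.
    """
    url = base_url + "?" + urlencode({"username": username, "password": password})
    return {"method": "POST", "url": url, "headers": {}, "body": b""}


def login_request_in_body(base_url, username, password):
    """Hardened pattern: credentials in the request body over TLS; the URL carries none."""
    body = json.dumps({"username": username, "password": password}).encode()
    headers = {"Content-Type": "application/json"}
    return {"method": "POST", "url": base_url, "headers": headers, "body": body}


def access_log_line(req, client_ip="203.0.113.7"):
    """Simulate what a Common Log Format access log keeps: the request line, never the body."""
    parts = urlsplit(req["url"])
    target = parts.path + ("?" + parts.query if parts.query else "")
    return (f'{client_ip} - - [16/Oct/2020:12:00:00 +0000] '
            f'"{req["method"]} {target} HTTP/1.1" 200 {len(req["body"])}')


def redact_query(url):
    """Mask secret-looking query values before a URL is written to a log.

    Mitigation for the logging side only: anything upstream of this process
    already saw the original URL, which is why the real fix is to move the
    credentials out of the URL entirely.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def log_leaks_credential(req, secret):
    """True if the simulated access-log entry for this request contains the secret."""
    return secret in access_log_line(req)


if __name__ == "__main__":
    base = "https://app.example/login"  # constructed endpoint
    bad = login_request_in_query(base, "alice", "correct-horse-battery")
    good = login_request_in_body(base, "alice", "correct-horse-battery")
    print(access_log_line(bad))      # password visible in the request line
    print(access_log_line(good))     # only the path is recorded
    print(redact_query(bad["url"]))  # password=REDACTED
```

Run it as a script to see the three log lines side by side; the vulnerable request is the only one whose log entry contains the password.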
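Worked example for the persistence defects described under CVE-2019-3782 (credentials supplied through environment variables written to a CLI config file), CVE-2019-11271 (credentials not redacted from a manifest) and CVE-2019-0032 (credentials written to log files). This is added illustration code, not the CredHub CLI, BOSH Director or Juniper implementation; the `DEMO_*` environment variable names, config keys, file paths and sample manifest are constructed for the demo. The structural fix is the same in all three cases: track which values arrived through the environment and never serialise them, give the config file owner-only permissions, and pass every manifest or log record through a key-based redactor before it reaches a sink.

```python
"""Keep environment-supplied credentials out of persisted config, and redact
secrets from manifests and log records before they are written.

Added example; not CredHub, BOSH or Juniper code. All names are constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Environment variables this demo CLI accepts for credentials, mapped to the
# config keys they populate (constructed names, not CredHub's).
ENV_CREDENTIALS = {"DEMO_CLIENT_SECRET": "client_secret", "DEMO_PASSWORD": "password"}

# Keys whose values are masked before anything reaches disk or a log (heuristic).
SECRET_KEY = re.compile(r"(password|passwd|secret|token|private_key|api_key)", re.I)


def load_session(config_path, environ):
    """Build the in-memory session: stored settings plus credentials from the environment.

    Returns the merged config and the set of keys that came from the
    environment so that a later save can leave them out.
    """
    path = Path(config_path)
    cfg = json.loads(path.read_text()) if path.exists() else {}
    transient = set()
    for var, key in ENV_CREDENTIALS.items():
        if var in environ:
            cfg[key] = environ[var]
            transient.add(key)
    return cfg, transient


def save_config_vulnerable(config_path, cfg):
    """The defect pattern: serialise the whole in-memory config, env-supplied secrets included."""
    Path(config_path).write_text(json.dumps(cfg, indent=2))


def save_config_fixed(config_path, cfg, transient):
    """Persist only settings the user asked to store, with owner-only permissions."""
    persisted = {k: v for k, v in cfg.items() if k not in transient}
    path = Path(config_path)
    path.write_text(json.dumps(persisted, indent=2))
    os.chmod(path, 0o600)  # effective on POSIX; harmless elsewhere


def redact(obj):
    """Recursively mask values under secret-looking keys (manifests, log records, error reports)."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if SECRET_KEY.search(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_record(event, record):
    """Format a structured log line; secrets are masked before the line reaches any sink."""
    return json.dumps({"event": event, "data": redact(record)}, sort_keys=True)


def file_contains(path, needle):
    return needle in Path(path).read_text()


def run_demo():
    """Exercise both save paths on a throwaway config file.

    Returns (vulnerable_leaked, fixed_leaked): whether the env-supplied
    secrets ended up on disk after each save.
    """
    env = {"DEMO_CLIENT_SECRET": "s3cr3t-from-env", "DEMO_PASSWORD": "pw-from-env"}  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        cfg_path = os.path.join(tmp, "config.json")
        Path(cfg_path).write_text(json.dumps({"api_url": "https://credhub.example", "username": "alice"}))
        cfg, transient = load_session(cfg_path, env)
        save_config_vulnerable(cfg_path, cfg)
        vulnerable_leaked = file_contains(cfg_path, "s3cr3t-from-env")
        save_config_fixed(cfg_path, cfg, transient)
        fixed_leaked = file_contains(cfg_path, "s3cr3t-from-env") or file_contains(cfg_path, "pw-from-env")
        fixed_keeps_settings = file_contains(cfg_path, "alice") and file_contains(cfg_path, "api_url")
    return vulnerable_leaked, fixed_leaked and not fixed_keeps_settings or fixed_leaked


if __name__ == "__main__":
    print("vulnerable save leaked, fixed save leaked:", run_demo())
    manifest = {"name": "db", "properties": {"mysql": {"admin_password": "hunter2", "host": "db.internal"}}}
    print(log_record("deploy", manifest))  # admin_password is "<redacted>", host is untouched
```

`redact` keys off field names, which is the cheap and reliable approach for manifests and structured logs; free-text log messages that interpolate a secret still need the value itself scrubbed, which is a separate and much harder problem.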
