Total
708 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27706 | 1 Bitwarden | 1 Bitwarden | 2025-01-06 | 7.1 High |
| Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged processes. | ||||
| CVE-2023-1897 | 1 Atlascopco | 2 Power Focus 6000, Power Focus 6000 Firmware | 2025-01-06 | 9.4 Critical |
| Atlas Copco Power Focus 6000 web server does not sanitize the login information stored by the authenticated user’s browser, which could allow an attacker with access to the user’s computer to gain credential information of the controller. | ||||
| CVE-2023-27370 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2025-01-03 | 5.7 Medium |
| NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of device configuration. The issue results from the storage of configuration secrets in plaintext. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19841. | ||||
| CVE-2024-55196 | 2025-01-02 | 7.5 High | ||
| Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers. | ||||
| CVE-2024-56362 | 1 Navidrome | 1 Navidrome | 2024-12-24 | 7.1 High |
| Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1. | ||||
| CVE-2024-9802 | 1 Linuxfoundation | 1 Zowe Api Mediation Layer | 2024-12-19 | 5.3 Medium |
| The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running. | ||||
| CVE-2024-9798 | 1 Linuxfoundation | 1 Zowe Api Mediation Layer | 2024-12-19 | 5.3 Medium |
| The health endpoint is public so everybody can see a list of all services. It is potentially valuable information for attackers. | ||||
| CVE-2024-51175 | 2024-12-18 | 7.5 High | ||
| An issue in H3C switch h3c-S1526 allows a remote attacker to obtain sensitive information via the S1526.cfg component. | ||||
| CVE-2022-33159 | 1 Ibm | 1 Security Directory Suite Va | 2024-12-12 | 5.3 Medium |
| IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 228567. | ||||
| CVE-2024-55582 | 2024-12-11 | 5.7 Medium | ||
| Oxide before 6 has unencrypted Control Plane datastores. | ||||
| CVE-2024-11159 | 2 Mozilla, Redhat | 6 Thunderbird, Enterprise Linux, Rhel Aus and 3 more | 2024-12-06 | 5.3 Medium |
| Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird < 128.4.3 and Thunderbird < 132.0.1. | ||||
| CVE-2023-27243 | 1 Makves | 1 Dcap | 2024-12-06 | 7.5 High |
| An access control issue in Makves DCAP v3.0.0.122 allows unauthenticated attackers to obtain cleartext credentials via a crafted web request to the product API. | ||||
| CVE-2024-54127 | 2024-12-05 | N/A | ||
| This vulnerability exists in the TP-Link Archer C50 due to presence of terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by accessing the UART shell on the vulnerable device. Successful exploitation of this vulnerability could allow the attacker to obtain Wi-Fi credentials of the targeted system. | ||||
| CVE-2024-53979 | 1 Ibm | 1 Zhmc | 2024-12-04 | 8.3 High |
| ibm.ibm_zhmc is an Ansible collection for the IBM Z HMC. The Ansible collection "ibm.ibm_zhmc" writes password-like properties in clear text into its log file and into the output returned by some of its Ansible module in the following cases: 1. The 'boot_ftp_password' and 'ssc_master_pw' properties are passed as input to the zhmc_partition Ansible module. 2. The 'ssc_master_pw' and 'zaware_master_pw' properties are passed as input to the zhmc_lpar Ansible module. 3. The 'password' property is passed as input to the zhmc_user Ansible module (just in log file, not in module output). 4. The 'bind_password' property is passed as input to the zhmc_ldap_server_definition Ansible module. These properties appear in the module output only when they were specified in the module input and when creating or updating the corresponding resources. They do not appear in the output when retrieving facts for the corresponding resources. These properties appear in the log file only when the "log_file" module input parameter is used. By default, no log file is created. This issue has been fixed in ibm.ibm_zhmc version 1.9.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2018-0089 | 1 Cisco | 1 Policy Suite | 2024-12-02 | N/A |
| A vulnerability in the Policy and Charging Rules Function (PCRF) of the Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The attacker would also have to have access to the internal VLAN where CPS is deployed. The vulnerability is due to incorrect permissions of certain system files and not sufficiently protecting sensitive data that is at rest. An attacker could exploit the vulnerability by using certain tools available on the internal network interface to request and view system files. An exploit could allow the attacker to find out sensitive information about the application. Cisco Bug IDs: CSCvf77666. | ||||
| CVE-2024-53865 | 2024-12-02 | 8.3 High | ||
| zhmcclient is a pure Python client library for the IBM Z HMC Web Services API. In affected versions the Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases: 1. The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs. 2. The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs. 3. The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs. 4. The 'password' property when creating or updating an HMC user, in the zhmcclient API log. 5. The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs. This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above. This issue has been fixed in zhmcclient version 1.18.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-48305 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-27 | 4.2 Medium |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, when the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.11, 26.0.6, and 27.1.0 contain a patch for this issue. As a workaround, change config setting `loglevel` to `1` or higher (should always be higher than 1 in production environments). | ||||
| CVE-2024-29146 | 2024-11-26 | 5.9 Medium | ||
| User passwords are decrypted and stored on memory before any user logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | ||||
| CVE-2024-36589 | 2024-11-25 | 4.3 Medium | ||
| An issue in Annonshop.app DecentralizeJustice/anonymousLocker commit 2b2b4 to ba9fd and DecentralizeJustice/anonBackend commit 57837 to cd815 was discovered to store credentials in plaintext. | ||||
| CVE-2022-46141 | 1 Siemens | 1 Simatic Step 7 | 2024-11-25 | 4.2 Medium |
| A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions < V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application. | ||||