Total
1196 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-42955 | 1 Claris | 1 Filemaker Server | 2024-12-10 | 4.9 Medium |
| Claris International has successfully resolved an issue of potentially exposing password information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by eliminating the send of Admin Role passwords in the Node.js socket. | ||||
| CVE-2024-53832 | 2024-12-10 | 4.6 Medium | ||
| A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V05.30). The affected devices contain a secure element which is connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files. | ||||
| CVE-2024-36460 | 1 Zabbix | 1 Zabbix | 2024-12-10 | 8.1 High |
| The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text. | ||||
| CVE-2024-9677 | 1 Zyxel | 12 Uos, Usg Flex 100h, Usg Flex 100h Firmware and 9 more | 2024-12-05 | 5.5 Medium |
| The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out. | ||||
| CVE-2024-51545 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2024-12-05 | 10 Critical |
| Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list functions. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | ||||
| CVE-2020-18406 | 1 Cmseasy | 1 Cmseasy | 2024-12-04 | 7.5 High |
| An issue was discovered in cmseasy v7.0.0 that allows user credentials to be sent in clear text due to no encryption of form data. | ||||
| CVE-2024-11856 | 2024-12-02 | 3.7 Low | ||
| A security vulnerability in HPE IceWall products could be exploited remotely to cause Unauthorized Data Modification. | ||||
| CVE-2018-0335 | 1 Cisco | 1 Prime Collaboration | 2024-11-29 | N/A |
| A vulnerability in the web portal authentication process of Cisco Prime Collaboration Provisioning could allow an unauthenticated, local attacker to view sensitive data. The vulnerability is due to improper logging of authentication data. An attacker could exploit this vulnerability by monitoring a specific World-Readable file for this authentication data (Cleartext Passwords). An exploit could allow the attacker to gain authentication information for other users. Cisco Bug IDs: CSCvd86602. | ||||
| CVE-2019-17497 | 1 Pdf-xchange | 1 Pdf-xchange Editor | 2024-11-27 | 6.5 Medium |
| Tracker PDF-XChange Editor before 8.0.330.0 has an NTLM SSO hash theft vulnerability using crafted FDF or XFDF files (a related issue to CVE-2018-4993). For example, an NTLM hash is sent for a link to \\192.168.0.2\C$\file.pdf without user interaction. | ||||
| CVE-2023-28857 | 1 Apereo | 1 Central Authentication Service | 2024-11-27 | 4 Medium |
| Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-49280 | 1 Xwiki | 1 Change Request | 2024-11-27 | 7.7 High |
| XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view. This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won't be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It's possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default. | ||||
| CVE-2022-45611 | 1 Fresenius-kabi | 2 Pharmahelp, Pharmahelp Firmware | 2024-11-27 | 9.8 Critical |
| An issue was discovered in Fresenius Kabi PharmaHelp 5.1.759.0 allows attackers to gain escalated privileges via via capture of user login information. | ||||
| CVE-2023-36476 | 1 Nixos | 1 Calamares-nixos-extensions | 2024-11-27 | 7.9 High |
| calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users of calamares-nixos-extensions version 0.3.12 and prior who installed NixOS through the graphical calamares installer, with an unencrypted `/boot`, on either non-UEFI systems or with a LUKS partition different from `/` have their LUKS key file in `/boot` as a plaintext CPIO archive attached to their NixOS initrd. A patch is available and anticipated to be part of version 0.3.13 to backport to NixOS 22.11, 23.05, and unstable channels. Expert users who have a copy of their data may, as a workaround, re-encrypt the LUKS partition(s) themselves. | ||||
| CVE-2023-31492 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-11-26 | 6.5 Medium |
| Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | ||||
| CVE-2021-1126 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 5.5 Medium |
| A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server. The vulnerability is due to clear-text storage and weak permissions of related configuration files. An attacker could exploit this vulnerability by accessing the CLI of the affected software and viewing the contents of the affected files. A successful exploit could allow the attacker to view the credentials that are used to access the proxy server. | ||||
| CVE-2024-6749 | 2024-11-26 | 6.3 Medium | ||
| Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client. If Incident report is not being used with credentials configured this flaw does not apply. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||
| CVE-2024-39290 | 2024-11-22 | N/A | ||
| Insufficiently protected credentials issue exists in AIPHONE IX SYSTEM and IXG SYSTEM. A network-adjacent unauthenticated attacker may obtain sensitive information such as a username and its password in the address book. | ||||
| CVE-2024-47142 | 2024-11-22 | N/A | ||
| AIPHONE IXG SYSTEM IXG-2C7 firmware Ver.2.03 and earlier and IXG-2C7-L firmware Ver.2.03 and earlier contain an issue with insufficiently protected credentials, which may allow a network-adjacent authenticated attacker to perform unintended operations. | ||||
| CVE-2018-0474 | 1 Cisco | 1 Unified Communications Manager | 2024-11-21 | 8.8 High |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view digest credentials in clear text. The vulnerability is due to the incorrect inclusion of saved passwords in configuration pages. An attacker could exploit this vulnerability by logging in to the Cisco Unified Communications Manager web-based management interface and viewing the source code for the configuration page. A successful exploit could allow the attacker to recover passwords and expose those accounts to further attack. | ||||
| CVE-2018-15456 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | N/A |
| A vulnerability in the Admin Portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to view saved passwords in plain text. The vulnerability is due to the incorrect inclusion of saved passwords when loading configuration pages in the Admin Portal. An attacker with read or write access to the Admin Portal could exploit this vulnerability by browsing to a page that contains sensitive data. An exploit could allow the attacker to recover passwords for unauthorized use and expose those accounts to further attack. | ||||