Total
1267 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62794 | 1 Github-workflow-updater-extension | 1 Github-workflow-updater-extension | 2025-10-30 | 3.8 Low |
| GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" api. An attacker with read only access to your home directory could have read this token and used it to perform actions with that token. Update to 0.0.7. | ||||
| CVE-2025-12461 | 1 Grupo Castilla | 1 Epsilon Rh | 2025-10-30 | N/A |
| This vulnerability allows an attacker to access parts of the application that are not protected by any type of access control. The attacker could access this path ‘…/epsilonnet/License/About.aspx’ and obtain information on both the licence and the configuration of the product by knowing which modules are installed. | ||||
| CVE-2024-42192 | 1 Hcltech | 2 Traveler, Traveler For Microsoft Outlook | 2025-10-29 | 5.5 Medium |
| HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage which could allow an attacker to access other computers or applications. | ||||
| CVE-2025-54808 | 1 Nanoporetech | 1 Minknow | 2025-10-28 | 7.8 High |
| Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 stores authentication tokens in a file located in the system's temporary directory (/tmp) on the host machine. This directory is typically world-readable, allowing any local user or application to access the token. If the token is leaked (e.g., via malware infection or other local exploit), and remote access is enabled, it can be used to establish unauthorized remote connections to the sequencer. Remote access must be enabled for remote exploitation to succeed. This may occur either because the user has enabled remote access for legitimate operational reasons or because malware with elevated privileges (e.g., sudo access) enables it without user consent. This vulnerability can be chained with remote access capabilities to generate a developer token from a remote device. Developer tokens can be created with arbitrary expiration dates, enabling persistent access to the sequencer and bypassing standard authentication mechanisms. | ||||
| CVE-2025-35054 | 1 Newforma | 2 Project Center, Project Center Server | 2025-10-22 | 5.3 Medium |
| Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma\<version>\Credentials'. The credentials are encrypted but the encryption key is stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources. | ||||
| CVE-2014-1812 | 1 Microsoft | 6 Windows 7, Windows 8, Windows 8.1 and 3 more | 2025-10-22 | 8.8 High |
| The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability." | ||||
| CVE-2017-9248 | 2 Progress, Telerik | 2 Sitefinity, Ui For Asp.net Ajax | 2025-10-22 | 9.8 Critical |
| Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. | ||||
| CVE-2025-54156 | 1 Santesoft | 1 Sante Pacs Server | 2025-10-17 | 7.4 High |
| The Sante PACS Server Web Portal sends credential information without encryption. | ||||
| CVE-2025-6227 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-14 | 2.2 Low |
| Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API. | ||||
| CVE-2024-34147 | 1 Jenkins | 2 Jenkins-telegram-bot, Telegram Bot | 2025-10-10 | 4.3 Medium |
| Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | ||||
| CVE-2025-6519 | 1 Copeland | 8 E3 Supervisory Controller Firmware, Site Supervisor Bx 860-1240, Site Supervisor Bxe 860-1245 and 5 more | 2025-10-10 | 9.8 Critical |
| E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password for ONEDAY. The oneday user cannot be deleted or modified by any user. | ||||
| CVE-2025-54882 | 1 Himmelblau-idm | 1 Himmelblau | 2025-10-09 | 7.1 High |
| Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0, Himmelblau stores the cloud TGT received during logon in the Kerberos credential cache. The created credential cache collection and received credentials are stored as world readable. This is fixed in versions 0.9.22 and 1.2.0. To work around this issue, remove all read access to Himmelblau caches for all users except for owners. | ||||
| CVE-2025-37728 | 1 Elastic | 1 Kibana | 2025-10-08 | 5.4 Medium |
| Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which they have access. | ||||
| CVE-2025-61776 | 1 Dependencytrack | 1 Dependency-track | 2025-10-08 | 4.7 Medium |
| Dependency-Track is a component analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.13.5, Dependency-Track may send credentials meant for a private NuGet repository to `api.nuget.org` via the HTTP `Authorization` header, and may disclose names and versions of components marked as internal to `api.nuget.org`. This can happen if the Dependency-Track instance contains .NET components, a custom NuGet repository has been configured, the custom repository has been configured with authentication credentials, and the repository server does not provide `PackageBaseAddress` resource in its service index. The issue has been fixed in Dependency-Track 4.13.5. Some workarounds are avaialble. Disable custom NuGet repositories until the patch has been applied, invalidate the previously used credentials, and generate new credentials for usage after the patch has been applied. | ||||
| CVE-2025-27231 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 4.9 Medium |
| The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change. | ||||
| CVE-2024-46480 | 1 Venki | 1 Supravizio Bpm | 2025-10-03 | 8.4 High |
| An NTLM hash leak in Venki Supravizio BPM up to 18.0.1 allows authenticated attackers with Application Administrator access to escalate privileges on the underlying host system. | ||||
| CVE-2025-0619 | 1 M-files | 1 M-files Server | 2025-10-03 | 4.9 Medium |
| Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords | ||||
| CVE-2025-40838 | 1 Ericsson | 2 Indoor Connect 8855, Indoor Connect 8855 Firmware | 2025-10-02 | 7.5 High |
| Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information. | ||||
| CVE-2024-45744 | 1 Topquadrant | 1 Topbraid Edg | 2025-10-02 | 3 Low |
| TopQuadrant TopBraid EDG stores external credentials insecurely. An authenticated attacker with file system access can read edg-setup.properites and obtain the secret to decrypt external passwords stored in edg-vault.properties. An authenticated attacker could gain file system access using a separate vulnerability such as CVE-2024-45745. At least version 7.1.3 is affected. Version 7.3 adds HashiCorp Vault integration that does not store external passwords locally. Version 8.3.0 warns when using plain text secrets. | ||||
| CVE-2025-52545 | 1 Copeland | 8 E3 Supervisory Controller Firmware, Site Supervisor Bx 860-1240, Site Supervisor Bxe 860-1245 and 5 more | 2025-10-01 | 7.5 High |
| E3 Site Supervisor Control (firmware version < 2.31F01) RCI service contains an API call to read users info, which returns all usernames and password hashes for the application services. | ||||