Total
725 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-1265 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 6.5 Medium |
| A vulnerability in the configuration archive functionality of Cisco DNA Center could allow any privilege-level authenticated, remote attacker to obtain the full unmasked running configuration of managed devices. The vulnerability is due to the configuration archives files being stored in clear text, which can be retrieved by various API calls. An attacker could exploit this vulnerability by authenticating to the device and executing a series of API calls. A successful exploit could allow the attacker to retrieve the full unmasked running configurations of managed devices. | ||||
| CVE-2025-2120 | 1 Thinkware | 2 F800 Pro, F800 Pro Firmware | 2025-07-22 | 2.1 Low |
| A vulnerability was found in Thinkware Car Dashcam F800 Pro up to 20250226. It has been rated as problematic. This issue affects some unknown processing of the file /tmp/hostapd.conf of the component Configuration File Handler. The manipulation leads to cleartext storage in a file or on disk. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-44614 | 1 Tinxy | 2 Wifi Lock Controller V1 Rf, Wifi Lock Controller V1 Rf Firmware | 2025-07-22 | 7.5 High |
| Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensitive information, including credentials and mobile phone numbers, in plaintext. | ||||
| CVE-2025-7397 | 2025-07-22 | N/A | ||
| A vulnerability in the ascgshell, of Brocade ASCG before 3.3.0 stores any command executed in the Command Line Interface (CLI) in plain text within the command history. A local authenticated user that can access sensitive information like passwords within the CLI history leading to unauthorized access and potential data breaches. | ||||
| CVE-2025-41458 | 2025-07-22 | 5.5 Medium | ||
| Unencrypted storage in the database in Two App Studio Journey v5.5.9 for iOS allows local attackers to extract sensitive data via direct access to the app’s filesystem. | ||||
| CVE-2025-53670 | 1 Jenkins | 1 Nouvola Divecloud | 2025-07-18 | 6.5 Medium |
| Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-53755 | 2025-07-16 | N/A | ||
| This vulnerability exists in Digisol DG-GR6821AC Router due to storage of credentials and PINS without encryption in the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the unencrypted data stored in the firmware of targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the network of the targeted device. | ||||
| CVE-2025-53758 | 2025-07-16 | N/A | ||
| This vulnerability exists in Digisol DG-GR6821AC Router due to use of default admin credentials at its web management interface. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the hardcoded default credentials stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted device. | ||||
| CVE-2025-7215 | 1 Fnkvision | 1 Fnk-gu2 | 2025-07-13 | 1.6 Low |
| A vulnerability, which was classified as problematic, has been found in FNKvision FNK-GU2 up to 40.1.7. Affected by this issue is some unknown functionality of the file /rom/wpa_supplicant.conf. The manipulation leads to cleartext storage of sensitive information. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-4235 | 1 Netgear | 1 Dg834gv5 | 2025-07-13 | 2.7 Low |
| A vulnerability classified as problematic was found in Netgear DG834Gv5 1.6.01.34. This vulnerability affects unknown code of the component Web Management Interface. The manipulation leads to cleartext storage of sensitive information. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-262126 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-47056 | 1 Mautic | 1 Mautic | 2025-07-12 | 5.1 Medium |
| SummaryThis advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations. Sensitive Information Disclosure via .env File Exposure: The .env file, which typically contains environment variables and sensitive application configurations, is directly accessible via a web browser due to missing web server configurations that restrict access to such files. This allows an unauthenticated attacker to view the contents of this file by simply navigating to its URL. MitigationUpdate Mautic to the latest Mautic version. By default, Mautic does not use .env files for production data. For Apache users: Ensure your web server is configured to respect .htaccess files. For Nginx users: As Nginx does not inherently support .htaccess files, you must manually add a configuration block to your Nginx server configuration to deny access to .env files. Add the following to your Nginx configuration for the Mautic site: location ~ /\.env { deny all; } After modifying your Nginx configuration, remember to reload or restart your Nginx service for the changes to take effect. | ||||
| CVE-2025-0418 | 1 Valmet | 1 Dna | 2025-07-12 | N/A |
| Valmet DNA user passwords in plain text. This practice poses a security risk as attackers who gain access to local project data can read the passwords. | ||||
| CVE-2025-48463 | 1 Advantech | 6 Wise-4010lan, Wise-4010lan Firmware, Wise-4050lan and 3 more | 2025-07-09 | 3.1 Low |
| Successful exploitation of the vulnerability could allow an attacker to intercept data and conduct session hijacking on the exposed data as the vulnerable product uses unencrypted HTTP communication, potentially leading to unauthorised access or data tampering. | ||||
| CVE-2025-4537 | 1 Ruoyi | 1 Ruoyi-vue | 2025-07-08 | 3.1 Low |
| A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Affected by this issue is some unknown functionality of the file ruoyi-ui/jsencrypt.js and ruoyi-ui/login.vue of the component Password Handler. The manipulation leads to cleartext storage of sensitive information in a cookie. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-22031 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2025-07-08 | 7.8 High |
| Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability | ||||
| CVE-2025-53103 | 2025-07-03 | 5.8 Medium | ||
| JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are published or stored anywhere public, then there is the possibility that a rouge attacker can steal the token and perform elevated actions by impersonating the user or app. This issue as been patched in version 5.13.2. | ||||
| CVE-2025-27460 | 2025-07-03 | 7.6 High | ||
| The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives. | ||||
| CVE-2025-6748 | 2025-06-30 | 2.1 Low | ||
| A vulnerability classified as problematic has been found in Bharti Airtel Thanks App 4.105.4 on Android. Affected is an unknown function of the file /Android/data/com.myairtelapp/files/. The manipulation leads to cleartext storage in a file or on disk. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-28912 | 2025-06-30 | 5.7 Medium | ||
| The MIB3 unit stores the synchronized phone contact book in clear-text, allowing an attacker with either code execution privilege on the system or physical access to the system to obtain vehicle owner's contact data. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | ||||
| CVE-2024-40750 | 1 Linksys | 4 Mbe7000, Mbe7000 Firmware, Mx6200 and 1 more | 2025-06-30 | 5.3 Medium |
| Linksys Velop Pro 6E 1.0.8 MX6200_1.0.8.215731 and 7 1.0.10.215314 devices send cleartext Wi-Fi passwords over the public Internet during app-based installation. | ||||