Filtered by CWE-522
Total 1192 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-2103 1 Secheron 2 Sepcos Control And Protection Relay, Sepcos Control And Protection Relay Firmware 2025-04-16 9.8 Critical
An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories.
CVE-2022-1666 1 Secheron 2 Sepcos Control And Protection Relay, Sepcos Control And Protection Relay Firmware 2025-04-16 6.5 Medium
The default password for the web application’s root user (the vendor’s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool.
CVE-2024-28110 2 Cloudevents, Redhat 3 Sdk Go, Openshift, Openshift Serverless 2025-04-16 7.5 High
Go SDK for CloudEvents is the official CloudEvents SDK to integrate applications with CloudEvents. Prior to version 2.15.2, using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact. Version 2.15.2 patches this issue.
CVE-2025-27650 1 Printerlogic 2 Vasion Print, Virtual Appliance 2025-04-15 9.8 Critical
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Private Keys in Docker Overlay V-2023-013.
CVE-2025-27648 1 Printerlogic 2 Vasion Print, Virtual Appliance 2025-04-15 9.8 Critical
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.913 Application 20.0.2253 allows Cross Tenant Password Exposure V-2024-003.
CVE-2022-21184 1 Atvise 1 Atvise 2025-04-15 5.9 Medium
An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A plaintext HTTP request can lead to a disclosure of login credentials. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
CVE-2025-22372 2025-04-15 N/A
Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery. Passwords are either stored in plain text using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily. This issue affects BASEC: from 14 Dec 2021.
CVE-2022-22458 2 Ibm, Linux 2 Security Verify Governance, Linux Kernel 2025-04-15 6.3 Medium
IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID: 225009.
CVE-2022-4612 1 Clickstudios 1 Passwordstate 2025-04-15 4.3 Medium
A vulnerability has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as problematic. This vulnerability affects unknown code. The manipulation leads to insufficiently protected credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-216274 is the identifier assigned to this vulnerability.
CVE-2022-4312 1 Arcinformatique 1 Pcvue 2025-04-14 5.5 Medium
A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. This could allow an unauthorized user with access the email and short messaging service (SMS) accounts configuration files to discover the associated simple mail transfer protocol (SMTP) account credentials and the SIM card PIN code. Successful exploitation of this vulnerability could allow an unauthorized user access to the underlying email account and SIM card.
CVE-2014-0189 2 Redhat, Virt-who Project 6 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 3 more 2025-04-12 N/A
virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain password for hypervisors by reading the file.
CVE-2014-0184 1 Redhat 2 Cloudforms 3.0 Management Engine, Cloudforms Managementengine 2025-04-12 N/A
Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file.
CVE-2015-7546 2 Openstack, Oracle 3 Keystone, Keystonemiddleware, Solaris 2025-04-12 7.5 High
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
CVE-2015-7502 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2025-04-12 N/A
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files.
CVE-2014-0154 2 Ovirt, Redhat 2 Ovirt, Rhev Manager 2025-04-12 N/A
oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-5955 1 Owncloud 1 Owncloud Client 2025-04-12 N/A
ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance administrators to obtain sensitive credential and cookie information by reading authentication headers.
CVE-2014-0153 2 Ovirt, Redhat 2 Ovirt, Rhev Manager 2025-04-12 N/A
The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page.
CVE-2015-3962 1 Schneider-electric 1 Struxureware Building Expert Multi-purpose Management 2025-04-12 N/A
Schneider Electric StruxureWare Building Expert MPM before 2.15 does not use encryption for the client-server data stream, which allows remote attackers to discover credentials by sniffing the network.
CVE-2015-3646 2 Openstack, Oracle 2 Keystone, Solaris 2025-04-12 N/A
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.
CVE-2014-0085 1 Redhat 3 Jboss A-mq, Jboss Amq, Jboss Fuse 2025-04-12 N/A
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.