Total
170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-3625 | 1 Redhat | 1 Mirror Registry | 2025-11-20 | 7.3 High |
| A flaw was found in Quay, where Quay's database is stored in plain text in mirror-registry on Jinja's config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay's Redis instance. | ||||
| CVE-2024-3624 | 1 Redhat | 1 Mirror Registry | 2025-11-20 | 7.3 High |
| A flaw was found in how Quay's database is stored in plain-text in mirror-registry on the jinja's config.yaml file. This flaw allows a malicious actor with access to this file to gain access to Quay's database. | ||||
| CVE-2025-56527 | 1 Cinnamon | 1 Kotaemon | 2025-11-20 | 7.5 High |
| Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage. | ||||
| CVE-2024-3623 | 1 Redhat | 1 Mirror Registry | 2025-11-20 | 8.1 High |
| A flaw was found when using mirror-registry to install Quay. It uses a default database secret key, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same database secret key. This flaw allows a malicious actor to access sensitive information from Quay's database. | ||||
| CVE-2024-3622 | 1 Redhat | 1 Mirror Registry | 2025-11-20 | 8.8 High |
| A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance. | ||||
| CVE-2025-13221 | 1 Intelbras | 1 Unniti | 2025-11-18 | 5.3 Medium |
| A weakness has been identified in Intelbras UnniTI 24.07.11. The affected element is an unknown function of the file /xml/sistema/usuarios.xml. Executing manipulation of the argument Usuario/Senha can lead to unprotected storage of credentials. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-13187 | 1 Intelbras | 1 Icip | 2025-11-18 | 5.3 Medium |
| A security vulnerability has been detected in Intelbras ICIP 2.0.20. Affected is an unknown function of the file /xml/sistema/acessodeusuario.xml. Such manipulation of the argument NomeUsuario/SenhaAcess leads to unprotected storage of credentials. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-34210 | 1 Vasion | 3 Print Application, Virtual Appliance Application, Virtual Appliance Host | 2025-11-17 | 5.5 Medium |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product "follows a shared responsibility model, where administrators are expected to configure persistent storage encryption." | ||||
| CVE-2025-9982 | 1 Opensolution | 1 Quick.cms | 2025-11-17 | 7.5 High |
| A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-11193 | 1 Lenovo | 2 Tablet, Yoga | 2025-11-10 | 5.5 Medium |
| A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information. | ||||
| CVE-2025-46366 | 1 Dell | 1 Cloudlink | 2025-11-07 | 6.7 Medium |
| Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user may exploit and gain parallel privilege escalation or access to the database to obtain confidential information. | ||||
| CVE-2025-53677 | 1 Jenkins | 1 Xooa | 2025-11-04 | 5.3 Medium |
| Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it. | ||||
| CVE-2025-53675 | 1 Jenkins | 1 Warrior Framework | 2025-11-04 | 6.5 Medium |
| Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-53674 | 1 Jenkins | 1 Sensedia Api Platform Tools | 2025-11-04 | 5.3 Medium |
| Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it. | ||||
| CVE-2025-53671 | 1 Jenkins | 1 Nouvola Divecloud | 2025-11-04 | 6.5 Medium |
| Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53669 | 1 Jenkins | 1 Vaddy | 2025-11-04 | 4.3 Medium |
| Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53665 | 1 Jenkins | 1 Apica Loadtest | 2025-11-04 | 4.3 Medium |
| Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53664 | 1 Jenkins | 1 Apica Loadtest | 2025-11-04 | 6.5 Medium |
| Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-53662 | 1 Jenkins | 1 Ifttt Build Notifier | 2025-11-04 | 6.5 Medium |
| Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-53660 | 1 Jenkins | 1 Qmetry Test Management | 2025-11-04 | 4.3 Medium |
| Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||