Total
1186 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-3644 | 2 Pulpproject, Redhat | 5 Pulp Ansible, Ansible Automation Platform, Satellite and 2 more | 2025-05-07 | 5.5 Medium |
| The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only. | ||||
| CVE-2022-41575 | 1 Gradle | 1 Enterprise | 2025-05-07 | 7.5 High |
| A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3. | ||||
| CVE-2024-20282 | 1 Cisco | 1 Nexus Dashboard | 2025-05-07 | 6 Medium |
| A vulnerability in Cisco Nexus Dashboard could allow an authenticated, local attacker with valid rescue-user credentials to elevate privileges to root on an affected device. This vulnerability is due to insufficient protections for a sensitive access token. An attacker could exploit this vulnerability by using this token to access resources within the device infrastructure. A successful exploit could allow an attacker to gain root access to the filesystem or hosted containers on an affected device. | ||||
| CVE-2025-46820 | 2025-05-07 | 7.1 High | ||
| phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue. | ||||
| CVE-2022-34311 | 1 Ibm | 1 Cics Tx | 2025-05-06 | 4.3 Medium |
| IBM CICS TX Standard and Advanced 11.1 could allow a user with physical access to the web browser to gain access to the user's session due to insufficiently protected credentials. IBM X-Force ID: 229446. | ||||
| CVE-2025-26628 | 2025-05-06 | 7.3 High | ||
| Insufficiently protected credentials in Azure Local Cluster allows an authorized attacker to disclose information locally. | ||||
| CVE-2022-30944 | 1 Intel | 2 Active Management Technology Firmware, Standard Manageability | 2025-05-05 | 5.5 Medium |
| Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access. | ||||
| CVE-2022-30601 | 1 Intel | 2 Active Management Technology Firmware, Standard Manageability | 2025-05-05 | 9.8 Critical |
| Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access. | ||||
| CVE-2021-33107 | 1 Intel | 446 Active Management Technology Software Development Kit, B150, B250 and 443 more | 2025-05-05 | 4.6 Medium |
| Insufficiently protected credentials in USB provisioning for Intel(R) AMT SDK before version 16.0.3, Intel(R) SCS before version 12.2 and Intel(R) MEBx before versions 11.0.0.0012, 12.0.0.0011, 14.0.0.0004 and 15.0.0.0004 may allow an unauthenticated user to potentially enable information disclosure via physical access. | ||||
| CVE-2022-3781 | 1 Devolutions | 2 Devolutions Server, Remote Desktop Manager | 2025-05-05 | 6.5 Medium |
| Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Desktop Manager 2022.2.26 and prior versions and Devolutions Server 2022.3.1 and prior versions which allows database users to read the data. This issue affects : Remote Desktop Manager 2022.2.26 and prior versions. Devolutions Server 2022.3.1 and prior versions. | ||||
| CVE-2024-45004 | 1 Linux | 1 Linux Kernel | 2025-05-04 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix leak of blob encryption key Trusted keys unseal the key blob on load, but keep the sealed payload in the blob field so that every subsequent read (export) will simply convert this field to hex and send it to userspace. With DCP-based trusted keys, we decrypt the blob encryption key (BEK) in the Kernel due hardware limitations and then decrypt the blob payload. BEK decryption is done in-place which means that the trusted key blob field is modified and it consequently holds the BEK in plain text. Every subsequent read of that key thus send the plain text BEK instead of the encrypted BEK to userspace. This issue only occurs when importing a trusted DCP-based key and then exporting it again. This should rarely happen as the common use cases are to either create a new trusted key and export it, or import a key blob and then just use it without exporting it again. Fix this by performing BEK decryption and encryption in a dedicated buffer. Further always wipe the plain text BEK buffer to prevent leaking the key via uninitialized memory. | ||||
| CVE-2024-29992 | 1 Microsoft | 1 Azure Identity Library For .net | 2025-05-03 | 5.5 Medium |
| Azure Identity Library for .NET Information Disclosure Vulnerability | ||||
| CVE-2022-37109 | 1 Camp Project | 1 Camp | 2025-05-01 | 9.8 Critical |
| patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie. | ||||
| CVE-2022-38121 | 1 Upspowercom | 1 Upsmon Pro | 2025-05-01 | 6.5 Medium |
| UPSMON PRO configuration file stores user password in plaintext under public user directory. A remote attacker with general user privilege can access all users‘ and administrators' account names and passwords via this unprotected configuration file. | ||||
| CVE-2024-40710 | 1 Veeam | 2 Backup \& Replication, Veeam Backup \& Replication | 2025-05-01 | 8.8 High |
| A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication. | ||||
| CVE-2022-45384 | 1 Jenkins | 1 Reverse Proxy Auth | 2025-04-30 | 6.5 Medium |
| Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | ||||
| CVE-2022-45392 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2025-04-30 | 6.5 Medium |
| Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2022-40751 | 1 Ibm | 1 Urbancode Deploy | 2025-04-29 | 4.9 Medium |
| IBM UrbanCode Deploy (UCD) 6.2.7.0 through 6.2.7.17, 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7.2.0.0 through 7.2.3.1 could allow a user with administrative privileges including "Manage Security" permissions may be able to recover a credential previously saved for performing authenticated LDAP searches. IBM X-Force ID: 236601. | ||||
| CVE-2025-2772 | 2025-04-29 | N/A | ||
| BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BEC Technologies routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within /cgi-bin/tools_usermanage.asp. The issue results from transmitting a list of users and their credentials to be handled on the client side. An attacker can leverage this vulnerability to disclose transported credentials, leading to further compromise. Was ZDI-CAN-25895. | ||||
| CVE-2022-29833 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-04-25 | 6.8 Medium |
| Insufficiently Protected Credentials vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could access to MELSEC safety CPU modules illgally. | ||||