Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12801 | 2 Libreoffice, Opensuse | 2 Libreoffice, Leap | 2023-12-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3. | |||||
| CVE-2023-50719 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 7.5 HIGH |
| XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-2809 | 1 Sage | 1 Sage 200 Spain | 2023-12-19 | N/A | 9.8 CRITICAL |
| Plaintext credential usage vulnerability in Sage 200 Spain 2023.38.001 version, the exploitation of which could allow a remote attacker to extract SQL database credentials from the DLL application. This vulnerability could be linked to known techniques to obtain remote execution of MS SQL commands and escalate privileges on Windows systems because the credentials are stored in plaintext. | |||||
| CVE-2023-50776 | 1 Jenkins | 1 Paaslane Estimate | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-50772 | 1 Jenkins | 1 Dingding Json Pusher | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-50773 | 1 Jenkins | 1 Dingding Json Pusher | 2023-12-18 | N/A | 4.3 MEDIUM |
| Jenkins Dingding JSON Pusher Plugin 2.0 and earlier does not mask access tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | |||||
| CVE-2022-46141 | 1 Siemens | 1 Simatic Step 7 | 2023-12-15 | N/A | 5.5 MEDIUM |
| A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions < V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application. | |||||
| CVE-2023-48707 | 1 Codeigniter | 1 Shield | 2023-11-30 | N/A | 6.5 MEDIUM |
| CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. The `secretKey` value is an important key for HMAC SHA256 authentication and in affected versions was stored in the database in cleartext form. If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that corresponding user. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-47312 | 1 H-mdm | 1 Headwind Mdm | 2023-11-30 | N/A | 6.5 MEDIUM |
| Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries. | |||||
| CVE-2021-31855 | 1 Kde | 1 Messagelib | 2023-11-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) causes KMail to upload the decrypted content of the message to the remote server. With a crafted message, a user could be tricked into decrypting an encrypted message and then deleting an attachment attached to this message. If the attacker has access to the messages stored on the email server, then the attacker could read the decrypted content of the encrypted message. This occurs in ViewerPrivate::deleteAttachment in messageviewer/src/viewer/viewer_p.cpp. | |||||
| CVE-2023-4066 | 1 Redhat | 4 Enterprise Linux, Jboss A-mq, Jboss Middleware and 1 more | 2023-11-07 | N/A | 5.5 MEDIUM |
| A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker. | |||||
| CVE-2023-40715 | 1 Fortinet | 1 Fortitester | 2023-11-07 | N/A | 5.5 MEDIUM |
| A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester 2.3.0 through 7.2.3 may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device. | |||||
| CVE-2023-3395 | 1 Ovarro | 10 Tbox Lt2, Tbox Lt2 Firmware, Tbox Ms-cpu32 and 7 more | 2023-11-07 | N/A | 6.5 MEDIUM |
| ?All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system files could open a file to load the document into memory, including sensitive information associated with document, such as password. The attacker could then obtain the plaintext password by using a memory viewer. | |||||
| CVE-2023-36136 | 1 Phpjabbers | 1 Class Scheduling System | 2023-11-07 | N/A | 6.5 MEDIUM |
| PHPJabbers Class Scheduling System 1.0 lacks encryption on the password when editing a user account (update user page) allowing an attacker to capture all user names and passwords in clear text. | |||||
| CVE-2023-24964 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-11-07 | N/A | 5.5 MEDIUM |
| IBM InfoSphere Information Server 11.7 could allow a local user to obtain sensitive information from a log files. IBM X-Force ID: 246463. | |||||
| CVE-2023-23776 | 1 Fortinet | 1 Fortianalyzer | 2023-11-07 | N/A | 3.1 LOW |
| An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiAnalyzer versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4 and 6.4.0 through 6.4.10 may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer | |||||
| CVE-2023-1897 | 1 Atlascopco | 2 Power Focus 6000, Power Focus 6000 Firmware | 2023-11-07 | N/A | 7.5 HIGH |
| Atlas Copco Power Focus 6000 web server does not sanitize the login information stored by the authenticated user’s browser, which could allow an attacker with access to the user’s computer to gain credential information of the controller. | |||||
| CVE-2022-45098 | 1 Dell | 1 Emc Powerscale Onefs | 2023-11-07 | N/A | 5.5 MEDIUM |
| Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component. An authenticated local attacker could potentially exploit this vulnerability, leading to information disclosure. | |||||
| CVE-2022-41740 | 3 Ibm, Microsoft, Redhat | 4 Robotic Process Automation, Robotic Process Automation For Cloud Pak, Windows and 1 more | 2023-11-07 | N/A | 4.6 MEDIUM |
| IBM Robotic Process Automation 20.12 through 21.0.6 could allow an attacker with physical access to the system to obtain highly sensitive information from system memory. IBM X-Force ID: 238053. | |||||
| CVE-2022-41734 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2023-11-07 | N/A | 7.5 HIGH |
| IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 237587. | |||||