Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33742 | 1 Teleadapt | 2 Roomcast Ta-2400, Roomcast Ta-2400 Firmware | 2023-08-03 | N/A | 7.5 HIGH |
| TeleAdapt RoomCast TA-2400 1.0 through 3.1 suffers from Cleartext Storage of Sensitive Information: RSA private key in Update.exe. | |||||
| CVE-2021-40454 | 1 Microsoft | 11 365 Apps, Office, Windows 10 and 8 more | 2023-08-01 | 2.1 LOW | 5.5 MEDIUM |
| Rich Text Edit Control Information Disclosure Vulnerability | |||||
| CVE-2023-32483 | 1 Dell | 1 Wyse Management Suite | 2023-07-26 | N/A | 4.4 MEDIUM |
| Wyse Management Suite versions prior to 4.0 contain a sensitive information disclosure vulnerability. An authenticated malicious user having local access to the system running the application could exploit this vulnerability to read sensitive information written to log files. | |||||
| CVE-2023-37468 | 1 Thm | 1 Feedbacksystem | 2023-07-25 | N/A | 5.5 MEDIUM |
| Feedbacksystem is a personalized feedback system for students using artificial intelligence. Passwords of users using LDAP login are stored in clear text in the database. The LDAP users password is passed unencrypted in the LoginController.scala and stored in the database when logging in for the first time. Users using only local login or the cas login are not affected. This issue has been patched in version 1.19.2. | |||||
| CVE-2022-2739 | 2 Podman Project, Redhat | 3 Podman, Enterprise Linux Server, Enterprise Linux Workstation | 2023-07-21 | N/A | 5.3 MEDIUM |
| The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables. | |||||
| CVE-2023-31821 | 1 Albis | 1 Albis | 2023-07-21 | N/A | 7.5 HIGH |
| An issue found in ALBIS Co. ALBIS v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp ALBIS function. | |||||
| CVE-2022-27549 | 1 Hcltechsw | 1 Hcl Launch | 2023-07-18 | 2.1 LOW | 5.5 MEDIUM |
| HCL Launch may store certain data for recurring activities in a plain text format. | |||||
| CVE-2023-35699 | 1 Sick | 2 Icr890-4, Icr890-4 Firmware | 2023-07-18 | N/A | 4.6 MEDIUM |
| Cleartext Storage on Disk in the SICK ICR890-4 could allow an unauthenticated attacker with local access to the device to disclose sensitive information by accessing a SD card. | |||||
| CVE-2022-26390 | 1 Baxter | 8 Baxter Spectrum Iq 35700bax3, Baxter Spectrum Iq 35700bax3 Firmware, Sigma Spectrum 35700bax and 5 more | 2023-07-11 | N/A | 4.2 MEDIUM |
| The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information. | |||||
| CVE-2022-46155 | 1 Airtable | 1 Airtable | 2023-07-07 | N/A | 6.4 MEDIUM |
| Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code. | |||||
| CVE-2022-25164 | 1 Mitsubishielectric | 2 Gx Works3, Mx Opc Ua Module Configurator-r | 2023-06-29 | N/A | 7.5 HIGH |
| Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers can gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module. | |||||
| CVE-2022-33159 | 1 Ibm | 1 Security Directory Suite Va | 2023-06-21 | N/A | 6.5 MEDIUM |
| IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 228567. | |||||
| CVE-2023-32448 | 1 Dell | 1 Powerpath | 2023-06-06 | N/A | 5.5 MEDIUM |
| PowerPath for Windows, versions 7.0, 7.1 & 7.2 contains License Key Stored in Cleartext vulnerability. A local user with access to the installation directory can retrieve the license key of the product and use it to install and license PowerPath on different systems. | |||||
| CVE-2022-29826 | 1 Mitsubishielectric | 1 Gx Works3 | 2023-05-31 | N/A | 7.5 HIGH |
| Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.087R and Motion Control Setting(GX Works3 related software) versions from 1.000A to 1.042U allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | |||||
| CVE-2022-29832 | 1 Mitsubishielectric | 1 Gx Works3 | 2023-05-31 | N/A | 6.5 MEDIUM |
| Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later, GX Works2 all versions and GX Developer versions 8.40S and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could obtain information about the project file for MELSEC safety CPU modules or project file for MELSEC Q/FX/L series with security setting. | |||||
| CVE-2023-22878 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-05-26 | N/A | 5.5 MEDIUM |
| IBM InfoSphere Information Server 11.7 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 244373. | |||||
| CVE-2023-31408 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2023-05-25 | N/A | 7.5 HIGH |
| Cleartext Storage of Sensitive Information in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to potentially steal user credentials that are stored in the user’s browsers local storage via cross-site-scripting attacks. | |||||
| CVE-2023-30853 | 1 Gradle | 1 Build Action | 2023-05-10 | N/A | 6.5 MEDIUM |
| Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configured for the repository. Secrets configured for GitHub Actions are normally passed to the Gradle Build Tool via environment variables. Due to the way that the Gradle Build Tool records these environment variables, they may be persisted into an entry in the GitHub Actions cache. This data stored in the GitHub Actions cache can be read by a GitHub Actions workflow running in an untrusted context, such as that running for a Pull Request submitted by a developer via a repository fork. This vulnerability was discovered internally through code review, and we have not seen any evidence of it being exploited in the wild. However, in addition to upgrading the Gradle Build Action, affected users should delete any potentially vulnerable cache entries and may choose to rotate any potentially affected secrets. Gradle Build Action v2.4.2 and newer no longer saves this sensitive data for later use, preventing ongoing leakage of secrets via the GitHub Actions Cache. While upgrading to the latest version of the Gradle Build Action will prevent leakage of secrets going forward, additional actions may be required due to current or previous GitHub Actions Cache entries containing this information. Current cache entries will remain vulnerable until they are forcibly deleted or they expire naturally after 7 days of not being used. Potentially vulnerable entries can be easily identified in the GitHub UI by searching for a cache entry with key matching `configuration-cache-*`. The maintainers recommend that users of the Gradle Build Action inspect their list of cache entries and manually delete any that match this pattern. While maintainers have not seen any evidence of this vulnerability being exploited, they recommend cycling any repository secrets if you cannot be certain that these have not been compromised. Compromise could occur if a user runs a GitHub Actions workflow for a pull request attempting to exploit this data. Warning signs to look for in a pull request include: - Making changes to GitHub Actions workflow files in a way that may attempt to read/extract data from the Gradle User Home or `<project-root>/.gradle` directories. - Making changes to Gradle build files or other executable files that may be invoked by a GitHub Actions workflow, in a way that may attempt to read/extract information from these locations. Some workarounds to limit the impact of this vulnerability are available: - If the Gradle project does not opt-in to using the configuration cache, then it is not vulnerable. - If the Gradle project does opt-in to using the configuration-cache by default, then the `--no-configuration-cache` command-line argument can be used to disable this feature in a GitHub Actions workflow. In any case, we recommend that users carefully inspect any pull request before approving the execution of GitHub Actions workflows. It may be prudent to require approval for all PRs from external contributors. | |||||
| CVE-2023-0005 | 1 Paloaltonetworks | 1 Pan-os | 2023-04-21 | N/A | 4.9 MEDIUM |
| A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys. | |||||
| CVE-2023-25263 | 1 Stimulsoft | 1 Designer | 2023-04-03 | N/A | 5.5 MEDIUM |
| In Stimulsoft Designer (Desktop) 2023.1.5, and 2023.1.4, once an attacker decompiles the Stimulsoft.report.dll the attacker is able to decrypt any connectionstring stored in .mrt files since a static secret is used. The secret does not differ between the tested versions and different operating systems. | |||||