Total: 577 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-22484 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect, Linux Kernel and 1 more | 2022-05-25 | 2.1 LOW | 5.5 MEDIUM |
IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a local attacker to obtain sensitive information, caused by plain text user account passwords potentially being stored in the browser's application command history. By accessing browser history, an attacker could exploit this vulnerability to obtain other user accounts' passwords. IBM X-Force ID: 226322. | |||||
CVE-2022-28214 | 1 Sap | 2 Businessobjects, Businessobjects Business Intelligence | 2022-05-19 | 4.6 MEDIUM | 7.8 HIGH |
During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability. | |||||
CVE-2022-29868 | 1 1password | 1 1password | 2022-05-18 | 2.1 LOW | 5.5 MEDIUM |
1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password. | |||||
CVE-2022-28162 | 1 Broadcom | 1 Sannav | 2022-05-17 | 2.1 LOW | 3.3 LOW |
Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text. | |||||
CVE-2022-26148 | 2 Grafana, Redhat | 3 Grafana, Ceph Storage, Storage | 2022-05-13 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. | |||||
CVE-2019-15947 | 1 Bitcoin | 1 Bitcoin Core | 2022-05-03 | 5.0 MEDIUM | 7.5 HIGH |
In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command. | |||||
CVE-2021-39078 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2022-04-27 | 2.1 LOW | 4.4 MEDIUM |
IBM Security Guardium 10.5 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215589. | |||||
CVE-2022-0835 | 1 Aveva | 1 System Platform | 2022-04-18 | 1.9 LOW | 5.5 MEDIUM |
AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user. | |||||
CVE-2016-0876 | 1 Moxa | 2 Edr-g903, Edr-g903 Firmware | 2022-04-12 | 5.0 MEDIUM | 7.5 HIGH |
Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attackers to discover cleartext passwords by reading a configuration file. | |||||
CVE-2018-1882 | 5 Apple, Ibm, Linux and 2 more | 7 Macos, Aix, Spectrum Protect Backup-archive Client and 4 more | 2022-04-11 | 1.9 LOW | 4.7 MEDIUM |
In certain atypical IBM Spectrum Protect 7.1 and 8.1 configurations, the node password could be displayed in plain text in the IBM Spectrum Protect client trace file. IBM X-Force ID: 151968. | |||||
CVE-2020-11694 | 2 Jetbrains, Microsoft | 2 Pycharm, Windows | 2022-04-06 | 5.0 MEDIUM | 7.5 HIGH |
In JetBrains PyCharm 2019.2.5 and 2019.3 on Windows, Apple Notarization Service credentials were included. This is fixed in 2019.2.6 and 2019.3.3. | |||||
CVE-2021-45491 | 1 3cx | 1 3cx | 2022-03-31 | 4.0 MEDIUM | 6.5 MEDIUM |
3CX System through 2022-03-17 stores cleartext passwords in a database. | |||||
CVE-2021-41090 | 1 Grafana | 1 Agent | 2022-03-31 | 4.3 MEDIUM | 7.5 HIGH |
Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as `*_file` based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API. | |||||
CVE-2022-23234 | 1 Netapp | 1 Snapcenter | 2022-03-28 | 2.1 LOW | 5.5 MEDIUM |
SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials. | |||||
CVE-2022-26778 | 1 Veritas | 1 System Recovery | 2022-03-18 | 4.0 MEDIUM | 6.5 MEDIUM |
Veritas System Recovery (VSR) 18 and 21 stores a network destination password in the Windows registry during configuration of the backup configuration. This could allow a Windows user (who has sufficient privileges) to access a network file system that they were not authorized to access. | |||||
CVE-2021-43590 | 1 Dell | 1 Enterprise Storage Analytics | 2022-03-12 | 3.6 LOW | 6.0 MEDIUM |
Dell EMC Enterprise Storage Analytics for vRealize Operations, versions 4.0.1 to 6.2.1, contain a Plain-text password storage vulnerability. A local high privileged malicious user may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
CVE-2021-27757 | 1 Hcltech | 1 Bigfix Insights | 2022-03-10 | 5.0 MEDIUM | 7.5 HIGH |
Insecure password storage issue. The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Since the information is stored in cleartext, attackers could potentially read it and gain access to sensitive information. | |||||
CVE-2021-3551 | 4 Dogtagpki, Fedoraproject, Oracle and 1 more | 12 Dogtagpki, Fedora, Linux and 9 more | 2022-02-28 | 4.4 MEDIUM | 7.8 HIGH |
A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality. | |||||
CVE-2022-21818 | 1 Nvidia | 1 License System | 2022-02-23 | 5.5 MEDIUM | 5.4 MEDIUM |
NVIDIA License System contains a vulnerability in the installation scripts for the DLS virtual appliance, where a user on a network after signing in to the portal can access other users’ credentials, allowing them to gain escalated privileges, resulting in limited impact to both confidentiality and integrity. | |||||
CVE-2021-42642 | 1 Printerlogic | 1 Web Stack | 2022-02-08 | 5.0 MEDIUM | 7.5 HIGH |
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer. |