Total
1025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6794 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Thunderbird | 2022-01-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5. | |||||
| CVE-2021-42023 | 1 Siemens | 2 Modelsim, Questa | 2021-12-20 | 2.1 LOW | 6.5 MEDIUM |
| A vulnerability has been identified in ModelSim Simulation (All versions), Questa Simulation (All versions). The RSA white-box implementation in affected applications insufficiently protects the built-in private keys that are required to decrypt electronic intellectual property (IP) data in accordance with the IEEE 1735 recommended practice. This could allow a sophisticated attacker to discover the keys, bypassing the protection intended by the IEEE 1735 recommended practice. | |||||
| CVE-2021-37187 | 1 Digi | 17 Transport Dr64, Transport Dr64 Firmware, Transport Sr44 and 14 more | 2021-12-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may read a password file (with reversible passwords) from the device, which allows decoding of other users' passwords. | |||||
| CVE-2021-20146 | 1 Gryphonconnect | 2 Gryphon Tower, Gryphon Tower Firmware | 2021-12-13 | 10.0 HIGH | 9.8 CRITICAL |
| An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time of discovery, the ssh key could be used to login to the development server hosted in Amazon Web Services. | |||||
| CVE-2020-27413 | 1 Mahadiscom | 1 Mahavitaran | 2021-12-08 | 1.9 LOW | 4.2 MEDIUM |
| An issue was discovered in Mahavitaran android application 7.50 and below, allows local attackers to read cleartext username and password while the user is logged into the application. | |||||
| CVE-2019-4724 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Content Backup page. IBM X-Force ID: 172130. | |||||
| CVE-2019-4723 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings in New Data Server Connection page. IBM X-Force ID: 172129. | |||||
| CVE-2021-40503 | 1 Sap | 1 Gui For Windows | 2021-11-29 | 2.1 LOW | 7.8 HIGH |
| An information disclosure vulnerability exists in SAP GUI for Windows - versions < 7.60 PL13, 7.70 PL4, which allows an attacker with sufficient privileges on the local client-side PC to obtain an equivalent of the user’s password. With this highly sensitive data leaked, the attacker would be able to logon to the backend system the SAP GUI for Windows was connected to and launch further attacks depending on the authorizations of the user. | |||||
| CVE-2020-15157 | 3 Canonical, Debian, Linuxfoundation | 3 Ubuntu Linux, Debian Linux, Containerd | 2021-11-18 | 2.6 LOW | 6.1 MEDIUM |
| In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. | |||||
| CVE-2015-5013 | 1 Ibm | 6 Security Access Manager 9.0, Security Access Manager 9.0 Firmware, Security Access Manager For Mobile and 3 more | 2021-11-09 | 2.1 LOW | 5.5 MEDIUM |
| The IBM Security Access Manager appliance includes configuration files that contain obfuscated plaintext-passwords which authenticated users can access. | |||||
| CVE-2019-18256 | 1 Biotronik | 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more | 2021-10-29 | 2.1 LOW | 4.6 MEDIUM |
| BIOTRONIK CardioMessenger II, The affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and decryption of local data in transit. | |||||
| CVE-2019-10214 | 5 Buildah Project, Libpod Project, Opensuse and 2 more | 6 Buildah, Libpod, Leap and 3 more | 2021-10-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. | |||||
| CVE-2021-36178 | 1 Fortinet | 1 Fortisdnconnector | 2021-10-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| A insufficiently protected credentials in Fortinet FortiSDNConnector version 1.1.7 and below allows attacker to disclose third-party devices credential information via configuration page lookup. | |||||
| CVE-2021-36170 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2021-10-14 | 2.1 LOW | 3.2 LOW |
| An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM and FortiManagerVM versions 7.0.0 and 6.4.6 and below may allow an authenticated attacker to read the FortiCloud credentials which were used to activate the trial license in cleartext. | |||||
| CVE-2020-24680 | 1 Abb | 2 Symphony \+ Historian, Symphony \+ Operations | 2021-10-07 | 4.6 MEDIUM | 7.0 HIGH |
| In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database. | |||||
| CVE-2021-41297 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 4.0 MEDIUM | 8.8 HIGH |
| ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text. | |||||
| CVE-2021-41300 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2021-10-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality. | |||||
| CVE-2021-38863 | 1 Ibm | 1 Security Verify Bridge | 2021-09-29 | 2.1 LOW | 5.5 MEDIUM |
| IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a locally authenticated user. IBM X-Force ID: 208154. | |||||
| CVE-2021-20434 | 1 Ibm | 1 Security Verify Bridge | 2021-09-29 | 2.1 LOW | 4.4 MEDIUM |
| IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 196346. | |||||
| CVE-2021-29811 | 1 Ibm | 1 Tivoli Netcool\/omnibus Webgui | 2021-09-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 stores user credentials in plain clear text which can be read by an authenticated admin user. IBM X-Force ID: 204329. | |||||