Total
1025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4693 | 1 Pickplugins | 1 User Verification | 2025-04-02 | N/A | 9.8 CRITICAL |
| The User Verification WordPress plugin before 1.0.94 was affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the website. | |||||
| CVE-2023-6259 | 1 Brivo | 4 Acs100, Acs100 Firmware, Acs300 and 1 more | 2025-04-01 | N/A | 4.6 MEDIUM |
| Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3. | |||||
| CVE-2023-35789 | 1 Rabbitmq-c Project | 1 Rabbitmq-c | 2025-03-30 | N/A | 5.5 MEDIUM |
| An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments. | |||||
| CVE-2025-2908 | 2025-03-28 | N/A | N/A | ||
| The exposure of credentials in the call forwarding configuration module in MeetMe products in versions prior to 2024-09 allows an attacker to gain access to some important assets via configuration files. | |||||
| CVE-2025-2277 | 1 Devolutions | 1 Devolutions Server | 2025-03-28 | N/A | N/A |
| Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking. | |||||
| CVE-2024-29071 | 2025-03-28 | N/A | N/A | ||
| HGW BL1500HM Ver 002.001.013 and earlier contains a use of week credentials issue. A network-adjacent unauthenticated attacker may change the system settings. | |||||
| CVE-2022-33954 | 2 Ibm, Microsoft | 2 Robotic Process Automation, Windows | 2025-03-27 | N/A | 4.6 MEDIUM |
| IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 could allow a user with psychical access to the system to obtain sensitive information due to insufficiently protected credentials. | |||||
| CVE-2015-5955 | 1 Owncloud | 1 Owncloud Client | 2025-03-26 | 5.0 MEDIUM | N/A |
| ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance administrators to obtain sensitive credential and cookie information by reading authentication headers. | |||||
| CVE-2022-43460 | 1 Fujifilm | 1 Driver Distributor | 2025-03-21 | N/A | 7.5 HIGH |
| Driver Distributor v2.2.3.1 and earlier contains a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator's credentials may be decrypted. | |||||
| CVE-2023-24619 | 1 Redpanda | 1 Redpanda | 2025-03-21 | N/A | 5.5 MEDIUM |
| Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. The fixed versions are 22.3.12, 22.2.10, and 22.1.12. | |||||
| CVE-2024-54471 | 1 Apple | 1 Macos | 2025-03-20 | N/A | 5.5 MEDIUM |
| This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to leak a user's credentials. | |||||
| CVE-2023-25191 | 1 Ami | 1 Megarac Sp-x | 2025-03-19 | N/A | 7.5 HIGH |
| AMI MegaRAC SPX devices allow Password Disclosure through Redfish. The fixed versions are SPx_12-update-7.00 and SPx_13-update-5.00. | |||||
| CVE-2023-23466 | 1 Mediacp | 1 Media Control Panel | 2025-03-19 | N/A | 7.5 HIGH |
| Media CP Media Control Panel latest version. Insufficiently protected credential change. | |||||
| CVE-2022-38714 | 1 Ibm | 2 Cloud Pak For Data, Datastage | 2025-03-18 | N/A | 4.9 MEDIUM |
| IBM DataStage on Cloud Pak for Data 4.0.6 to 4.5.2 stores sensitive credential information that can be read by a privileged user. IBM X-Force ID: 235060. | |||||
| CVE-2022-45599 | 1 Aztech | 2 Wmb250ac, Wmb250ac Firmware | 2025-03-17 | N/A | 9.8 CRITICAL |
| Aztech WMB250AC Mesh Routers Firmware Version 016 2020 is vulnerable to PHP Type Juggling in file /var/www/login.php, allows attackers to gain escalated privileges only when specific conditions regarding a given accounts hashed password. | |||||
| CVE-2017-9248 | 2 Progress, Telerik | 2 Sitefinity, Ui For Asp.net Ajax | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. | |||||
| CVE-2021-30116 | 1 Kaseya | 2 Vsa Agent, Vsa Server | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system. | |||||
| CVE-2024-47805 | 1 Jenkins | 1 Credentials | 2025-03-14 | N/A | 7.5 HIGH |
| Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI. | |||||
| CVE-2023-50945 | 3 Ibm, Linux, Microsoft | 4 Aix, Common Licensing, Linux Kernel and 1 more | 2025-03-11 | N/A | 5.5 MEDIUM |
| IBM Common Licensing 9.0 stores user credentials in plain clear text which can be read by a local user. | |||||
| CVE-2024-41770 | 1 Ibm | 1 Engineering Requirements Management Doors Next | 2025-03-07 | N/A | 7.5 HIGH |
| IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information. | |||||