Total
570 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-6794 | 3 Canonical, Mozilla, Redhat | 4 Ubuntu Linux, Thunderbird, Enterprise Linux and 1 more | 2024-08-04 | 6.5 Medium |
| If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5. | ||||
| CVE-2020-6648 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-08-04 | 5.3 Medium |
| A cleartext storage of sensitive information vulnerability in FortiOS command line interface in versions 6.2.4 and earlier and FortiProxy 2.0.0, 1.2.9 and earlier may allow an authenticated attacker to obtain sensitive information such as users passwords by connecting to FortiGate CLI and executing the "diag sys ha checksum show" command. | ||||
| CVE-2020-5899 | 1 F5 | 1 Nginx Controller | 2024-08-04 | 7.8 High |
| In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code. | ||||
| CVE-2020-5805 | 1 Marvell | 1 Qconvergeconslole Gui | 2024-08-04 | 8.8 High |
| In Marvell QConvergeConsole GUI <= 5.5.0.74, credentials are stored in cleartext in tomcat-users.xml. OS-level users on the QCC host who are not authorized to use QCC may use the plaintext credentials to login to QCC. | ||||
| CVE-2020-5723 | 1 Grandstream | 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more | 2024-08-04 | 9.8 Critical |
| The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges. | ||||
| CVE-2020-4095 | 1 Hcltech | 1 Bigfix Platform | 2024-08-04 | 6.0 Medium |
| "BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access." | ||||
| CVE-2020-2274 | 1 Jenkins | 1 Elastest | 2024-08-04 | 5.5 Medium |
| Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | ||||
| CVE-2020-2177 | 1 Jenkins | 1 Copr | 2024-08-04 | 4.3 Medium |
| Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | ||||
| CVE-2020-2154 | 1 Jenkins | 1 Zephyr For Jira Test Management | 2024-08-04 | 5.5 Medium |
| Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system. | ||||
| CVE-2021-45491 | 1 3cx | 1 3cx | 2024-08-04 | 6.5 Medium |
| 3CX System through 2022-03-17 stores cleartext passwords in a database. | ||||
| CVE-2021-45077 | 1 Netgear | 2 R6700, R6700 Firmware | 2024-08-04 | 7.5 High |
| Netgear Nighthawk R6700 version 1.0.4.120 stores sensitive information in plaintext. All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admin password is stored in plaintext in the primary configuration file on the device. | ||||
| CVE-2021-45025 | 1 Rocketsoftware | 1 Ags-zena | 2024-08-04 | 7.5 High |
| ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie. | ||||
| CVE-2021-43388 | 1 Unisys | 1 Cargo Mobile | 2024-08-04 | 7.5 High |
| Unisys Cargo Mobile Application before 1.2.29 uses cleartext to store sensitive information, which might be revealed in a backup. The issue is addressed by ensuring that the allowBackup flag (in the manifest) is False. | ||||
| CVE-2021-42763 | 1 Couchbase | 1 Couchbase Server | 2024-08-04 | 7.5 High |
| Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request. | ||||
| CVE-2021-42642 | 1 Printerlogic | 1 Web Stack | 2024-08-04 | 7.5 High |
| PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer. | ||||
| CVE-2021-42370 | 1 Xorux | 2 Lpar2rrd, Stor2rrd | 2024-08-04 | 7.5 High |
| A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.) | ||||
| CVE-2021-42066 | 1 Sap | 1 Business One | 2024-08-04 | 4.4 Medium |
| SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover vulnerable function in-depth application knowledge is required, but once exploited the attacker may be able to completely compromise confidentiality, integrity, and availability of the application. | ||||
| CVE-2021-41639 | 1 Melag | 1 Ftp Server | 2024-08-04 | 5.5 Medium |
| MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file. | ||||
| CVE-2021-41090 | 1 Grafana | 1 Agent | 2024-08-04 | 6.5 Medium |
| Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as `*_file` based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API. | ||||
| CVE-2021-40527 | 1 Onepeloton | 1 Peloton | 2024-08-04 | 8.6 High |
| Exposure of senstive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application. | ||||