Total
570 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-22300 | 1 Huawei | 2 Ecns280 Td, Ecns280 Td Firmware | 2024-08-03 | 4.1 Medium |
| There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10. A command does not have timeout exit mechanism. Temporary file contains sensitive information. This allows attackers to obtain information by inter-process access that requires other methods. | ||||
| CVE-2021-22206 | 1 Gitlab | 1 Gitlab | 2024-08-03 | 6.8 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text, | ||||
| CVE-2021-22194 | 1 Gitlab | 1 Gitlab | 2024-08-03 | 5.7 Medium |
| In all versions of GitLab, marshalled session keys were being stored in Redis. | ||||
| CVE-2021-21734 | 1 Zte | 16 Zxa10 F809, Zxa10 F809 Firmware, Zxa10 F819 and 13 more | 2024-08-03 | 6.5 Medium |
| Some PON MDU devices of ZTE stored sensitive information in plaintext, and users with login authority can obtain it by inputing command. This affects: ZTE PON MDU device ZXA10 F821 V1.7.0P3T22, ZXA10 F822 V1.4.3T6, ZXA10 F819 V1.2.1T5, ZXA10 F832 V1.1.1T7, ZXA10 F839 V1.1.0T8, ZXA10 F809 V3.2.1T1, ZXA10 F822P V1.1.1T7, ZXA10 F832 V2.00.00.01 | ||||
| CVE-2021-21339 | 1 Typo3 | 1 Typo3 | 2024-08-03 | 5.9 Medium |
| TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1. | ||||
| CVE-2021-20827 | 1 Idec | 7 Data File Manager, Microsmart Fc6a, Microsmart Fc6a Firmware and 4 more | 2024-08-03 | 7.5 High |
| Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted. | ||||
| CVE-2021-20162 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-08-03 | 4.9 Medium |
| Trendnet AC2600 TEW-827DRU version 2.08B01 stores credentials in plaintext. Usernames and passwords are stored in plaintext in the config files on the device. For example, /etc/config/cameo contains the admin password in plaintext. | ||||
| CVE-2021-20171 | 1 Netgear | 2 Rax43, Rax43 Firmware | 2024-08-03 | 5.5 Medium |
| Netgear RAX43 version 1.0.3.96 stores sensitive information in plaintext. All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admin password is stored in plaintext in the primary configuration file on the device. | ||||
| CVE-2021-3585 | 1 Openstack | 1 Tripleo Heat Templates | 2024-08-03 | 5.5 Medium |
| A flaw was found in openstack-tripleo-heat-templates. Plain passwords from RHSM exist in the logs during OSP13 deployment with subscription-manager. | ||||
| CVE-2021-3551 | 4 Dogtagpki, Fedoraproject, Oracle and 1 more | 12 Dogtagpki, Fedora, Linux and 9 more | 2024-08-03 | 7.8 High |
| A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality. | ||||
| CVE-2021-3473 | 1 Lenovo | 38 Thinkagile Hx1320, Thinkagile Hx2320, Thinkagile Hx3320 and 35 more | 2024-08-03 | 4.5 Medium |
| An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC. | ||||
| CVE-2021-1865 | 1 Apple | 2 Ipados, Iphone Os | 2024-08-03 | 5.0 Medium |
| An issue obscuring passwords in screenshots was addressed with improved logic. This issue is fixed in iOS 14.5 and iPadOS 14.5. A user's password may be visible on screen. | ||||
| CVE-2021-0337 | 1 Google | 1 Android | 2024-08-03 | 7.8 High |
| In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195 | ||||
| CVE-2022-45868 | 1 H2database | 1 H2 | 2024-08-03 | 8.4 High |
| The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220. | ||||
| CVE-2022-48310 | 1 Sophos | 1 Connect | 2024-08-03 | 5.5 Medium |
| An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90. | ||||
| CVE-2022-48073 | 1 Phicomm | 2 K2, K2 Firmware | 2024-08-03 | 7.5 High |
| Phicomm K2G v22.6.3.20 was discovered to store the root and admin passwords in plaintext. | ||||
| CVE-2022-48071 | 1 Phicomm | 2 K2, K2 Firmware | 2024-08-03 | 7.5 High |
| Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext. | ||||
| CVE-2022-46155 | 1 Airtable | 1 Airtable | 2024-08-03 | 7.6 High |
| Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code. | ||||
| CVE-2022-46141 | 1 Siemens | 1 Simatic Step 7 | 2024-08-03 | 4.2 Medium |
| A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions < V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application. | ||||
| CVE-2022-45897 | 1 Xerox | 2 Workcentre 3550, Workcentre 3550 Firmware | 2024-08-03 | 6.5 Medium |
| On Xerox WorkCentre 3550 25.003.03.000 devices, an authenticated attacker can view the SMB server settings and can obtain the stored cleartext credentials associated with those settings. | ||||