Total
1109 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-27785 | 1 Hcltechsw | 1 Hcl Commerce | 2024-11-21 | 3.9 Low |
| HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website. | ||||
| CVE-2021-27495 | 1 Ypsomed | 2 Mylife, Mylife Cloud | 2024-11-21 | 7.1 High |
| Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,he Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint. | ||||
| CVE-2021-27491 | 1 Ypsomed | 2 Mylife, Mylife Cloud | 2024-11-21 | 7.5 High |
| Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,The Ypsomed mylife Cloud discloses password hashes during the registration process. | ||||
| CVE-2021-27372 | 1 Realtek | 2 Xpon Rtl9601d, Xpon Rtl9601d Software Development Kit | 2024-11-21 | 9.8 Critical |
| Realtek xPON RTL9601D SDK 1.9 stores passwords in plaintext which may allow attackers to possibly gain access to the device with root permissions via the build-in network monitoring tool and execute arbitrary commands. | ||||
| CVE-2021-27187 | 1 Xn--b1agzlht | 1 Fx Aggregator Terminal Client | 2024-11-21 | 7.5 High |
| The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 stores authentication credentials in cleartext in login.sav when the Save Password box is checked. | ||||
| CVE-2021-25742 | 2 Kubernetes, Netapp | 2 Ingress-nginx, Trident | 2024-11-21 | 7.6 High |
| A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster. | ||||
| CVE-2021-25284 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2024-11-21 | 4.4 Medium |
| An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level. | ||||
| CVE-2021-23222 | 2 Postgresql, Redhat | 3 Postgresql, Enterprise Linux, Rhel Software Collections | 2024-11-21 | 5.9 Medium |
| A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. | ||||
| CVE-2021-23207 | 1 Fresenius-kabi | 7 Agilia Connect, Agilia Partner Maintenance Software, Link\+ Agilia and 4 more | 2024-11-21 | 6.5 Medium |
| An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users. An attacker could manipulate RabbitMQ queues and messages by impersonating users. | ||||
| CVE-2021-23196 | 1 Fresenius-kabi | 8 Agilia Connect, Agilia Connect Firmware, Agilia Partner Maintenance Software and 5 more | 2024-11-21 | 7.3 High |
| The web application on Agilia Link+ version 3.0 implements authentication and session management mechanisms exclusively on the client-side and does not protect authentication attributes sufficiently. | ||||
| CVE-2021-23019 | 1 F5 | 1 Nginx Controller | 2024-11-21 | 7.8 High |
| The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. | ||||
| CVE-2021-22923 | 7 Fedoraproject, Haxx, Netapp and 4 more | 25 Fedora, Curl, Cloud Backup and 22 more | 2024-11-21 | 5.3 Medium |
| When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. | ||||
| CVE-2021-22798 | 1 Schneider-electric | 2 Conext Combox, Conext Combox Firmware | 2024-11-21 | 7.5 High |
| A CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause Sensitive data such as login credentials being exposed when a Network is sniffed. Affected Product: Conext� ComBox (All Versions) | ||||
| CVE-2021-22781 | 1 Schneider-electric | 3 Ecostruxure Control Expert, Ecostruxure Process Expert, Remoteconnect | 2024-11-21 | 5.5 Medium |
| Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause a leak of SMTP credential used for mailbox authentication when an attacker can access a project file. | ||||
| CVE-2021-22780 | 1 Schneider-electric | 3 Ecostruxure Control Expert, Ecostruxure Process Expert, Remoteconnect | 2024-11-21 | 7.1 High |
| Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause unauthorized access to a project file protected by a password when this file is shared with untrusted sources. An attacker may bypass the password protection and be able to view and modify a project file. | ||||
| CVE-2021-22778 | 1 Schneider-electric | 3 Ecostruxure Control Expert, Ecostruxure Process Expert, Remoteconnect | 2024-11-21 | 7.1 High |
| Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause protected derived function blocks to be read or modified by unauthorized users when accessing a project file. | ||||
| CVE-2021-22681 | 1 Rockwellautomation | 20 Compact Guardlogix 5370, Compact Guardlogix 5380, Compactlogix 1768 and 17 more | 2024-11-21 | 9.8 Critical |
| Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. | ||||
| CVE-2021-22132 | 3 Elastic, Oracle, Redhat | 4 Elasticsearch, Communications Cloud Native Core Automated Test Suite, Camel Quarkus and 1 more | 2024-11-21 | 4.8 Medium |
| Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2 | ||||
| CVE-2021-22115 | 1 Cloudfoundry | 2 Capi-release, Cf-deployment | 2024-11-21 | 6.5 Medium |
| Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller. | ||||
| CVE-2021-21681 | 1 Jenkins | 1 Nomad | 2024-11-21 | 5.5 Medium |
| Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | ||||