Total
1109 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-2114 | 1 Jenkins | 1 S3 Publisher | 2024-11-21 | 7.5 High |
| Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | ||||
| CVE-2020-2107 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.3 Medium |
| Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | ||||
| CVE-2020-2095 | 1 Jenkins | 1 Redgate Sql Change Automation | 2024-11-21 | 4.3 Medium |
| Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. | ||||
| CVE-2020-2078 | 1 Sick | 1 Package Analytics | 2024-11-21 | 6.5 Medium |
| Passwords are stored in plain text within the configuration of SICK Package Analytics software up to and including V04.1.1. An authorized attacker could access these stored plaintext credentials and gain access to the ftp service. Storing a password in plaintext allows attackers to easily gain access to systems, potentially compromising personal information or other sensitive information. | ||||
| CVE-2020-29583 | 1 Zyxel | 60 Atp100, Atp100 Firmware, Atp100w and 57 more | 2024-11-21 | 9.8 Critical |
| Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges. | ||||
| CVE-2020-29380 | 1 Vsolcn | 10 V1600d, V1600d-mini, V1600d-mini Firmware and 7 more | 2024-11-21 | 5.9 Medium |
| An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-the-middle attack on the management of the appliance. | ||||
| CVE-2020-29323 | 1 Dlink | 2 Dir-885l-mfc, Dir-885l-mfc Firmware | 2024-11-21 | 7.5 High |
| The D-link router DIR-885L-MFC 1.15b02, v1.21b05 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | ||||
| CVE-2020-29322 | 1 Dlink | 2 Dir-880l, Dir-880l Firmware | 2024-11-21 | 7.5 High |
| The D-Link router DIR-880L 1.07 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | ||||
| CVE-2020-29321 | 1 Dlink | 2 Dir-868l, Dir-868l Firmware | 2024-11-21 | 7.5 High |
| The D-Link router DIR-868L 3.01 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | ||||
| CVE-2020-29054 | 1 Cdatatec | 56 72408a, 72408a Firmware, 9008a and 53 more | 2024-11-21 | 9.8 Critical |
| An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. Attackers can use "show system infor" to discover cleartext TELNET credentials. | ||||
| CVE-2020-29005 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 7.5 High |
| The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure. | ||||
| CVE-2020-28865 | 1 Powerjob | 1 Powerjob | 2024-11-21 | 7.5 High |
| An issue was discovered in PowerJob through 3.2.2, allows attackers to change arbitrary user passwords via the id parameter to /appinfo/save. | ||||
| CVE-2020-28390 | 1 Siemens | 1 Opcenter Execution Core | 2024-11-21 | 5.5 Medium |
| A vulnerability has been identified in Opcenter Execution Core (V8.2), Opcenter Execution Core (V8.3). The application contains an information leakage vulnerability in the handling of web client sessions. A local attacker who has access to the Web Client Session Storage could disclose the passwords of currently logged-in users. | ||||
| CVE-2020-28330 | 1 Barco | 2 Wepresent Wipg-1600w, Wepresent Wipg-1600w Firmware | 2024-11-21 | 6.5 Medium |
| Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device. | ||||
| CVE-2020-28219 | 1 Schneider-electric | 2 Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020 | 2024-11-21 | 7.8 High |
| A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX. | ||||
| CVE-2020-27888 | 1 Ui | 4 Unifi Controller, Unifi Controller Firmware, Unifi Meshing Access Point and 1 more | 2024-11-21 | 7.5 High |
| An issue was discovered on Ubiquiti UniFi Meshing Access Point UAP-AC-M 4.3.21.11325 and UniFi Controller 6.0.28 devices. Cached credentials are not erased from an access point returning wirelessly from a disconnected state. This may provide unintended network access. | ||||
| CVE-2020-27839 | 1 Redhat | 2 Ceph, Ceph Storage | 2024-11-21 | 5.4 Medium |
| A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity. | ||||
| CVE-2020-27831 | 1 Redhat | 1 Quay | 2024-11-21 | 4.3 Medium |
| A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications. This flaw allows an attacker to add email addresses they do not own to repository notifications. | ||||
| CVE-2020-27781 | 2 Fedoraproject, Redhat | 6 Fedora, Ceph, Ceph Storage and 3 more | 2024-11-21 | 7.1 High |
| User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0. | ||||
| CVE-2020-27688 | 1 Robware | 1 Rvtools | 2024-11-21 | 7.5 High |
| RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method from VISKD.cs from the RVTools.exe executable allows for decrypting the encrypted passwords. The accounts used in the configuration files have access to vSphere instances. | ||||