Total
1070 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-28219 | 1 Schneider-electric | 2 Ecostruxure Geo Scada Expert 2019, Ecostruxure Geo Scada Expert 2020 | 2024-08-04 | 7.8 High |
| A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX. | ||||
| CVE-2020-27888 | 1 Ui | 4 Unifi Controller, Unifi Controller Firmware, Unifi Meshing Access Point and 1 more | 2024-08-04 | 7.5 High |
| An issue was discovered on Ubiquiti UniFi Meshing Access Point UAP-AC-M 4.3.21.11325 and UniFi Controller 6.0.28 devices. Cached credentials are not erased from an access point returning wirelessly from a disconnected state. This may provide unintended network access. | ||||
| CVE-2020-27839 | 1 Redhat | 2 Ceph, Ceph Storage | 2024-08-04 | 5.4 Medium |
| A flaw was found in ceph-dashboard. The JSON Web Token (JWT) used for user authentication is stored by the frontend application in the browser’s localStorage which is potentially vulnerable to attackers via XSS attacks. The highest threat from this vulnerability is to data confidentiality and integrity. | ||||
| CVE-2020-27831 | 1 Redhat | 1 Quay | 2024-08-04 | 4.3 Medium |
| A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications. This flaw allows an attacker to add email addresses they do not own to repository notifications. | ||||
| CVE-2020-27781 | 2 Fedoraproject, Redhat | 6 Fedora, Ceph, Ceph Storage and 3 more | 2024-08-04 | 7.1 High |
| User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0. | ||||
| CVE-2020-27688 | 1 Robware | 1 Rvtools | 2024-08-04 | 7.5 High |
| RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method from VISKD.cs from the RVTools.exe executable allows for decrypting the encrypted passwords. The accounts used in the configuration files have access to vSphere instances. | ||||
| CVE-2020-27554 | 1 Basetech | 2 Ge-131 Bt-1837836, Ge-131 Bt-1837836 Firmware | 2024-08-04 | 7.5 High |
| Cleartext Transmission of Sensitive Information vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 exists which could leak sensitive information transmitted between the mobile app and the camera device. | ||||
| CVE-2020-27557 | 1 Basetech | 2 Ge-131 Bt-1837836, Ge-131 Bt-1837836 Firmware | 2024-08-04 | 5.5 Medium |
| Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text credentials. | ||||
| CVE-2020-27413 | 1 Mahadiscom | 1 Mahavitaran | 2024-08-04 | 4.2 Medium |
| An issue was discovered in Mahavitaran android application 7.50 and below, allows local attackers to read cleartext username and password while the user is logged into the application. | ||||
| CVE-2020-27270 | 1 Sooil | 6 Anydana-a, Anydana-a Firmware, Anydana-i and 3 more | 2024-08-04 | 5.7 Medium |
| SOOIL Developments CoLtd DiabecareRS, AnyDana-i ,AnyDana-A, communication protocol of the insulin pump & AnyDana-i,AnyDana-A mobile apps doesnt use adequate measures to protect encryption keys in transit which allows unauthenticated physically proximate attacker to sniff keys via (BLE). | ||||
| CVE-2020-27258 | 1 Sooil | 4 Anydana-a, Anydana-i, Dana Diabecare Rs and 1 more | 2024-08-04 | 6.5 Medium |
| In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, an information disclosure vulnerability in the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows unauthenticated attackers to extract the pump’s keypad lock PIN via Bluetooth Low Energy. | ||||
| CVE-2020-26508 | 1 Canon | 2 Oce Colorwave 3500, Oce Colorwave 3500 Firmware | 2024-08-04 | 9.8 Critical |
| The WebTools component on Canon Oce ColorWave 3500 5.1.1.0 devices allows attackers to retrieve stored SMB credentials via the export feature, even though these are intentionally inaccessible in the UI. | ||||
| CVE-2020-26515 | 1 Intland | 1 Codebeamer | 2024-08-04 | 7.5 High |
| An insufficiently protected credentials issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The remember-me cookie (CB_LOGIN) issued by the application contains the encrypted user's credentials. However, due to a bug in the application code, those credentials are encrypted using a NULL encryption key. | ||||
| CVE-2020-26149 | 1 Linuxfoundation | 3 Nats.deno, Nats.js, Nats.ws | 2024-08-04 | 7.5 High |
| NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno before 1.0.0-9 allow credential disclosure from a client to a server. | ||||
| CVE-2020-25235 | 1 Siemens | 2 Logo\! 8 Bm, Logo\! 8 Bm Firmware | 2024-08-04 | 7.5 High |
| A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The password used for authentication for the LOGO! Website and the LOGO! Access Tool is sent in a recoverable format. An attacker with access to the network traffic could derive valid logins. | ||||
| CVE-2020-25184 | 3 Rockwellautomation, Schneider-electric, Xylem | 31 Aadvance Controller, Isagraf Free Runtime, Isagraf Runtime and 28 more | 2024-08-04 | 7.8 High |
| Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure. | ||||
| CVE-2020-25175 | 1 Gehealthcare | 224 1.5t Brivo Mr355, 1.5t Brivo Mr355 Firmware, 3.0t Signa Hd 16 and 221 more | 2024-08-04 | 9.8 Critical |
| GE Healthcare Imaging and Ultrasound Products may allow specific credentials to be exposed during transport over the network. | ||||
| CVE-2020-24622 | 1 Sonatype | 1 Nexus | 2024-08-04 | 4.9 Medium |
| In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exposed by an admin user. | ||||
| CVE-2020-24396 | 1 Hom.ee | 2 Brain Cube, Brain Cube Core | 2024-08-04 | 7.5 High |
| homee Brain Cube v2 (2.28.2 and 2.28.4) devices have sensitive SSH keys within downloadable and unencrypted firmware images. This allows remote attackers to use the support server as a SOCKS proxy. | ||||
| CVE-2020-24227 | 1 Playgroundsessions | 1 Playground Sessions | 2024-08-04 | 7.5 High |
| Playground Sessions v2.5.582 (and earlier) for Windows, stores the user credentials in plain text allowing anyone with access to UserProfiles.sol to extract the email and password. | ||||