Total: 1070 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-6969 | 1 Automationdirect | 22 C-more Ea9-rhi, C-more Ea9-rhi Firmware, C-more Ea9-t10cl and 19 more | 2024-08-04 | 9.8 Critical |
It is possible to unmask credentials and other sensitive information on “unprotected” project files, which may allow an attacker to remotely access the C-More Touch Panels EA9 series: firmware versions prior to 6.53 and manipulate system configurations. | ||||
CVE-2020-6794 | 3 Canonical, Mozilla, Redhat | 4 Ubuntu Linux, Thunderbird, Enterprise Linux and 1 more | 2024-08-04 | 6.5 Medium |
If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5. | ||||
CVE-2020-6874 | 1 Zte | 2 Zxiptv, Zxiptv Firmware | 2024-08-04 | 9.1 Critical |
A ZTE product is impacted by the cryptographic issues vulnerability. The encryption algorithm is not properly used, so remote attackers could use this vulnerability for account credential enumeration attack or brute-force attack for password guessing. This affects: ZXIPTV, ZXIPTV-WEB-PV5.09.08.04. | ||||
CVE-2020-6239 | 1 Sap | 1 Business One | 2024-08-04 | 4.4 Medium |
Under certain conditions SAP Business One (Backup service), versions 9.3, 10.0, allows an attacker with admin permissions to view SYSTEM user password in clear text, leading to Information Disclosure. | ||||
CVE-2020-6195 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-04 | 9.8 Critical |
SAP Business Objects Business Intelligence Platform (CMC), version 4.1, 4.2, shows cleartext password in the response, leading to Information Disclosure. It involves social engineering in order to gain access to the system, and if the password is known, it would give administrative rights to the attacker to read/modify/delete the data and rights within the system. | ||||
CVE-2020-5899 | 1 F5 | 1 Nginx Controller | 2024-08-04 | 7.8 High |
In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code. | ||||
CVE-2020-5721 | 1 Mikrotik | 1 Winbox | 2024-08-04 | 5.5 Medium |
MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router. | ||||
CVE-2020-5260 | 7 Canonical, Debian, Fedoraproject and 4 more | 10 Ubuntu Linux, Debian Linux, Fedora and 7 more | 2024-08-04 | 9.3 Critical |
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. | ||||
CVE-2020-5263 | 1 Auth0 | 1 Auth0.js | 2024-08-04 | 5.5 Medium |
auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3. | ||||
CVE-2020-4095 | 1 Hcltech | 1 Bigfix Platform | 2024-08-04 | 6.0 Medium |
"BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access." | ||||
CVE-2020-3841 | 1 Apple | 3 Ipados, Iphone Os, Safari | 2024-08-04 | 6.5 Medium |
The issue was addressed with improved UI handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, Safari 13.0.5. A local user may unknowingly send a password unencrypted over the network. | ||||
CVE-2020-2319 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2024-08-04 | 6.5 Medium |
Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | ||||
CVE-2020-2318 | 1 Jenkins | 1 Mail Commander | 2024-08-04 | 6.5 Medium |
Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | ||||
CVE-2020-2314 | 1 Jenkins | 1 Appspider | 2024-08-04 | 5.5 Medium |
Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | ||||
CVE-2020-2297 | 1 Jenkins | 1 Sms Notification | 2024-08-04 | 3.3 Low |
Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | ||||
CVE-2020-2209 | 1 Jenkins | 1 Testcomplete Support | 2024-08-04 | 4.3 Medium |
Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. | ||||
CVE-2020-2213 | 1 Jenkins | 1 White Source | 2024-08-04 | 4.3 Medium |
Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system. | ||||
CVE-2020-2145 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2024-08-04 | 5.5 Medium |
Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system. | ||||
CVE-2020-2212 | 1 Jenkins | 1 Github Coverage Reporter | 2024-08-04 | 4.3 Medium |
Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration. | ||||
CVE-2020-2291 | 1 Jenkins | 1 Couchdb-statistics | 2024-08-04 | 3.3 Low |
Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |