Total
1109 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-50310 | 1 Ibm | 1 Cics Transaction Gateway | 2024-11-05 | 4.9 Medium |
IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. | ||||
CVE-2024-45004 | 1 Linux | 1 Linux Kernel | 2024-11-05 | 5.5 Medium |
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix leak of blob encryption key Trusted keys unseal the key blob on load, but keep the sealed payload in the blob field so that every subsequent read (export) will simply convert this field to hex and send it to userspace. With DCP-based trusted keys, we decrypt the blob encryption key (BEK) in the Kernel due hardware limitations and then decrypt the blob payload. BEK decryption is done in-place which means that the trusted key blob field is modified and it consequently holds the BEK in plain text. Every subsequent read of that key thus send the plain text BEK instead of the encrypted BEK to userspace. This issue only occurs when importing a trusted DCP-based key and then exporting it again. This should rarely happen as the common use cases are to either create a new trusted key and export it, or import a key blob and then just use it without exporting it again. Fix this by performing BEK decryption and encryption in a dedicated buffer. Further always wipe the plain text BEK buffer to prevent leaking the key via uninitialized memory. | ||||
CVE-2024-20462 | 1 Cisco | 4 Ata 191, Ata 191 Firmware, Ata 192 and 1 more | 2024-10-31 | 5.5 Medium |
A vulnerability in the web-based management interface of Cisco ATA 190 Series Multiplatform Analog Telephone Adapter firmware could allow an authenticated, local attacker with low privileges to view passwords on an affected device. This vulnerability is due to incorrect sanitization of HTML content from an affected device. A successful exploit could allow the attacker to view passwords that belong to other users. | ||||
CVE-2024-31800 | 1 Gncchome | 2 Gncc C2, Gncc C2 Firmware | 2024-10-30 | 6.8 Medium |
Authentication Bypass in GNCC's GC2 Indoor Security Camera 1080P allows an attacker with physical access to gain a privileged command shell via the UART Debugging Port. | ||||
CVE-2023-49233 | 1 Visual Planning | 1 Admin Center | 2024-10-24 | 8.8 High |
Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level. | ||||
CVE-2024-9677 | 1 Zyxel | 6 Usg Flex 100h Firmware, Usg Flex 100hp Firmware, Usg Flex 200h Firmware and 3 more | 2024-10-23 | 5.5 Medium |
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out. | ||||
CVE-2024-43812 | 1 Kieback\&peter | 10 Ddc4002 Firmware, Ddc4002e Firmware, Ddc4020e Firmware and 7 more | 2024-10-23 | 8.4 High |
Kieback & Peter's DDC4000 series has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system. | ||||
CVE-2024-44000 | 1 Litespeedtech | 1 Litespeed Cache | 2024-10-23 | 9.8 Critical |
Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a before 6.5.0.1. | ||||
CVE-2024-7755 | 2024-10-18 | 8.2 High | ||
The EWON FLEXY 202 transmits credentials using a weak encoding method base64. An attacker who is present in the network can sniff the traffic and decode the credentials. | ||||
CVE-2024-49396 | 1 Elvaco | 1 Cme3100 Firmware | 2024-10-18 | N/A |
The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information. | ||||
CVE-2024-47161 | 1 Jetbrains | 1 Teamcity | 2024-10-11 | 4.3 Medium |
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API | ||||
CVE-2024-34542 | 1 Advantech | 2 Adam-5630, Adam-5630 Firmware | 2024-10-07 | 5.7 Medium |
Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process. | ||||
CVE-2024-37187 | 1 Advantech | 2 Adam-5550, Adam-5550 Firmware | 2024-10-07 | 5.7 Medium |
Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding. | ||||
CVE-2024-39278 | 1 Echostar | 2 Fusion, Hughes Wl3000 | 2024-10-04 | 4.2 Medium |
Credentials to access device configuration information stored unencrypted in flash memory. These credentials would allow read-only access to network configuration information and terminal configuration data. | ||||
CVE-2024-20489 | 1 Cisco | 1 Ios Xr | 2024-10-03 | 8.4 High |
A vulnerability in the storage method of the PON Controller configuration file could allow an authenticated, local attacker with low privileges to obtain the MongoDB credentials. This vulnerability is due to improper storage of the unencrypted database credentials on the device that is running Cisco IOS XR Software. An attacker could exploit this vulnerability by accessing the configuration files on an affected system. A successful exploit could allow the attacker to view MongoDB credentials. | ||||
CVE-2024-3082 | 1 Proges | 3 Sensor Net Connect, Sensor Net Connect Firmware V2, Sensor Net Connect V2 | 2024-09-30 | 4.2 Medium |
A “CWE-256: Plaintext Storage of a Password” affecting the administrative account allows an attacker with physical access to the machine to retrieve the password in cleartext unless specific security measures at other layers (e.g., full-disk encryption) have been enabled. | ||||
CVE-2024-40703 | 1 Ibm | 2 Cognos Analytics, Cognos Analytics Reports | 2024-09-27 | 5.5 Medium |
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and IBM Cognos Analytics Reports for iOS 11.0.0.7 could allow a local attacker to obtain sensitive information in the form of an API key. An attacker could use this information to launch further attacks against affected applications. | ||||
CVE-2024-9014 | 1 Postgresql | 1 Pgadmin 4 | 2024-09-26 | 9.9 Critical |
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data. | ||||
CVE-2024-44815 | 2 Hathway, Skyworthdigital | 3 Skyworth Cm5100-511, Skyworth Cm5100-511 Firmware, Cm5100 Firmware | 2024-09-25 | 8 High |
Vulnerability in Hathway Skyworth Router CM5100 v.4.1.1.24 allows a physically proximate attacker to obtain user credentials via SPI flash Firmware W25Q64JV. | ||||
CVE-2024-47162 | 1 Jetbrains | 1 Youtrack | 2024-09-24 | 4.1 Medium |
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page |