| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Smb4K before 1.1.1 allows remote attackers to obtain credentials via vectors related to the cuid option in the "Additional options" line edit. |
| signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information. |
| rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable |
| D-Link DIR-100 4.03B07 has PPTP and poe information disclosure |
| D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script |
| LastPass prior to 2.5.1 has an insecure PIN implementation. |
| CloudForms stores user passwords in recoverable format |
| Hardcoded WSMan credentials in Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before 3.15 (SMT_X9_315) and firmware for Supermicro X8 generation motherboards before SMT X8 312. |
| The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when leveraging the directory traversal vulnerability in CVE-2013-3311. |
| Brother MFC-9970CDW devices with firmware 0D allow cleartext submission of passwords. |
| webauth before 4.6.1 has authentication credential disclosure |
| General Electric D20ME devices are not properly configured and reveal plaintext passwords. |
| Claws Mail vCalendar plugin: credentials exposed on interface |
| Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved. |
| MySQL-GUI-tools (mysql-administrator) leaks passwords into process list after with launch of mysql text console |
| stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer. |
| In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. An attacker with local access to the server, authenticated as a non-administrative user, can acquire the credentials from the logs. This leads to a high impact on confidentiality, with no impact on integrity or availability. |
| An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package |
| Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send SMTP account passwords to an arbitrary server via HTTP POST request. |
| Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allow remote administrators to read proxy-server accounts passwords via HTTP GET request. |
