Filtered by CWE-522
Filtered by vendor Subscriptions
Total 1126 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-9250 2024-12-20 3.3 Low
There is an insufficient authentication vulnerability in some Huawei smart phone. An unauthenticated, local attacker can crafts software package to exploit this vulnerability. Due to insufficient verification, successful exploitation may impact the service. (Vulnerability ID: HWPSIRT-2019-12302) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9250.
CVE-2024-56354 2024-12-20 5.5 Medium
In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission
CVE-2022-33954 1 Ibm 1 Robotic Process Automation 2024-12-19 4.6 Medium
IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 could allow a user with psychical access to the system to obtain sensitive information due to insufficiently protected credentials.
CVE-2023-37400 1 Ibm 1 Aspera Faspex 2024-12-19 7.8 High
IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to escalate their privileges due to insecure credential storage. IBM X-Force ID: 259677.
CVE-2024-54471 1 Apple 1 Macos 2024-12-19 5.5 Medium
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to leak a user's credentials.
CVE-2024-45004 1 Linux 1 Linux Kernel 2024-12-19 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix leak of blob encryption key Trusted keys unseal the key blob on load, but keep the sealed payload in the blob field so that every subsequent read (export) will simply convert this field to hex and send it to userspace. With DCP-based trusted keys, we decrypt the blob encryption key (BEK) in the Kernel due hardware limitations and then decrypt the blob payload. BEK decryption is done in-place which means that the trusted key blob field is modified and it consequently holds the BEK in plain text. Every subsequent read of that key thus send the plain text BEK instead of the encrypted BEK to userspace. This issue only occurs when importing a trusted DCP-based key and then exporting it again. This should rarely happen as the common use cases are to either create a new trusted key and export it, or import a key blob and then just use it without exporting it again. Fix this by performing BEK decryption and encryption in a dedicated buffer. Further always wipe the plain text BEK buffer to prevent leaking the key via uninitialized memory.
CVE-2023-35789 2 Rabbitmq-c Project, Redhat 2 Rabbitmq-c, Enterprise Linux 2024-12-17 5.5 Medium
An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments.
CVE-2019-17082 1 Opentext 1 Accurev For Ldap Integration 2024-12-17 N/A
Insufficiently Protected Credentials vulnerability in OpenText™ AccuRev allows Authentication Bypass. When installed on a Linux or Solaris system the vulnerability could allow anyone who knows a valid AccuRev username can use the AccuRev client to login and gain access to AccuRev source control without knowing the user’s password. This issue affects AccuRev: 2017.1.
CVE-2023-41677 1 Fortinet 2 Fortios, Fortiproxy 2024-12-12 7.5 High
A insufficiently protected credentials in Fortinet FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17 allows attacker to execute unauthorized code or commands via targeted social engineering attack
CVE-2023-27975 1 Schneider-electric 2 Ecostruxure Control Expert, Ecostruxure Process Expert 2024-12-11 7.1 High
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.
CVE-2023-48010 2024-12-11 9.8 Critical
STMicroelectronics SPC58 is vulnerable to Missing Protection Mechanism for Alternate Hardware Interface. Code running as Supervisor on the SPC58 PowerPC microcontrollers may disable the System Memory Protection Unit and gain unabridged read/write access to protected assets.
CVE-2024-50699 2024-12-11 8 High
TP-Link TL-WR845N(UN)_V4_201214, TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain weak default credentials for the Administrator account.
CVE-2024-40583 2024-12-11 9.1 Critical
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials.
CVE-2024-46341 2024-12-11 8 High
TP-Link TL-WR845N(UN)_V4_190219 was discovered to transmit credentials in base64 encoded form, which can be easily decoded by an attacker executing a man-in-the-middle attack.
CVE-2023-42955 1 Claris 1 Filemaker Server 2024-12-10 4.9 Medium
Claris International has successfully resolved an issue of potentially exposing password information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by eliminating the send of Admin Role passwords in the Node.js socket.
CVE-2024-53832 2024-12-10 4.6 Medium
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V05.30). The affected devices contain a secure element which is connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files.
CVE-2024-36460 1 Zabbix 1 Zabbix 2024-12-10 8.1 High
The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.
CVE-2024-9677 1 Zyxel 12 Uos, Usg Flex 100h, Usg Flex 100h Firmware and 9 more 2024-12-06 5.5 Medium
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
CVE-2024-51545 1 Abb 3 Aspect Enterprise, Matrix Series, Nexus Series 2024-12-05 10 Critical
Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list functions.  Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02
CVE-2020-18406 1 Cmseasy 1 Cmseasy 2024-12-05 7.5 High
An issue was discovered in cmseasy v7.0.0 that allows user credentials to be sent in clear text due to no encryption of form data.