Filtered by CWE-916
Filtered by vendor Subscriptions
Total 91 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-47557 1 Ormazabal 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more 2024-11-21 6.1 Medium
Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions.
CVE-2022-40295 1 Phppointofsale 1 Php Point Of Sale 2024-11-21 4.9 Medium
The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks.
CVE-2022-40258 1 Ami 2 Megarac Spx-12, Megarac Spx-13 2024-11-21 5.3 Medium
AMI Megarac Weak password hashes for Redfish & API
CVE-2022-3010 1 Priva 1 Top Control Suite 2024-11-21 7.5 High
The Priva TopControl Suite contains predictable credentials for the SSH service, based on the Serial number. Which makes it possible for an attacker to calculate the login credentials for the Priva TopControll suite.
CVE-2022-37164 1 Ontrack Project 1 Ontrack 2024-11-21 9.8 Critical
Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.
CVE-2022-37163 1 Ihatetobudget Project 1 Ihatetobudget 2024-11-21 9.8 Critical
Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.
CVE-2022-36071 1 Sftpgo Project 1 Sftpgo 2024-11-21 8.3 High
SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.
CVE-2022-29731 1 Ict 4 Protege Gx, Protege Gx Firmware, Protege Wx and 1 more 2024-11-21 4.3 Medium
An access control issue in ICT Protege GX/WX 2.08 allows attackers to leak SHA1 password hashes of other users.
CVE-2022-26115 1 Fortinet 1 Fortisandbox 2024-11-21 5.4 Medium
A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords.
CVE-2022-24041 1 Siemens 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more 2024-11-21 6.5 Medium
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application stores the PBKDF2 derived key of users passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.
CVE-2022-23348 1 Bigantsoft 1 Bigant Server 2024-11-21 5.3 Medium
BigAnt Software BigAnt Server v5.6.06 was discovered to utilize weak password hashes.
CVE-2022-1235 1 Livehelperchat 1 Live Helper Chat 2024-11-21 8.2 High
Weak secrethash can be brute-forced in GitHub repository livehelperchat/livehelperchat prior to 3.96.
CVE-2022-0022 1 Paloaltonetworks 1 Pan-os 2024-11-21 4.1 Medium
Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to take advantage of this weakness and can acquire those hashes if they are able to gain access to the PAN-OS software configuration. Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. This issue does not impact Prisma Access firewalls. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; All versions of PAN-OS 9.0; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7.
CVE-2021-43989 1 Myscada 1 Mypro 2024-11-21 7.5 High
mySCADA myPRO Versions 8.20.0 and prior stores passwords using MD5, which may allow an attacker to crack the previously retrieved password hashes.
CVE-2021-39182 1 Enrocrypt Project 1 Enrocrypt 2024-11-21 7.5 High
EnroCrypt is a Python module for encryption and hashing. Prior to version 1.1.4, EnroCrypt used the MD5 hashing algorithm in the hashing file. Beginners who are unfamiliar with hashes can face problems as MD5 is considered an insecure hashing algorithm. The vulnerability is patched in v1.1.4 of the product. As a workaround, users can remove the `MD5` hashing function from the file `hashing.py`.
CVE-2021-38979 3 Ibm, Linux, Microsoft 5 Aix, Security Guardium Key Lifecycle Manager, Security Key Lifecycle Manager and 2 more 2024-11-21 7.5 High
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. IBM X-Force ID: 212785.
CVE-2021-38400 1 Bostonscientific 2 Zoom Latitude Pogrammer\/recorder\/monitor 3120, Zoom Latitude Pogrammer\/recorder\/monitor 3120 Firmware 2024-11-21 6.9 Medium
An attacker with physical access to Boston Scientific Zoom Latitude Model 3120 can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute force reverse engineering of the system password.
CVE-2021-38314 1 Redux 1 Gutenberg Template Library \& Redux Framework 2024-11-21 5.3 Medium
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.
CVE-2021-37551 1 Jetbrains 1 Youtrack 2024-11-21 5.3 Medium
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
CVE-2021-36767 1 Digi 37 6350-sr, 6350-sr Firmware, Cm and 34 more 2024-11-21 9.8 Critical
In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully login to the server.