Filtered by CWE-916
Filtered by vendor Subscriptions
Total 91 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2017-18917 1 Mattermost 1 Mattermost Server 2024-11-21 7.5 High
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
CVE-2017-11131 1 Stashcat 1 Heinekingmedia 2024-11-21 N/A
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. For authentication, the user password is hashed directly with SHA-512 without a salt or another key-derivation mechanism to enable a secure secret for authentication. Moreover, only the first 32 bytes of the hash are used. This allows for easy dictionary and rainbow-table attacks if an attacker has access to the password hash.
CVE-2014-2560 1 Phoner 1 Phonerlite 2024-11-21 7.5 High
The PhonerLite phone before 2.15 provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.
CVE-2014-0083 2 Debian, Net-ldap Project 2 Debian Linux, Net-ldap 2024-11-21 5.5 Medium
The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords.
CVE-2010-2450 2 Debian, Shibboleth 2 Debian Linux, Service Provider 2024-11-21 7.5 High
The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default.
CVE-2009-5139 1 Google 1 Gizmo5 2024-11-21 7.5 High
The SIP implementation on the Gizmo5 software phone provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.
CVE-2008-1526 1 Zyxel 38 P-660h-61, P-660h-61 Firmware, P-660h-63 and 35 more 2024-11-21 7.5 High
ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords.
CVE-2006-1058 3 Avaya, Busybox, Redhat 6 Aura Application Enablement Services, Aura Sip Enablement Services, Message Networking and 3 more 2024-11-21 5.5 Medium
BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
CVE-2005-0408 1 Citrusdb 1 Citrusdb 2024-11-21 9.8 Critical
CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable.
CVE-2002-1657 1 Postgresql 1 Postgresql 2024-11-21 7.5 High
PostgreSQL uses the username for a salt when generating passwords, which makes it easier for remote attackers to guess passwords via a brute force attack.
CVE-2001-0967 1 Arkeia 1 Arkeia 2024-11-21 9.8 Critical
Knox Arkeia server 4.2, and possibly other versions, uses a constant salt when encrypting passwords using the crypt() function, which makes it easier for an attacker to conduct brute force password guessing.