Filtered by CWE-522
Filtered by vendor Subscriptions
Total 1126 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2014-0184 1 Redhat 2 Cloudforms 3.0 Management Engine, Cloudforms Managementengine 2024-11-21 N/A
Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file.
CVE-2014-0154 2 Ovirt, Redhat 2 Ovirt, Rhev Manager 2024-11-21 N/A
oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2014-0153 2 Ovirt, Redhat 2 Ovirt, Rhev Manager 2024-11-21 N/A
The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page.
CVE-2014-0085 1 Redhat 3 Jboss A-mq, Jboss Amq, Jboss Fuse 2024-11-21 N/A
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
CVE-2014-0040 1 Redhat 1 Openstack 2024-11-21 N/A
OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download (1) packages and (2) signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors.
CVE-2014-0035 2 Apache, Redhat 7 Cxf, Jboss Amq, Jboss Bpms and 4 more 2024-11-21 N/A
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2013-7055 1 Dlink 2 Dir-100, Dir-100 Firmware 2024-11-21 9.8 Critical
D-Link DIR-100 4.03B07 has PPTP and poe information disclosure
CVE-2013-7052 1 Dlink 2 Dir-100, Dir-100 Firmware 2024-11-21 9.8 Critical
D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script
CVE-2013-6372 2 Jenkins-ci, Redhat 2 Subversion-plugin, Openshift 2024-11-21 N/A
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
CVE-2013-5113 1 Logmein 1 Lastpass 2024-11-21 6.8 Medium
LastPass prior to 2.5.1 has an insecure PIN implementation.
CVE-2013-4869 1 Cisco 1 Unified Communications Manager 2024-11-21 N/A
Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) and the IM & Presence Service in Cisco Unified Presence Server through 9.1(2) use the same CTI and database-encryption key across different customers' installations, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key, aka Bug IDs CSCsc69187 and CSCui01756. NOTE: the vendor has provided a statement that the "hard-coded static encryption key is considered a hardening issue rather than a vulnerability, and as such, has a CVSS score of 0/0."
CVE-2013-4423 1 Redhat 2 Cloudforms, Cloudforms Managementengine 2024-11-21 5.5 Medium
CloudForms stores user passwords in recoverable format
CVE-2013-4222 4 Canonical, Fedoraproject, Openstack and 1 more 4 Ubuntu Linux, Fedora, Keystone and 1 more 2024-11-21 N/A
OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
CVE-2013-3620 2 Citrix, Supermicro 10 Netscaler, Netscaler Firmware, Netscaler Sd-wan and 7 more 2024-11-21 7.5 High
Hardcoded WSMan credentials in Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before 3.15 (SMT_X9_315) and firmware for Supermicro X8 generation motherboards before SMT X8 312.
CVE-2013-3313 1 Loftek 2 Nexus 543, Nexus 543 Firmware 2024-11-21 7.5 High
The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when leveraging the directory traversal vulnerability in CVE-2013-3311.
CVE-2013-2672 1 Brother 2 Mfc-9970cdw, Mfc-9970cdw Firmware 2024-11-21 7.5 High
Brother MFC-9970CDW devices with firmware 0D allow cleartext submission of passwords.
CVE-2013-2106 2 Debian, Stanford 2 Debian Linux, Webauth 2024-11-21 7.5 High
webauth before 4.6.1 has authentication credential disclosure
CVE-2012-6663 1 Ge 4 D200, D200 Firmware, D20me and 1 more 2024-11-21 7.5 High
General Electric D20ME devices are not properly configured and reveal plaintext passwords.
CVE-2012-5627 2 Mariadb, Oracle 2 Mariadb, Mysql 2024-11-21 N/A
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
CVE-2012-5527 1 Claws-mail 1 Vcalendar 2024-11-21 5.5 Medium
Claws Mail vCalendar plugin: credentials exposed on interface