Filtered by vendor
Subscriptions
Total
1126 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-9250 | 2024-12-20 | 3.3 Low | ||
There is an insufficient authentication vulnerability in some Huawei smart phone. An unauthenticated, local attacker can crafts software package to exploit this vulnerability. Due to insufficient verification, successful exploitation may impact the service. (Vulnerability ID: HWPSIRT-2019-12302) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9250. | ||||
CVE-2024-56354 | 2024-12-20 | 5.5 Medium | ||
In JetBrains TeamCity before 2024.12 password field value were accessible to users with view settings permission | ||||
CVE-2022-33954 | 1 Ibm | 1 Robotic Process Automation | 2024-12-19 | 4.6 Medium |
IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 could allow a user with psychical access to the system to obtain sensitive information due to insufficiently protected credentials. | ||||
CVE-2023-37400 | 1 Ibm | 1 Aspera Faspex | 2024-12-19 | 7.8 High |
IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to escalate their privileges due to insecure credential storage. IBM X-Force ID: 259677. | ||||
CVE-2024-54471 | 1 Apple | 1 Macos | 2024-12-19 | 5.5 Medium |
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to leak a user's credentials. | ||||
CVE-2024-45004 | 1 Linux | 1 Linux Kernel | 2024-12-19 | 5.5 Medium |
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix leak of blob encryption key Trusted keys unseal the key blob on load, but keep the sealed payload in the blob field so that every subsequent read (export) will simply convert this field to hex and send it to userspace. With DCP-based trusted keys, we decrypt the blob encryption key (BEK) in the Kernel due hardware limitations and then decrypt the blob payload. BEK decryption is done in-place which means that the trusted key blob field is modified and it consequently holds the BEK in plain text. Every subsequent read of that key thus send the plain text BEK instead of the encrypted BEK to userspace. This issue only occurs when importing a trusted DCP-based key and then exporting it again. This should rarely happen as the common use cases are to either create a new trusted key and export it, or import a key blob and then just use it without exporting it again. Fix this by performing BEK decryption and encryption in a dedicated buffer. Further always wipe the plain text BEK buffer to prevent leaking the key via uninitialized memory. | ||||
CVE-2023-35789 | 2 Rabbitmq-c Project, Redhat | 2 Rabbitmq-c, Enterprise Linux | 2024-12-17 | 5.5 Medium |
An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments. | ||||
CVE-2019-17082 | 1 Opentext | 1 Accurev For Ldap Integration | 2024-12-17 | N/A |
Insufficiently Protected Credentials vulnerability in OpenText™ AccuRev allows Authentication Bypass. When installed on a Linux or Solaris system the vulnerability could allow anyone who knows a valid AccuRev username can use the AccuRev client to login and gain access to AccuRev source control without knowing the user’s password. This issue affects AccuRev: 2017.1. | ||||
CVE-2023-41677 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-12-12 | 7.5 High |
A insufficiently protected credentials in Fortinet FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17 allows attacker to execute unauthorized code or commands via targeted social engineering attack | ||||
CVE-2023-27975 | 1 Schneider-electric | 2 Ecostruxure Control Expert, Ecostruxure Process Expert | 2024-12-11 | 7.1 High |
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation. | ||||
CVE-2023-48010 | 2024-12-11 | 9.8 Critical | ||
STMicroelectronics SPC58 is vulnerable to Missing Protection Mechanism for Alternate Hardware Interface. Code running as Supervisor on the SPC58 PowerPC microcontrollers may disable the System Memory Protection Unit and gain unabridged read/write access to protected assets. | ||||
CVE-2024-50699 | 2024-12-11 | 8 High | ||
TP-Link TL-WR845N(UN)_V4_201214, TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain weak default credentials for the Administrator account. | ||||
CVE-2024-40583 | 2024-12-11 | 9.1 Critical | ||
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials. | ||||
CVE-2024-46341 | 2024-12-11 | 8 High | ||
TP-Link TL-WR845N(UN)_V4_190219 was discovered to transmit credentials in base64 encoded form, which can be easily decoded by an attacker executing a man-in-the-middle attack. | ||||
CVE-2023-42955 | 1 Claris | 1 Filemaker Server | 2024-12-10 | 4.9 Medium |
Claris International has successfully resolved an issue of potentially exposing password information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by eliminating the send of Admin Role passwords in the Node.js socket. | ||||
CVE-2024-53832 | 2024-12-10 | 4.6 Medium | ||
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V05.30). The affected devices contain a secure element which is connected via an unencrypted SPI bus. This could allow an attacker with physical access to the SPI bus to observe the password used for the secure element authentication, and then use the secure element as an oracle to decrypt all encrypted update files. | ||||
CVE-2024-36460 | 1 Zabbix | 1 Zabbix | 2024-12-10 | 8.1 High |
The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text. | ||||
CVE-2024-9677 | 1 Zyxel | 12 Uos, Usg Flex 100h, Usg Flex 100h Firmware and 9 more | 2024-12-06 | 5.5 Medium |
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out. | ||||
CVE-2024-51545 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2024-12-05 | 10 Critical |
Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list functions. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | ||||
CVE-2020-18406 | 1 Cmseasy | 1 Cmseasy | 2024-12-05 | 7.5 High |
An issue was discovered in cmseasy v7.0.0 that allows user credentials to be sent in clear text due to no encryption of form data. |