Total
381 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-31581 | 1 Akkadianlabs | 2 Ova Appliance, Provisioning Manager | 2021-08-03 | 2.1 LOW | 4.4 MEDIUM |
| The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later). | |||||
| CVE-2020-12731 | 1 Magicsmotion | 2 Flamingo 2, Flamingo 2 Firmware | 2021-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| The MagicMotion Flamingo 2 application for Android stores data on an sdcard under com.vt.magicmotion/files/Pictures, whence it can be read by other applications. | |||||
| CVE-2020-22741 | 1 Baidu | 1 Xuperchain | 2021-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users' private key after obtaining the partial signature in multisignature. | |||||
| CVE-2020-4095 | 1 Hcltech | 1 Bigfix Platform | 2021-07-21 | 2.1 LOW | 6.0 MEDIUM |
| "BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access." | |||||
| CVE-2019-9104 | 1 Moxa | 12 Mb3170, Mb3170 Firmware, Mb3180 and 9 more | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. The application's configuration file contains parameters that represent passwords in cleartext. | |||||
| CVE-2020-11826 | 1 Appinghouse | 1 Memono | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Users can lock their notes with a password in Memono version 3.8. Thus, users needs to know a password to read notes. However, these notes are stored in a database without encryption and an attacker can read the password-protected notes without having the password. Notes are stored in the ZENTITY table in the memono.sqlite database. | |||||
| CVE-2020-26816 | 1 Sap | 1 Netweaver Application Server Java | 2021-07-21 | 2.7 LOW | 4.5 MEDIUM |
| SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems. | |||||
| CVE-2020-27986 | 1 Sonarsource | 1 Sonarqube | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it." | |||||
| CVE-2020-35658 | 1 Titanhq | 1 Spamtitan | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted. | |||||
| CVE-2020-3921 | 1 Unisoon | 2 Ultralog Express, Ultralog Express Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page. | |||||
| CVE-2020-4224 | 1 Ibm | 1 Storediq | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| IBM StoredIQ 7.6.0.17 through 7.6.0.20 could disclose sensitive information to a local user due to data in certain directories not being encrypted when it contained symbolic links. IBM X-Force ID: 175133. | |||||
| CVE-2020-5899 | 1 F5 | 1 Nginx Controller | 2021-07-21 | 4.6 MEDIUM | 7.8 HIGH |
| In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code. | |||||
| CVE-2020-9407 | 1 Iblsoft | 1 Online Weather | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie. | |||||
| CVE-2019-18868 | 1 Blaauwproducts | 1 Remote Kiln Control | 2021-07-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Blaauw Remote Kiln Control through v3.00r4 allows an unauthenticated attacker to access MySQL credentials in cleartext in /engine/db.inc, /lang/nl.bak, or /lang/en.bak. | |||||
| CVE-2019-18630 | 1 Xerox | 20 Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure. | |||||
| CVE-2019-18615 | 1 Arista | 1 Cloudvision Portal | 2021-07-21 | 3.5 LOW | 4.9 MEDIUM |
| In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where: 1. Devices have enable mode passwords which are different from the user's login password, OR 2. There are configlet builders that use the Device class and specify username and password explicitly Application logs are not accessible or visible from the CVP GUI. Application logs can only be read by authorized users with privileged access to the VM hosting the CVP application. | |||||
| CVE-2019-16062 | 1 Netsas | 1 Enigma Network Management Solution | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data stored within the SQL database. It is possible for an attacker to expose unencrypted sensitive data. | |||||
| CVE-2019-13021 | 1 Jetstream | 1 Jetselect | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The administrative passwords for all versions of Bond JetSelect are stored within an unprotected file on the filesystem, rather than encrypted within the MySQL database. This backup copy of the passwords is made as part of the installation script, after the administrator has generated a password using ENCtool.jar (see CVE-2019-13022). This allows any low-privilege user who can read this file to trivially obtain the passwords for the administrative accounts of the JetSelect application. The path to the file containing the encoded password hash is /opt/JetSelect/SFC/resources/sfc-general-properties. | |||||
| CVE-2019-12171 | 1 Dropbox | 1 Dropbox | 2021-07-21 | 4.3 MEDIUM | 7.8 HIGH |
| Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process. | |||||
| CVE-2019-10682 | 1 Django-nopassword Project | 1 Django-nopassword | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| django-nopassword before 5.0.0 stores cleartext secrets in the database. | |||||