Total
381 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-41740 | 3 Ibm, Microsoft, Redhat | 4 Robotic Process Automation, Robotic Process Automation For Cloud Pak, Windows and 1 more | 2023-01-11 | N/A | 4.6 MEDIUM |
IBM Robotic Process Automation 20.12 through 21.0.6 could allow an attacker with physical access to the system to obtain highly sensitive information from system memory. IBM X-Force ID: 238053. | |||||
CVE-2021-30997 | 1 Apple | 2 Ipados, Iphone Os | 2023-01-09 | 5.0 MEDIUM | 7.5 HIGH |
A S/MIME issue existed in the handling of encrypted email. This issue was addressed by not automatically loading some MIME parts. This issue is fixed in iOS 15.2 and iPadOS 15.2. An attacker may be able to recover plaintext contents of an S/MIME-encrypted e-mail. | |||||
CVE-2022-37785 | 1 Wecube-platform Project | 1 Wecube-platform | 2023-01-09 | N/A | 7.5 HIGH |
An issue was discovered in WeCube Platform 3.2.2. Cleartext passwords are displayed in the configuration for terminal plugins. | |||||
CVE-2022-24120 | 1 Ge | 16 Inet 900, Inet 900 Firmware, Inet Ii 900 and 13 more | 2023-01-05 | N/A | 4.6 MEDIUM |
Certain General Electric Renewable Energy products store cleartext credentials in flash memory. This affects iNET and iNET II before 8.3.0. | |||||
CVE-2022-22457 | 2 Ibm, Linux | 2 Security Verify Governance, Linux Kernel | 2022-12-28 | N/A | 4.4 MEDIUM |
IBM Security Verify Governance, Identity Manager 10.0.1 stores sensitive information including user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 225007. | |||||
CVE-2022-47512 | 2 Microsoft, Solarwinds | 2 Windows, Solarwinds Platform | 2022-12-27 | N/A | 5.5 MEDIUM |
Sensitive information was stored in plain text in a file that is accessible by a user with a local account in Hybrid Cloud Observability (HCO)/ SolarWinds Platform 2022.4. No other versions are affected | |||||
CVE-2022-31697 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2022-12-15 | N/A | 5.5 MEDIUM |
The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation. | |||||
CVE-2022-4312 | 1 Arcinformatique | 1 Pcvue | 2022-12-15 | N/A | 5.5 MEDIUM |
A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. This could allow an unauthorized user with access the email and short messaging service (SMS) accounts configuration files to discover the associated simple mail transfer protocol (SMTP) account credentials and the SIM card PIN code. Successful exploitation of this vulnerability could allow an unauthorized user access to the underlying email account and SIM card. | |||||
CVE-2019-4314 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2022-12-12 | 5.0 MEDIUM | 7.5 HIGH |
IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores sensitive information in cleartext within a resource that might be accessible to another control sphere. IBM X-Force ID: 1610141. | |||||
CVE-2021-39077 | 1 Ibm | 1 Security Guardium | 2022-12-08 | N/A | 4.4 MEDIUM |
IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587. | |||||
CVE-2021-33716 | 1 Siemens | 4 Simatic Cp 1543-1, Simatic Cp 1543-1 Firmware, Simatic Cp 1545-1 and 1 more | 2022-12-08 | 3.3 LOW | 6.5 MEDIUM |
A vulnerability has been identified in SIMATIC CP 1543-1 (incl. SIPLUS variants) (All versions < V3.0), SIMATIC CP 1545-1 (All versions < V1.1). An attacker with access to the subnet of the affected device could retrieve sensitive information stored in cleartext. | |||||
CVE-2022-2513 | 1 Hitachienergy | 6 650connectivitypackage, 670connectivitypackage, Gms600connectivitypackage and 3 more | 2022-12-08 | N/A | 5.5 MEDIUM |
A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database. An attacker who manages to get access to the exported backup file can exploit the vulnerability and obtain credentials of the IEDs. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs. | |||||
CVE-2019-4566 | 1 Ibm | 1 Security Key Lifecycle Manager | 2022-12-07 | 2.1 LOW | 5.5 MEDIUM |
IBM Security Key Lifecycle Manager 3.0 and 3.0.1 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 166627. | |||||
CVE-2022-35120 | 1 Ixpdata | 1 Easyinstall | 2022-12-06 | N/A | 8.8 HIGH |
IXPdata EasyInstall 6.6.14725 contains an access control issue. | |||||
CVE-2022-41933 | 1 Xwiki | 1 Xwiki | 2022-12-02 | N/A | 6.5 MEDIUM |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When the `reset a forgotten password` feature of XWiki was used, the password was then stored in plain text in database. This only concerns XWiki 13.1RC1 and newer versions. Note that it only concerns the reset password feature available from the "Forgot your password" link in the login view: the features allowing a user to change their password, or for an admin to change a user password are not impacted. This vulnerability is particularly dangerous in combination with other vulnerabilities allowing to perform data leak of personal data from users, such as GHSA-599v-w48h-rjrm. Note that this vulnerability only concerns the users of the main wiki: in case of farms, the users registered on subwiki are not impacted thanks to a bug we discovered when investigating this. The problem has been patched in version 14.6RC1, 14.4.3 and 13.10.8. The patch involves a migration of the impacted users as well as the history of the page, to ensure no password remains in plain text in the database. This migration also involves to inform the users about the possible disclosure of their passwords: by default, two emails are automatically sent to the impacted users. A first email to inform about the possibility that their password have been leaked, and a second email using the reset password feature to ask them to set a new password. It's also possible for administrators to set some properties for the migration: it's possible to decide if the user password should be reset (default) or if the passwords should be kept but only hashed. Note that in the first option, the users won't be able to login anymore until they set a new password if they were impacted. Note that in both options, mails will be sent to users to inform them and encourage them to change their passwords. | |||||
CVE-2022-24188 | 1 Sz-fujia | 1 Ourphoto | 2022-12-01 | N/A | 7.5 HIGH |
The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality. | |||||
CVE-2022-45868 | 1 H2database | 1 H2 | 2022-11-30 | N/A | 7.8 HIGH |
The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." | |||||
CVE-2022-25164 | 1 Mitsubishielectric | 2 Gx Works3, Mx Opc Ua Module Configurator-r | 2022-11-28 | N/A | 7.5 HIGH |
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 all versions and Mitsubishi Electric MX OPC UA Module Configurator-R all versions allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthorized users can gain unauthorized access to the CPU module and the OPC UA server module. | |||||
CVE-2022-29826 | 1 Mitsubishielectric | 1 Gx Works3 | 2022-11-28 | N/A | 7.5 HIGH |
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions 1.086Q and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthorized users may view or execute programs illegally. | |||||
CVE-2022-29832 | 1 Mitsubishielectric | 1 Gx Works3 | 2022-11-28 | N/A | 6.5 MEDIUM |
Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthorized attacker to disclose sensitive information. As a result, unauthorized users could obtain information about the project file for MELSEC safety CPU modules. |