Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-522
Total 807 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-11402 1 Gradle 1 Enterprise 2023-01-20 5.0 MEDIUM 9.8 CRITICAL
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
CVE-2021-36783 1 Suse 1 Rancher 2023-01-18 N/A 8.8 HIGH
A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE Rancher Rancher versions prior to 2.6.4; Rancher versions prior to 2.5.13.
CVE-2016-15014 1 Cesnet 1 Theme-cesnet 2023-01-12 N/A 5.5 MEDIUM
A vulnerability has been found in CESNET theme-cesnet up to 1.x and classified as problematic. Affected by this vulnerability is an unknown functionality of the file cesnet/core/lostpassword/templates/resetpassword.php. The manipulation leads to insufficiently protected credentials. Attacking locally is a requirement. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is 2b857f2233ce5083b4d5bc9bfc4152f933c3e4a6. It is recommended to upgrade the affected component. The identifier VDB-217633 was assigned to this vulnerability.
CVE-2022-2967 1 Prosysopc 2 Ua Modbus Server, Ua Simulation Server 2023-01-10 N/A 7.5 HIGH
Prosys OPC UA Simulation Server version prior to v5.3.0-64 and UA Modbus Server versions 1.4.18-5 and prior do not sufficiently protect credentials, which could allow an attacker to obtain user credentials and gain access to system data.
CVE-2021-22923 5 Fedoraproject, Haxx, Netapp and 2 more 22 Fedora, Curl, Cloud Backup and 19 more 2023-01-05 2.6 LOW 5.3 MEDIUM
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVE-2022-27776 5 Brocade, Debian, Fedoraproject and 2 more 17 Fabric Operating System, Debian Linux, Fedora and 14 more 2023-01-05 4.3 MEDIUM 6.5 MEDIUM
A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
CVE-2022-45423 1 Dahuasecurity 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more 2023-01-04 N/A 7.5 HIGH
Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specific crafted packet to the vulnerable interface (the credentials cannot be directly exploited).
CVE-2022-45424 1 Dahuasecurity 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more 2023-01-04 N/A 5.3 MEDIUM
Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specific crafted packet to the vulnerable interface.
CVE-2022-22458 2 Ibm, Linux 2 Security Verify Governance, Linux Kernel 2022-12-28 N/A 6.5 MEDIUM
IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID: 225009.
CVE-2022-4612 1 Clickstudios 1 Passwordstate 2022-12-23 N/A 6.5 MEDIUM
A vulnerability has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as problematic. This vulnerability affects unknown code. The manipulation leads to insufficiently protected credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-216274 is the identifier assigned to this vulnerability.
CVE-2022-42445 1 Hcltechsw 1 Hcl Launch 2022-12-14 N/A 4.9 MEDIUM
HCL Launch could allow a user with administrative privileges, including "Manage Security" permissions, the ability to recover a credential previously saved for performing authenticated LDAP searches.
CVE-2022-29839 2 Linux, Westerndigital 12 Linux Kernel, My Cloud, My Cloud Dl2100 and 9 more 2022-12-12 N/A 5.5 MEDIUM
Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux.
CVE-2022-30944 1 Intel 2 Active Management Technology, Standard Manageability 2022-12-09 N/A 5.5 MEDIUM
Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.
CVE-2022-30601 1 Intel 2 Active Management Technology, Standard Manageability 2022-12-09 N/A 9.8 CRITICAL
Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access.
CVE-2021-43332 2 Debian, Gnu 2 Debian Linux, Mailman 2022-12-09 4.0 MEDIUM 6.5 MEDIUM
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.
CVE-2017-12123 1 Moxa 2 Edr-810, Edr-810 Firmware 2022-12-08 3.3 LOW 8.8 HIGH
An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to login as admin.
CVE-2017-12127 1 Moxa 2 Edr-810, Edr-810 Firmware 2022-12-08 2.1 LOW 4.4 MEDIUM
A password storage vulnerability exists in the operating system functionality of Moxa EDR-810 V4.1 build 17030317. An attacker with shell access could extract passwords in clear text from the device.
CVE-2020-10710 1 Theforeman 1 Foreman 2022-12-07 N/A 4.4 MEDIUM
A flaw was found where the Plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. This flaw allows an attacker with sufficiently high privileges, such as root, to retrieve the Candlepin plaintext password.
CVE-2022-43442 1 Fsi 2 Fs040u, Fs040u Firmware 2022-12-06 N/A 4.6 MEDIUM
Plaintext storage of a password vulnerability exists in +F FS040U software versions v2.3.4 and earlier, which may allow an attacker to obtain the login password of +F FS040U and log in to the management console.
CVE-2022-46155 1 Airtable 1 Airtable 2022-12-02 N/A 6.4 MEDIUM
Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code.