Total
807 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-15341 | 1 Zyxel | 1 Cloudcnm Secumanager | 2022-10-27 | N/A | 7.5 HIGH |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated update_all_realm_license API. | |||||
CVE-2022-28774 | 1 Sap | 1 Host Agent | 2022-10-26 | 1.9 LOW | 5.5 MEDIUM |
Under certain conditions, the SAP Host Agent logfile shows information which would otherwise be restricted. | |||||
CVE-2020-21994 | 1 Ave | 13 53ab-wbs, 53ab-wbs Firmware, Dominaplus and 10 more | 2022-10-26 | 7.5 HIGH | 9.8 CRITICAL |
AVE DOMINAplus <=1.10.x suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/authClients.xml' and obtain administrative login information that allows for a successful authentication bypass attack. | |||||
CVE-2021-30169 | 1 Meritlilin | 82 P2g1022, P2g1022 Firmware, P2g1022x and 79 more | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant user’s credential. | |||||
CVE-2021-30168 | 1 Meritlilin | 82 P2g1022, P2g1022 Firmware, P2g1022x and 79 more | 2022-10-25 | 7.5 HIGH | 9.8 CRITICAL |
The sensitive information of webcam device is not properly protected. Remote attackers can unauthentically grant administrator’s credential and further control the devices. | |||||
CVE-2021-32770 | 1 Gatsbyjs | 1 Gatsby-source-wordpress | 2022-10-25 | 5.0 MEDIUM | 7.5 HIGH |
Gatsby is a framework for building websites. The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the `auth: { }` section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run `gatsby clean` followed by a `gatsby build`. One may manually edit the app.js file post-build as a workaround. | |||||
CVE-2021-36309 | 1 Dell | 1 Enterprise Sonic Os | 2022-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensitive information disclosure vulnerability. An authenticated malicious user with access to the system may use the TACACS\Radius credentials stored to read sensitive information and use it in further attacks. | |||||
CVE-2021-21591 | 1 Dell | 3 Emc Unity Operating Environment, Emc Unity Xt Operating Environment, Emc Unityvsa Operating Environment | 2022-10-24 | 4.6 MEDIUM | 6.7 MEDIUM |
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user. | |||||
CVE-2021-21590 | 1 Dell | 3 Emc Unity Operating Environment, Emc Unity Xt Operating Environment, Emc Unityvsa Operating Environment | 2022-10-24 | 4.6 MEDIUM | 6.7 MEDIUM |
Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.1.0.0.5.394 contain a plain-text password storage vulnerability. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user. | |||||
CVE-2022-41575 | 1 Gradle | 1 Enterprise | 2022-10-24 | N/A | 7.5 HIGH |
A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3. | |||||
CVE-2020-27831 | 1 Redhat | 1 Quay | 2022-10-21 | 4.0 MEDIUM | 4.3 MEDIUM |
A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications. This flaw allows an attacker to add email addresses they do not own to repository notifications. | |||||
CVE-2021-1589 | 1 Cisco | 1 Sd-wan | 2022-10-21 | 3.5 LOW | 6.5 MEDIUM |
A vulnerability in the disaster recovery feature of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain unauthorized access to user credentials. This vulnerability exists because access to API endpoints is not properly restricted. An attacker could exploit this vulnerability by sending a request to an API endpoint. A successful exploit could allow the attacker to gain unauthorized access to administrative credentials that could be used in further attacks. | |||||
CVE-2020-25184 | 3 Rockwellautomation, Schneider-electric, Xylem | 31 Aadvance Controller, Isagraf Free Runtime, Isagraf Runtime and 28 more | 2022-10-21 | 2.1 LOW | 5.5 MEDIUM |
Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure. | |||||
CVE-2022-22251 | 1 Juniper | 2 Csrx, Junos | 2022-10-21 | N/A | 7.8 HIGH |
On cSRX Series devices software permission issues in the container filesystem and stored files combined with storing passwords in a recoverable format in Juniper Networks Junos OS allows a local, low-privileged attacker to elevate their permissions to take control of any instance of a cSRX software deployment. This issue affects Juniper Networks Junos OS 20.2 version 20.2R1 and later versions prior to 21.2R1 on cSRX Series. | |||||
CVE-2022-43419 | 1 Jenkins | 1 Katalon | 2022-10-20 | N/A | 6.5 MEDIUM |
Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
CVE-2022-29587 | 1 Konicaminolta | 90 Bizhub 226i, Bizhub 226i Firmware, Bizhub 227 and 87 more | 2022-10-19 | 4.7 MEDIUM | 4.0 MEDIUM |
Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges. | |||||
CVE-2019-14840 | 1 Redhat | 1 Decision Manager | 2022-10-19 | N/A | 7.5 HIGH |
A flaw was found in the RHDM, where sensitive HTML form fields like Password has auto-complete enabled which may lead to leak of credentials. | |||||
CVE-2022-28291 | 1 Tenable | 1 Nessus | 2022-10-19 | N/A | 6.5 MEDIUM |
Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets. | |||||
CVE-2022-27206 | 1 Jenkins | 1 Gitlab Authentication | 2022-10-17 | 4.0 MEDIUM | 6.5 MEDIUM |
Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
CVE-2022-31130 | 1 Grafana | 1 Grafana | 2022-10-17 | N/A | 7.5 HIGH |
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication. |