Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-522
Total 807 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-20597 1 Mitsubishielectric 16 R08psfcpu, R08psfcpu Firmware, R08sfcpu and 13 more 2022-10-14 6.4 MEDIUM 9.1 CRITICAL
Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series Safety CPU modules R08/16/32/120SFCPU firmware versions "26" and prior and Mitsubishi Electric MELSEC iQ-R series SIL2 Process CPU modules R08/16/32/120PSFCPU all versions allows a remote unauthenticated attacker to login to the target unauthorizedly by sniffing network traffic and obtaining credentials when registering user information in the target or changing a password.
CVE-2020-24396 1 Hom.ee 2 Brain Cube, Brain Cube Core 2022-10-05 5.0 MEDIUM 7.5 HIGH
homee Brain Cube v2 (2.28.2 and 2.28.4) devices have sensitive SSH keys within downloadable and unencrypted firmware images. This allows remote attackers to use the support server as a SOCKS proxy.
CVE-2020-12061 1 Nitrokey 2 Fido U2f, Fido U2f Firmware 2022-10-05 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered in Nitrokey FIDO U2F firmware through 1.1. Communication between the microcontroller and the secure element transmits credentials in plain. This allows an adversary to eavesdrop the communication and derive the secrets stored in the microcontroller. As a result, the attacker is able to arbitrarily manipulate the firmware of the microcontroller.
CVE-2022-39168 1 Ibm 3 Robotic Process Automation, Robotic Process Automation For Cloud Pak, Robotic Process Automation For Services 2022-10-03 N/A 7.5 HIGH
IBM Robotic Process Automation Clients are vulnerable to proxy credentials being exposed in upgrade logs. IBM X-Force ID: 235422.
CVE-2022-37193 1 Chipolo 2 Chipolo, Chipolo One 2022-10-03 N/A 7.4 HIGH
Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app version 4.13.0 is vulnerable to Incorrect Access Control. Chipolo devices suffer from access revocation evasion attacks once the malicious sharee obtains the access credentials.
CVE-2022-39816 1 Nokia 1 1350 Optical Management System 2022-09-30 N/A 6.5 MEDIUM
In NOKIA 1350 OMS R14.2, Insufficiently Protected Credentials (cleartext administrator password) occur in the edit configuration page. Exploitation requires an authenticated attacker.
CVE-2022-29089 1 Dell 1 Smartfabric Os10 2022-09-30 N/A 4.9 MEDIUM
Dell Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an information disclosure vulnerability. A remote, unauthenticated attacker could potentially exploit this vulnerability by reverse engineering to retrieve sensitive information and access the REST API with admin privileges.
CVE-2022-29457 1 Zohocorp 4 Manageengine Adaudit Plus, Manageengine Admanager Plus, Manageengine Adselfservice Plus and 1 more 2022-09-30 6.5 MEDIUM 8.8 HIGH
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
CVE-2021-34560 1 Pepperl-fuchs 4 Wha-gw-f2d2-0-as-z2-eth, Wha-gw-f2d2-0-as-z2-eth.eip, Wha-gw-f2d2-0-as-z2-eth.eip Firmware and 1 more 2022-09-29 2.1 LOW 5.5 MEDIUM
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.9 a form contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user's computer. Therefore the user must have logged in at least once.
CVE-2020-8183 1 Nextcloud 1 Nextcloud Server 2022-09-27 5.0 MEDIUM 7.5 HIGH
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
CVE-2020-8259 1 Nextcloud 1 Nextcloud Server 2022-09-27 5.5 MEDIUM 8.1 HIGH
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.
CVE-2020-8152 1 Nextcloud 1 Nextcloud Server 2022-09-27 2.1 LOW 4.4 MEDIUM
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.
CVE-2022-41247 1 Jenkins 1 Bigpanda Notifier 2022-09-22 N/A 4.3 MEDIUM
Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CVE-2022-36617 1 Haystacksoftware 1 Arq Backup 2022-09-14 N/A 4.9 MEDIUM
Arq Backup 7.19.5.0 and below stores backup encryption passwords using reversible encryption. This issue allows attackers with administrative privileges to recover cleartext passwords.
CVE-2021-20260 1 Theforeman 1 Foreman 2022-09-01 N/A 7.8 HIGH
A flaw was found in the Foreman project. The Datacenter plugin exposes the password through the API to an authenticated local attacker with view_hosts permission. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-23019 1 F5 1 Nginx Controller 2022-08-30 6.9 MEDIUM 7.8 HIGH
The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.
CVE-2022-34838 1 Abb 1 Zenon 2022-08-30 N/A 8.4 HIGH
Storing Passwords in a Recoverable Format vulnerability in ABB Zenon 8.20 allows an attacker who successfully exploit the vulnerability may add or alter data points and corresponding attributes. Once such engineering data is used the data visualization will be altered for the end user.
CVE-2021-23207 1 Fresenius-kabi 7 Agilia Connect, Agilia Partner Maintenance Software, Link\+ Agilia and 4 more 2022-08-30 2.1 LOW 5.5 MEDIUM
An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users. An attacker could manipulate RabbitMQ queues and messages by impersonating users.
CVE-2012-5627 2 Mariadb, Oracle 2 Mariadb, Mysql 2022-08-29 4.0 MEDIUM N/A
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
CVE-2018-1139 3 Canonical, Redhat, Samba 5 Ubuntu Linux, Enterprise Linux Desktop, Enterprise Linux Server and 2 more 2022-08-29 4.3 MEDIUM 8.1 HIGH
A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.