Search Results (4595 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-43013 1 Jetbrains 1 Toolbox 2025-04-23 6.9 Medium
In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible
CVE-2022-46685 1 Gitea 1 Gitea 2025-04-23 4.3 Medium
In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.
CVE-2024-41290 1 Flatpress 1 Flatpress 2025-04-23 8.1 High
FlatPress CMS v1.3.1 1.3 was discovered to use insecure methods to store authentication data via the cookie's component.
CVE-2022-40939 1 Secu 2 Secustation, Secustation Firmware 2025-04-22 4.9 Medium
In certain Secustation products the administrator account password can be read. This affects V2.5.5.3116-S50-SMA-B20171107A, V2.3.4.1301-M20-TSA-B20150617A, V2.5.5.3116-S50-RXA-B20180502A, V2.5.5.3116-S50-SMA-B20190723A, V2.5.5.3116-S50-SMB-B20161012A, V2.3.4.2103-S50-NTD-B20170508B, V2.5.5.3116-S50-SMB-B20160601A, V2.5.5.2601-S50-TSA-B20151229A, and V2.5.5.3116-S50-SMA-B20170217.
CVE-2022-31004 1 Mitre 1 Cve-services 2025-04-22 7.5 High
CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch.
CVE-2022-39364 1 Nextcloud 2 Nextcloud Enterprise Server, Nextcloud Server 2025-04-22 4 Medium
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`.
CVE-2022-43724 1 Siemens 1 Sicam Pas\/pqs 2025-04-22 9.8 Critical
A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the by default enabled xp_cmdshell feature unauthenticated remote attackers could execute custom OS commands. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions.
CVE-2022-31697 1 Vmware 2 Cloud Foundation, Vcenter Server 2025-04-22 5.5 Medium
The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.
CVE-2020-9420 1 Arcadyan 2 Vrv9506jac23, Vrv9506jac23 Firmware 2025-04-22 6.5 Medium
The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.
CVE-2022-43958 1 Siemens 1 Qms Automotive 2025-04-21 7.6 High
A vulnerability has been identified in QMS Automotive (All versions < V12.39), QMS Automotive (All versions < V12.39). User credentials are stored in plaintext in the database without any hashing mechanism. This could allow an attacker to gain access to credentials and impersonate other users.
CVE-2015-7256 1 Zyxel 50 C1000z, C1000z Firmware, Fr1000z and 47 more 2025-04-20 N/A
ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-B30A, and VSG1435-B101 DSL CPEs; PMG5318-B20A GPONs; SBG3300-N000, SBG3300-NB00, and SBG3500-N000 small business gateways; GS1900-8 and GS1900-24 switches; and C1000Z, Q1000, FR1000Z, and P8702N project models use non-unique X.509 certificates and SSH host keys.
CVE-2016-7585 1 Apple 1 Mac Os X 2025-04-20 N/A
An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves mishandling of DMA in the "EFI" component. It allows physically proximate attackers to discover the FileVault 2 encryption password via a crafted Thunderbolt adapter.
CVE-2017-14486 1 Vibease 2 Chat, Wireless Remote Vibrator 2025-04-20 N/A
The Vibease Wireless Remote Vibrator app for Android and the Vibease Chat app for iOS use cleartext to exchange messages with other apps and the PLAIN SASL mechanism to send auth tokens to Vibease servers, which allows remote attackers to obtain user credentials, messages, and other sensitive information by sniffing the network for XMPP traffic.
CVE-2017-5259 1 Cambiumnetworks 10 Cnpilot E400, Cnpilot E400 Firmware, Cnpilot E410 and 7 more 2025-04-20 N/A
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://<device-ip-or-hostname>/adm/syscmd.asp.
CVE-2017-12817 1 Kaspersky 1 Internet Security 2025-04-20 7.5 High
In Kaspersky Internet Security for Android 11.12.4.1622, some of the application trace files were not encrypted.
CVE-2015-4056 1 Dell 1 Vce Vision Intelligent Operations 2025-04-20 6.7 Medium
The System Library in VCE Vision Intelligent Operations before 2.6.5 does not properly implement cryptography, which makes it easier for local users to discover credentials by leveraging administrative access.
CVE-2017-3218 1 Samsung 1 Magician 2025-04-20 N/A
Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates.
CVE-2017-5652 1 Apache 1 Impala 2025-04-20 N/A
During a routine security analysis, it was found that one of the ports in Apache Impala (incubating) 2.7.0 to 2.8.0 sent data in plaintext even when the cluster was configured to use TLS. The port in question was used by the StatestoreSubscriber class which did not use the appropriate secure Thrift transport when TLS was turned on. It was therefore possible for an adversary, with access to the network, to eavesdrop on the packets going to and coming from that port and view the data in plaintext.
CVE-2017-14953 1 Hikvision 2 Ds-2cd2432f-iw, Ds-2cd2432f-iw Firmware 2025-04-20 N/A
HikVision Wi-Fi IP cameras, when used in a wired configuration, allow physically proximate attackers to trigger association with an arbitrary access point by leveraging a default SSID with no WiFi encryption or authentication. NOTE: Vendor states that this is not a vulnerability, but more an increase to the attack surface of the product
CVE-2017-2723 1 Huawei 1 Files 2025-04-20 N/A
The Files APP 7.1.1.308 and earlier versions in some Huawei mobile phones has a vulnerability of plaintext storage of users' Safe passwords. An attacker with the root privilege of an Android system could forge the Safe to read users' plaintext Safe passwords, leading to information leak.