Filtered by CWE-522
Total 1151 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-12452 1 Traefik 1 Traefik 2024-11-21 N/A
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.
CVE-2019-12423 3 Apache, Oracle, Redhat 14 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 11 more 2024-11-21 7.5 High
Apache CXF ships with an OpenID Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However, it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned from this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CVE-2019-12171 1 Dropbox 1 Dropbox 2024-11-21 N/A
Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 stores cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process.
CVE-2019-12046 2 Debian, Lemonldap-ng 2 Debian Linux, Lemonldap\ 2024-11-21 N/A
LemonLDAP::NG -2.0.3 has Incorrect Access Control.
CVE-2019-11885 1 Eye-disk 1 Eyedisk 2024-11-21 N/A
eyeDisk implements the unlock feature by sending a cleartext password. The password can be discovered by sniffing USB traffic or by sending a 06 05 52 41 01 b0 00 00 00 00 00 00 SCSI command.
CVE-2019-11820 1 Synology 1 Calendar 2024-11-21 5.5 Medium
Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline.
CVE-2019-11769 1 Teamviewer 1 Teamviewer 2024-11-21 7.8 High
An issue was discovered in TeamViewer 14.2.2558. Updating the product as a non-administrative user requires entering administrative credentials into the GUI. Subsequently, these credentials are processed in Teamviewer.exe, which allows any application running in the same non-administrative user context to intercept them in cleartext within process memory. By using this technique, a local attacker is able to obtain administrative credentials in order to elevate privileges. This vulnerability can be exploited by injecting code into Teamviewer.exe which intercepts calls to GetWindowTextW and logs the processed credentials.
CVE-2019-11686 1 Westerndigital 118 Sandisk X300 Sd7sb6s-128g, Sandisk X300 Sd7sb6s-128g Firmware, Sandisk X300 Sd7sb6s-256g and 115 more 2024-11-21 5.5 Medium
Western Digital SanDisk X300, X300s, X400, and X600 devices: A vulnerability in the wear-leveling algorithm of the drive may cause cryptographically sensitive parameters (such as data encryption keys) to remain on the drive media after their intended erasure.
CVE-2019-11664 1 Microfocus 1 Service Manager 2024-11-21 6.5 Medium
Clear text password in browser in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure.
CVE-2019-11663 1 Microfocus 1 Service Manager 2024-11-21 6.5 Medium
Clear text credentials are used to access managers app in Tomcat in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure.
CVE-2019-11402 1 Gradle 1 Enterprise 2024-11-21 9.8 Critical
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
CVE-2019-11369 1 Carel 2 Pcoweb Card, Pcoweb Card Firmware 2024-11-21 N/A
An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device.
CVE-2019-11367 1 Auo 1 Solar Data Recorder 2024-11-21 N/A
An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can log in successfully.
CVE-2019-11350 1 Cloudbees 1 Jenkins Operations Center 2024-11-21 N/A
CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.
CVE-2019-11284 1 Pivotal 1 Reactor Netty 2024-11-21 8.6 High
Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.
CVE-2019-11272 3 Debian, Redhat, Vmware 3 Debian Linux, Jboss Fuse, Spring Security 2024-11-21 7.3 High
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
CVE-2019-11271 1 Cloud Foundry 1 Bosh 2024-11-21 7.8 High
Cloud Foundry BOSH 270.x versions prior to v270.1.1 contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest.
CVE-2019-11092 1 Intel 2 Open Cloud Integrity Technology, Openattestation 2024-11-21 4.4 Medium
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2019-10981 1 Schneider-electric 2 Citectscada, Scada Expert Vijeo Citect 2024-11-21 7.8 High
In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials.
CVE-2019-10960 1 Zebra 16 220xi4, 220xi4 Firmware, Zt220 and 13 more 2024-11-21 7.5 High
Zebra Industrial Printers, all versions: Zebra printers are shipped with unrestricted end-user access to front panel options. If the option to use a passcode to limit the functionality of the front panel is applied, specially crafted packets could be sent over the same network to a port on the printer, and the printer will respond with an array of information that includes the front panel passcode for the printer. Once the passcode is retrieved, an attacker must have physical access to the front panel of the printer to enter the passcode to access the full functionality of the front panel.