CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,274 with exploits; 4,730 exploited in the wild; 1,542 in CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,555 researchers
1,290 results
CVE-2023-50125 5.9 MEDIUM EPSS 0.00
Hozard Alarm System - Insufficiently Protected Credentials
A default engineer password set on the Hozard alarm system (Alarmsysteem) v1.0 allows an attacker to bring the alarm system to a disarmed state.
CWE-522 Jan 11, 2024
CVE-2023-29447 5.7 MEDIUM EPSS 0.00
PTC Kepware Kepserverex - Insufficiently Protected Credentials
An insufficiently protected credentials vulnerability in KEPServerEX could allow an adversary to capture user credentials as the web server uses basic authentication.
CWE-522 Jan 10, 2024
CVE-2023-6421 7.5 HIGH 1 PoC Analysis NUCLEI EPSS 0.81
WordPress Download Mgr <3.2.83 - Info Disclosure
The Download Manager WordPress plugin before 3.2.83 does not protect file download passwords, leaking the password upon receiving an invalid one.
CWE-522 Jan 01, 2024
CVE-2022-39820 6.5 MEDIUM EPSS 0.00
Nokia Network Functions Manager For T... - Insufficiently Protected Credentials
In Network Element Manager in NOKIA NFM-T R19.9, an Unprotected Storage of Credentials vulnerability occurs under /root/RestUploadManager.xml.DRC and /DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml. A remote user, authenticated to the operating system, with access privileges to the directory /root or /DEPOT, is able to read cleartext credentials to access the web portal NFM-T and control all the PPS Network elements.
CWE-522 Dec 25, 2023
CVE-2023-47741 5.3 MEDIUM EPSS 0.00
IBM Db2 Mirror For I - Insufficiently Protected Credentials
IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim's PC could exploit this vulnerability to gain access to the IBM i operating system. IBM X-Force ID: 272532.
CWE-522 Dec 18, 2023
CVE-2023-6791 4.9 MEDIUM EPSS 0.00
Palo Alto Networks PAN-OS - Info Disclosure
A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface.
CWE-522 Dec 13, 2023
CVE-2023-50770 6.7 MEDIUM EPSS 0.00
Jenkins Openid < 2.6 - Insufficiently Protected Credentials
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.
CWE-522 Dec 13, 2023
CVE-2023-47577 9.8 CRITICAL EPSS 0.00
Relyum Rely-pcie Firmware - Insufficiently Protected Credentials
An issue discovered in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 allows unauthorized password changes because the current password is not checked.
CWE-522 Dec 13, 2023
CVE-2018-16153 7.5 HIGH 1 Writeup EPSS 0.00
Apereo Opencast < 10.6 - Insufficiently Protected Credentials
An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations.
CWE-522 Dec 12, 2023
CVE-2023-47722 6.2 MEDIUM EPSS 0.00
IBM API Connect - Insufficiently Protected Credentials
IBM API Connect V10.0.5.3 and V10.0.6.0 stores user credentials in browser cache which can be read by a local user. IBM X-Force ID: 271912.
CWE-522 Dec 09, 2023
CVE-2023-32268 7.2 HIGH EPSS 0.00
Microfocus Filr < 23.2.1 - Insufficiently Protected Credentials
Exposure of proxy administrator credentials: an authenticated administrator-equivalent Filr user can access the credentials of proxy administrators.
CWE-522 Dec 06, 2023
CVE-2023-49280 7.7 HIGH 1 Writeup EPSS 0.01
XWiki - Info Disclosure
XWiki Change Request is an XWiki application that allows requesting changes on a wiki without publishing them directly. Change Request allows editing any page by default, and the changes are then exported in an XML file that anyone can download. It is therefore possible for an attacker to obtain users' password hashes by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain a password field and that a user can view. This vulnerability impacts all versions of Change Request, but the impact depends on the rights set on the wiki, since it requires the user to have the Change Request right (allowed by default) and view rights on the targeted page. This issue cannot be easily exploited in an automated way. The patch consists of denying users the right to edit pages that contain a password field with Change Request. This means that already existing change requests for those pages won't be removed by the patch; administrators need to take care of them. The patch is provided in Change Request 1.10; administrators should upgrade immediately. It is possible to work around the vulnerability by manually denying the Change Request right on some spaces, such as the XWiki space, which includes any user profile by default.
CWE-522 Dec 04, 2023
CVE-2023-24047 6.8 MEDIUM EPSS 0.00
Connectize AC21000 G6 <641.139.1 - Privilege Escalation
An Insecure Credential Management issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via use of a weak hashing algorithm.
CWE-522 Dec 04, 2023
CVE-2023-44300 5.5 MEDIUM EPSS 0.00
Dell DM5500 5.14.0.0 - Info Disclosure
Dell DM5500 5.14.0.0 contains a plain-text password storage vulnerability in the appliance. A local attacker with privileges could potentially exploit this vulnerability, leading to the disclosure of certain service credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with the privileges of the compromised account.
CWE-522 Dec 04, 2023
CVE-2023-49653 6.5 MEDIUM EPSS 0.00
Jenkins Jira < 3.11 - Insufficiently Protected Credentials
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.
CWE-522 Nov 29, 2023
CVE-2023-6254 8.1 HIGH EPSS 0.00
OTRS <8.0.37 - Info Disclosure
A vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are sent back to the client in the server response. This issue affects OTRS: from 8.0.X through 8.0.37.
CWE-522 Nov 27, 2023
CVE-2023-44303 7.5 HIGH EPSS 0.00
Robware Rvtools < 4.5.0 - Insufficiently Protected Credentials
RVTools, Version 3.9.2 and above, contains a sensitive data exposure vulnerability in the password encryption utility (RVToolsPasswordEncryption.exe) and main application (RVTools.exe). A remote unauthenticated attacker with access to stored encrypted passwords from a user's system could potentially exploit this vulnerability, leading to the disclosure of encrypted passwords in clear text. This vulnerability is caused by an incomplete fix for CVE-2020-27688.
CWE-310 Nov 24, 2023
CVE-2023-41676 4.3 MEDIUM EPSS 0.00
FortiSIEM <7.0.0 - Info Disclosure
An exposure of sensitive information to an unauthorized actor [CWE-200] in FortiSIEM version 7.0.0 and before 6.7.5 may allow an attacker with access to Windows agent logs to obtain the Windows agent password by searching through the logs.
CWE-522 Nov 14, 2023
CVE-2023-26221 5.0 MEDIUM EPSS 0.00
TIBCO Spotfire <12.5.0 - RCE
The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.
CWE-522 Nov 08, 2023
CVE-2023-38548 4.3 MEDIUM EPSS 0.01
Veeam ONE - Info Disclosure
A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
CWE-522 Nov 07, 2023