CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,274 with exploits; 4,730 exploited in the wild; 1,542 in CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,563 researchers
1,290 results
CVE-2023-2633 4.3 MEDIUM EPSS 0.00
Jenkins Code Dx Plugin <3.1.0 - Info Disclosure
Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.
CWE-522 May 16, 2023
CVE-2023-2632 4.3 MEDIUM EPSS 0.00
Jenkins Code Dx Plugin <3.1.0 - Info Disclosure
Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CWE-522 May 16, 2023
CVE-2023-33000 7.5 HIGH EPSS 0.00
Jenkins Ns-nd Integration Performance... - Insufficiently Protected Credentials
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form, increasing the potential for attackers to observe and capture them.
CWE-522 May 16, 2023
CVE-2023-32988 4.3 MEDIUM EPSS 0.00
Jenkins Azure VM Agents - Insufficiently Protected Credentials
A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CWE-522 May 16, 2023
CVE-2022-47880 5.3 MEDIUM 1 PoC Analysis EPSS 0.01
Jedox - Insufficiently Protected Credentials
An information disclosure vulnerability in /be/rpc.php in Jedox GmbH Jedox 2020.2.5 allows remote, authenticated users with permissions to modify database connections to disclose a connection's cleartext password via the 'test connection' function.
CWE-522 May 12, 2023
CVE-2022-40685 6.5 MEDIUM EPSS 0.00
Intel Data Center Manager - Insufficiently Protected Credentials
Insufficiently protected credentials in the Intel(R) DCM software before version 5.0.1 may allow an authenticated user to potentially enable information disclosure via network access.
CWE-522 May 10, 2023
CVE-2023-20046 8.8 HIGH EPSS 0.01
Cisco StarOS Software - Privilege Escalation
A vulnerability in the key-based SSH authentication feature of Cisco StarOS Software could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied credentials. An attacker could exploit this vulnerability by sending a valid low-privileged SSH key to an affected device from a host that has an IP address that is configured as the source for a high-privileged user account. A successful exploit could allow the attacker to log in to the affected device through SSH as a high-privileged user. There are workarounds that address this vulnerability.
CWE-522 May 09, 2023
CVE-2023-31136 3.7 LOW 1 Writeup EPSS 0.00
PostgresNIO <1.14.2 - Info Disclosure
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
CWE-522 May 09, 2023
CVE-2023-28764 3.7 LOW EPSS 0.00
SAP BusinessObjects Platform - Info Disclosure
SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.
CWE-522 May 09, 2023
CVE-2023-24506 7.5 HIGH EPSS 0.00
Milesight NCR/camera <71.8.0.6-r5 - Info Disclosure
Milesight NCR/camera version 71.8.0.6-r5 exposes credentials through an unspecified request.
CWE-522 May 08, 2023
CVE-2022-45859 4.1 MEDIUM EPSS 0.00
Fortinet Fortinac < 9.1.8 - Insufficiently Protected Credentials
An insufficiently protected credentials vulnerability [CWE-522] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions, 8.7.0 all versions may allow a local attacker with system access to retrieve users' passwords.
CWE-522 May 03, 2023
CVE-2023-25495 4.9 MEDIUM EPSS 0.00
Lenovo Thinkagile Hx5530 Firmware - Insufficiently Protected Creden...
A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured.
CWE-522 Apr 28, 2023
CVE-2023-2335 6.5 MEDIUM EPSS 0.00
42gears SureLock <2.40.0 - Info Disclosure
A plaintext password in registry vulnerability in 42Gears SureLock Windows surelockwinsetupv2.40.0.Exe on Windows (Registry modules) allows retrieval of admin user credentials. This issue affects SureLock Windows from 2.3.12 through 2.40.0.
CWE-522 Apr 27, 2023
CVE-2023-1778 10.0 CRITICAL EPSS 0.00
GajShield Data Security Firewall <4.28 - Privilege Escalation
This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default credentials, which allow a remote attacker to log in as superuser using the default username/password via the web-based management interface and/or an exposed SSH port, thereby enabling remote attackers to execute arbitrary commands with administrative/superuser privileges on the targeted systems. The vulnerability has been addressed by forcing the user to change the default password to a new non-default password.
CWE-522 Apr 27, 2023
CVE-2023-30846 9.1 CRITICAL 1 Writeup EPSS 0.03
Microsoft Typed-rest-client - Insufficiently Protected Credentials
typed-rest-client is a library for Node REST and HTTP clients with typings for use with TypeScript. Users of the typed-rest-client library version 1.7.3 or lower are vulnerable to leaking authentication data to third parties. The flow of the vulnerability is as follows: First, send any request with `BasicCredentialHandler`, `BearerCredentialHandler` or `PersonalAccessTokenCredentialHandler`. Second, the target host may return a redirection (3xx) with a link to a second host. Third, the next request will use the credentials to authenticate with the second host by setting the `Authorization` header. The expected behavior is that the next request will *NOT* set the `Authorization` header. The problem was fixed in version 1.8.0. There are no known workarounds.
CWE-522 Apr 26, 2023
CVE-2023-26567 8.1 HIGH EPSS 0.00
Sangoma FreePBX <2302 - Info Disclosure
Sangoma FreePBX 1805 through 2302 (when obtained as an .ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call.
CWE-522 Apr 26, 2023
CVE-2023-28084 5.5 MEDIUM EPSS 0.00
HP Oneview < 6.60.04 - Insufficiently Protected Credentials
HPE OneView and HPE OneView Global Dashboard appliance dumps may expose authentication tokens.
CWE-522 Apr 25, 2023
CVE-2023-28090 5.5 MEDIUM EPSS 0.00
HP Oneview < 6.60.04 - Insufficiently Protected Credentials
An HPE OneView appliance dump may expose SNMPv3 read credentials.
CWE-522 Apr 25, 2023
CVE-2023-28089 7.1 HIGH EPSS 0.00
HP Oneview < 6.60.04 - Insufficiently Protected Credentials
An HPE OneView appliance dump may expose FTP credentials for c7000 Interconnect Modules.
CWE-522 Apr 25, 2023
CVE-2023-28088 7.8 HIGH EPSS 0.00
HP Oneview < 6.60.04 - Insufficiently Protected Credentials
An HPE OneView appliance dump may expose SAN switch administrative credentials.
CWE-522 Apr 25, 2023