CVE & Exploit Intelligence Database

Updated 1h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,274 with exploits; 4,730 exploited in wild; 1,542 CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,563 researchers
1,290 results
CVE-2023-23466 6.5 MEDIUM EPSS 0.00
Mediacp Media Control Panel - Insufficiently Protected Credentials
Media CP Media Control Panel latest version. Insufficiently protected credential change.
CWE-522 Feb 15, 2023
CVE-2023-23463 5.3 MEDIUM EPSS 0.00
Sunellsecurity Sn-xvr3804e1 Firmware - Insufficiently Protected Cre...
Sunell DVR, latest version, Insufficiently Protected Credentials (CWE-522) may be exposed through an unspecified request.
CWE-522 Feb 15, 2023
CVE-2023-25191 7.5 HIGH EPSS 0.00
AMI Megarac Sp-x - Insufficiently Protected Credentials
AMI MegaRAC SPX devices allow Password Disclosure through Redfish. The fixed versions are SPx_12-update-7.00 and SPx_13-update-5.00.
CWE-522 Feb 15, 2023
CVE-2022-41564 6.8 MEDIUM EPSS 0.00
TIBCO Hawk & TIBCO Operational Intelligence Hawk RedTail <6.2.1, <7...
The Hawk Console component of TIBCO Software Inc.'s TIBCO Hawk and TIBCO Operational Intelligence Hawk RedTail contains a vulnerability that will return the EMS transport password and EMS SSL password to a privileged user. Affected releases are TIBCO Software Inc.'s TIBCO Hawk: versions 6.1.0 through 6.2.1 and TIBCO Operational Intelligence Hawk RedTail: versions 7.0.0 through 7.2.0.
CWE-522 Feb 14, 2023
CVE-2023-24619 5.5 MEDIUM EPSS 0.00
Redpanda <22.3.12 - Info Disclosure
Redpanda before 22.3.12 discloses cleartext AWS credentials. The import functionality in the rpk binary logs an AWS Access Key ID and Secret in cleartext to standard output, allowing a local user to view the key in the console, or in Kubernetes logs if stdout output is collected. The fixed versions are 22.3.12, 22.2.10, and 22.1.12.
CWE-522 Feb 13, 2023
CVE-2022-43460 7.5 HIGH EPSS 0.00
Driver Distributor <2.2.3.1 - Info Disclosure
Driver Distributor v2.2.3.1 and earlier contains a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator's credentials may be decrypted.
CWE-522 Feb 13, 2023
CVE-2022-34445 6.0 MEDIUM EPSS 0.00
Dell Powerscale Onefs - Insufficiently Protected Credentials
Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.
CWE-261 Feb 11, 2023
CVE-2022-32520 8.0 HIGH EPSS 0.00
Schneider-electric Data Center Expert - Insufficiently Protected Cr...
A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32518. Affected Products: Data Center Expert (Versions prior to V7.9.0)
CWE-522 Jan 30, 2023
CVE-2022-32519 8.0 HIGH EPSS 0.00
Data Center Expert <7.9.0 - Info Disclosure
A CWE-257: Storing Passwords in a Recoverable Format vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. Affected Products: Data Center Expert (Versions prior to V7.9.0)
CWE-522 Jan 30, 2023
CVE-2022-32518 8.0 HIGH EPSS 0.00
Schneider-electric Data Center Expert - Insufficiently Protected Cr...
A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32520. Affected Products: Data Center Expert (Versions prior to V7.9.0)
CWE-522 Jan 30, 2023
CVE-2022-46967 9.8 CRITICAL EPSS 0.01
Revenue Collection System v1.0 - Info Disclosure
An access control issue in Revenue Collection System v1.0 allows unauthenticated attackers to view the contents of /admin/DBbackup/ directory.
CWE-522 Jan 26, 2023
CVE-2022-4693 9.8 CRITICAL EPSS 0.10
User Verification WordPress <1.0.94 - Auth Bypass
The User Verification WordPress plugin before 1.0.94 was affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the website.
CWE-522 Jan 23, 2023
CVE-2022-38469 7.5 HIGH EPSS 0.00
GE Proficy Historian 7.0 through 2023 - Information Disclosure
An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.
CWE-522 Jan 18, 2023
CVE-2022-23538 5.2 MEDIUM 1 Writeup EPSS 0.00
Sylabs Singularity Container Services... - Insufficiently Protected Credentials
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time.
CWE-522 Jan 17, 2023
CVE-2022-41859 7.5 HIGH 1 Writeup EPSS 0.00
Freeradius - Info Disclosure
In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
CWE-522 Jan 17, 2023
CVE-2021-36204 7.8 HIGH EPSS 0.00
Johnsoncontrols Metasys Application And Data Server < 10.1.6 - Insufficiently Protected Credentials
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
CWE-522 Jan 13, 2023
CVE-2016-15014 3.3 LOW EPSS 0.00
CESNET theme-cesnet <2.0.0 - Info Disclosure
A vulnerability has been found in CESNET theme-cesnet up to 1.x on ownCloud and classified as problematic. Affected by this vulnerability is an unknown functionality of the file cesnet/core/lostpassword/templates/resetpassword.php. The manipulation leads to insufficiently protected credentials. Attacking locally is a requirement. Upgrading to version 2.0.0 is able to address this issue. The identifier of the patch is 2b857f2233ce5083b4d5bc9bfc4152f933c3e4a6. It is recommended to upgrade the affected component. The identifier VDB-217633 was assigned to this vulnerability.
CWE-522 Jan 07, 2023
CVE-2022-2967 6.5 MEDIUM EPSS 0.00
Prosysopc UA Modbus Server - Insufficiently Protected Credentials
Prosys OPC UA Simulation Server version prior to v5.3.0-64 and UA Modbus Server versions 1.4.18-5 and prior do not sufficiently protect credentials, which could allow an attacker to obtain user credentials and gain access to system data.
CWE-522 Jan 03, 2023
CVE-2022-22458 6.3 MEDIUM EPSS 0.00
IBM Security Verify Governance, Identity Manager 10.0.1 - Info Disc...
IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID: 225009.
CWE-522 Dec 22, 2022
CVE-2022-4612 4.3 MEDIUM EPSS 0.00
Click Studios Passwordstate - Info Disclosure
A vulnerability has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as problematic. This vulnerability affects unknown code. The manipulation leads to insufficiently protected credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-216274 is the identifier assigned to this vulnerability.
CWE-522 Dec 19, 2022