CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,278 with exploits; 4,730 exploited in the wild; 1,542 in CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,568 researchers
1,290 results
CVE-2022-22557 7.5 HIGH EPSS 0.00
PowerStore <2.0.1.x - Info Disclosure
PowerStore contains a plain-text password storage vulnerability in PowerStore X and T environments running versions 2.0.0.x and 2.0.1.x. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with the privileges of the compromised account.
CWE-522 Jun 02, 2022
CVE-2022-27776 6.5 MEDIUM EPSS 0.01
Haxx Curl < 7.83.0 - Insufficiently Protected Credentials
An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
CWE-522 Jun 02, 2022
CVE-2022-27774 5.7 MEDIUM EPSS 0.00
Haxx Curl < 7.82.0 - Insufficiently Protected Credentials
An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including curl 7.82.0: when following HTTP(S) redirects is used together with authentication, credentials could leak to other services that exist on different protocols or port numbers.
CWE-522 Jun 02, 2022
CVE-2022-22767 8.8 HIGH EPSS 0.00
BD Pyxis Anesthesia Station ES Firmware - Insufficiently Protected Credentials
Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.
CWE-522 Jun 02, 2022
CVE-2022-1413 5.4 MEDIUM 1 Writeup EPSS 0.00
Gitlab < 14.8.6 - Insufficiently Protected Credentials
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface.
CWE-522 May 19, 2022
CVE-2022-30018 8.8 HIGH 1 Writeup EPSS 0.00
Mobotix Mxcontrolcenter - Insufficiently Protected Credentials
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the machine to gain admin access to the software and gain access to recordings/recording locations.
CWE-522 May 19, 2022
CVE-2022-30952 6.5 MEDIUM EPSS 0.01
Jenkins Pipeline SCM API - Info Disclosure
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.
CWE-522 May 17, 2022
CVE-2022-29588 7.5 HIGH EPSS 0.01
Konicaminolta Bizhub 226i Firmware - Insufficiently Protected Crede...
Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files.
CWE-522 May 16, 2022
CVE-2022-28005 9.8 CRITICAL EXPLOITED EPSS 0.25
3cx < 18.0.3.450 - Insufficiently Protected Credentials
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482.
CWE-522 May 06, 2022
CVE-2021-46440 7.5 HIGH EPSS 0.03
Strapi <3.6.9-4.1.5 - Info Disclosure
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.
CWE-522 May 03, 2022
CVE-2022-26856 8.2 HIGH EPSS 0.00
Dell EMC Repository Manager 3.4.0 - Info Disclosure
Dell EMC Repository Manager version 3.4.0 contains a plain-text password storage vulnerability. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application's database with privileges of the compromised account.
CWE-522 Apr 21, 2022
CVE-2022-24867 7.5 HIGH 1 Writeup EPSS 0.00
Glpi < 10.0.0 - Information Disclosure
GLPI is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. When the config is passed to the JavaScript, some entries are filtered out. The variable ldap_pass is not filtered, so the password for the root DN is visible in the source code of the rendered page. Users are advised to upgrade. There is no known workaround for this issue.
CWE-522 Apr 21, 2022
CVE-2022-27179 4.6 MEDIUM EPSS 0.00
Redlion Da50n Firmware - Insufficiently Protected Credentials
A malicious actor having access to the exported configuration file may obtain the stored credentials and thereby gain access to the protected resource. If the same passwords were used for other resources, further such assets may be compromised.
CWE-522 Apr 20, 2022
CVE-2022-29457 8.8 HIGH 1 PoC Analysis EPSS 0.08
Zohocorp Manageengine Adaudit Plus - Insufficiently Protected Crede...
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
CWE-522 Apr 18, 2022
CVE-2021-3681 5.5 MEDIUM EPSS 0.00
Redhat Ansible Automation Platform - Insufficiently Protected Credentials
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" are included in the ``.tar.gz`` file. This can contain sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the ``no_log`` redaction. Currently, there is no way to deprecate a Collection or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.
CWE-522 Apr 18, 2022
CVE-2022-29052 4.3 MEDIUM EPSS 0.00
Jenkins Google Compute Engine Plugin <4.3.8 - Info Disclosure
Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
CWE-522 Apr 12, 2022
CVE-2022-22550 6.7 MEDIUM EPSS 0.00
Dell PowerScale OneFS >=8.2.2 - Info Disclosure
Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over.
CWE-549 Apr 12, 2022
CVE-2022-24978 8.8 HIGH EPSS 0.00
Zohocorp Manageengine Adaudit Plus < 6.0 - Cleartext Transmission
Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.
CWE-319 Apr 05, 2022
CVE-2022-28651 8.4 HIGH EPSS 0.00
JetBrains IntelliJ IDEA <2021.3.3 - Info Disclosure
In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields.
CWE-522 Apr 05, 2022
CVE-2021-45892 5.9 MEDIUM EPSS 0.00
Softwarebuero Zauner ARC 4.2.0.4 - Info Disclosure
An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. Passwords are stored in a recoverable format.
CWE-522 Apr 05, 2022