CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,278 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,568 researchers
1,290 results
CVE-2021-32978 7.5 HIGH EPSS 0.00
Automation Direct CLICK PLC CPU <v3.00 - Info Disclosure
The programming protocol allows for a previously entered password and lock state to be read by an attacker. If the previously entered password was successful, the attacker can then use the password to unlock Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00.
CWE-522 Apr 04, 2022
CVE-2022-1026 8.6 HIGH EXPLOITED 4 PoCs Analysis NUCLEI EPSS 0.88
Kyocera Net Viewer - Insufficiently Protected Credentials
Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function.
CWE-522 Apr 04, 2022
CVE-2021-33024 3.7 LOW EPSS 0.00
Philips Vue PACS <12.2 - Info Disclosure
Philips Vue PACS versions 12.2.x.x and prior transmit or store authentication credentials, but use an insecure method susceptible to unauthorized interception and/or retrieval.
CWE-522 Apr 01, 2022
CVE-2022-26948 5.8 MEDIUM EPSS 0.00
Archer <6.9.1.0 - Info Disclosure
The Archer RSS feed integration for Archer 6.x through 6.9 SP1 (6.9.1.0) is affected by an insecure credential storage vulnerability. A malicious attacker may obtain access to credential information to use it in further attacks.
CWE-522 Mar 30, 2022
CVE-2022-28141 6.5 MEDIUM EPSS 0.00
Jenkins Proxmox < 0.5.0 - Insufficiently Protected Credentials
Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CWE-522 Mar 29, 2022
CVE-2022-28135 6.5 MEDIUM EPSS 0.00
Jenkins Instant-messaging - Insufficiently Protected Credentials
Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CWE-522 Mar 29, 2022
CVE-2022-0738 4.2 MEDIUM EPSS 0.00
GitLab <14.6.5-14.8.2 - Info Disclosure
An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.
CWE-522 Mar 28, 2022
CVE-2022-0862 3.1 LOW EPSS 0.00
Mcafee Epolicy Orchestrator < 5.10.0 - Authentication Bypass
A lack of password change protection vulnerability in a deprecated API of McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10 and the API has now been disabled. Other protection is in place to reduce the likelihood of this being successful through sending a link to a logged-in user.
CWE-522 Mar 23, 2022
CVE-2022-0859 6.5 MEDIUM EPSS 0.00
Mcafee Epolicy Orchestrator - Insufficiently Protected Credentials
McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password.
CWE-522 Mar 23, 2022
CVE-2020-25184 7.8 HIGH EPSS 0.00
Schneider-electric Easergy T300 Firmware - Information Disclosure
Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.
CWE-522 Mar 18, 2022
CVE-2021-39046 4.9 MEDIUM EPSS 0.00
IBM Business Automation Workflow - Insufficiently Protected Credentials
IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 store user credentials in plain clear text which can be read by a privileged user. IBM X-Force ID: 214346.
CWE-522 Mar 18, 2022
CVE-2022-27218 4.3 MEDIUM EPSS 0.00
Jenkins Incapptic Connect Uploader - Insufficiently Protected Crede...
Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
CWE-522 Mar 15, 2022
CVE-2022-27217 6.5 MEDIUM EPSS 0.00
Jenkins Vmware Vrealize Codestream - Insufficiently Protected Crede...
Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
CWE-522 Mar 15, 2022
CVE-2022-27216 6.5 MEDIUM EPSS 0.00
Jenkins Dbcharts < 0.5.2 - Insufficiently Protected Credentials
Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CWE-522 Mar 15, 2022
CVE-2022-27206 6.5 MEDIUM EPSS 0.00
Jenkins Gitlab Authentication - Insufficiently Protected Credentials
Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CWE-522 Mar 15, 2022
CVE-2021-23222 5.9 MEDIUM 1 Writeup EPSS 0.00
SSL - SSRF
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
CWE-522 Mar 02, 2022
CVE-2022-22908 5.5 MEDIUM 1 Writeup EPSS 0.00
Sangfor Vdi Client - Insufficiently Protected Credentials
SangforCSClient.exe in Sangfor VDI Client 5.4.2.1006 allows attackers, when they are able to read process memory, to discover the contents of the Username and Password fields.
CWE-522 Feb 26, 2022
CVE-2022-24610 8.6 HIGH EPSS 0.00
Alecto DVC-215IP <63.1.1.173 - Info Disclosure
Settings/network settings/wireless settings on the Alecto DVC-215IP camera version 63.1.1.173 and below shows the Wi-Fi passphrase hidden, but by editing/removing the style of the password field the password becomes visible which grants access to an internal network connected to the camera.
CWE-522 Feb 24, 2022
CVE-2022-24982 6.5 MEDIUM EPSS 0.00
Jqueryform < 2022-02-05 - Insufficiently Protected Credentials
Forms generated by JQueryForm.com before 2022-02-05 allow a remote authenticated attacker to access the cleartext credentials of all other form users. admin.php contains a hidden base64-encoded string with these credentials.
CWE-522 Feb 16, 2022
CVE-2022-25184 6.5 MEDIUM EPSS 0.00
Jenkins Pipeline < 2.15 - Insufficiently Protected Credentials
Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.
CWE-522 Feb 15, 2022