CVE & Exploit Intelligence Database

CVE-2021-1126 5.5 MEDIUM EPSS 0.00

A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server. The vulnerability is due to clear-text storage and weak permissions of related configuration files. An attacker could exploit this vulnerability by accessing the CLI of the affected software and viewing the contents of the affected files. A successful exploit could allow the attacker to view the credentials that are used to access the proxy server.

CWE-522 Jan 13, 2021

CVE-2020-4602 4.4 MEDIUM EPSS 0.00

IBM Security Guardium Insights 2.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 184836.

CWE-522 Jan 13, 2021

CVE-2021-21614 5.5 MEDIUM EPSS 0.00

Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CWE-522 Jan 13, 2021

CVE-2021-21612 5.5 MEDIUM EPSS 0.00

Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CWE-522 Jan 13, 2021

CVE-2020-28390 5.5 MEDIUM EPSS 0.00

A vulnerability has been identified in Opcenter Execution Core (V8.2), Opcenter Execution Core (V8.3). The application contains an information leakage vulnerability in the handling of web client sessions. A local attacker who has access to the Web Client Session Storage could disclose the passwords of currently logged-in users.

CWE-522 Jan 12, 2021

CVE-2020-4913 4.4 MEDIUM EPSS 0.00

IBM Cloud Pak System 2.3 could reveal credential information in the HTTP response to a local privileged user. IBM X-Force ID: 191288.

CWE-522 Jan 04, 2021

CVE-2020-2499 6.3 MEDIUM EPSS 0.00

A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password. QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later.

CWE-522 Dec 24, 2020

CVE-2020-29583 9.8 CRITICAL KEV 1 PoC Analysis NUCLEI EPSS 0.94

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

CWE-522 Dec 22, 2020

CVE-2020-24680 7.0 HIGH EPSS 0.00

In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database.

CWE-522 Dec 22, 2020

CVE-2020-27781 7.1 HIGH EPSS 0.00

User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.

CWE-522 Dec 18, 2020

CVE-2019-14480 9.8 CRITICAL EPSS 0.00

AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges.

CWE-311 Dec 16, 2020

CVE-2019-14477 5.5 MEDIUM EPSS 0.00

AdRem NetCrunch 10.6.0.4587 has Improper Credential Storage since the internal user database is readable by low-privileged users and passwords in the database are weakly encoded or encrypted.

CWE-522 Dec 16, 2020

CVE-2020-25235 7.5 HIGH EPSS 0.00

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The password used for authentication for the LOGO! Website and the LOGO! Access Tool is sent in a recoverable format. An attacker with access to the network traffic could derive valid logins.

CWE-522 Dec 14, 2020

CVE-2020-25175 9.8 CRITICAL EPSS 0.00

GE Healthcare Imaging and Ultrasound Products may allow specific credentials to be exposed during transport over the network.

CWE-523 Dec 14, 2020

CVE-2020-28219 7.8 HIGH EPSS 0.00

A CWE-522: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) and EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1), that could cause exposure of credentials to server-side users when web users are logged in to Virtual ViewX.

CWE-522 Dec 11, 2020

CVE-2020-29380 5.9 MEDIUM EPSS 0.00

An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-the-middle attack on the management of the appliance.

CWE-319 Nov 29, 2020

CVE-2020-29054 9.8 CRITICAL EPSS 0.00

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. Attackers can use "show system infor" to discover cleartext TELNET credentials.

CWE-522 Nov 24, 2020

CVE-2020-28330 6.5 MEDIUM EPSS 0.00

Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device.

CWE-522 Nov 24, 2020

CVE-2020-24227 7.5 HIGH 1 PoC Analysis EPSS 0.01

Playground Sessions v2.5.582 (and earlier) for Windows, stores the user credentials in plain text allowing anyone with access to UserProfiles.sol to extract the email and password.

CWE-522 Nov 23, 2020

CVE-2020-26079 4.9 MEDIUM EPSS 0.00

A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device. The vulnerability is due to insufficient protection of user credentials. An attacker could exploit this vulnerability by logging in as an administrative user and crafting a call for user information. A successful exploit could allow the attacker to obtain hashes of user passwords on an affected device.

CWE-522 Nov 18, 2020