CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,278 with exploits; 4,730 exploited in wild; 1,542 CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,568 researchers
1,290 results
CVE-2018-20243 7.5 HIGH EPSS 0.01
Fineract - Info Disclosure
The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in Fineract Jira issues 726 and 629.
CWE-522 Oct 13, 2020
CVE-2020-13344 5.7 MEDIUM EPSS 0.00
GitLab <13.2.10-13.4.2 - Info Disclosure
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Session keys are stored in plaintext in Redis, which allows an attacker with Redis access to authenticate as any user that has a session stored in Redis.
CWE-522 Oct 08, 2020
CVE-2020-2297 3.3 LOW EPSS 0.00
Jenkins SMS Notification Plugin <1.2 - Info Disclosure
Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CWE-522 Oct 08, 2020
CVE-2020-2291 3.3 LOW EPSS 0.00
Jenkins couchdb-statistics Plugin <0.3 - Info Disclosure
Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CWE-522 Oct 08, 2020
CVE-2020-26149 7.5 HIGH 1 Writeup EPSS 0.00
Linuxfoundation Nats.deno - Insufficiently Protected Credentials
NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno before 1.0.0-9 allow credential disclosure from a client to a server.
CWE-522 Sep 30, 2020
CVE-2019-16211 9.8 CRITICAL EPSS 0.00
Brocade SANnav <2.1.0 - Info Disclosure
Brocade SANnav versions before v2.1.0 contain a Plaintext Password Storage vulnerability.
CWE-522 Sep 25, 2020
CVE-2020-7945 5.5 MEDIUM EPSS 0.00
CD4PE <4.0.1 - Info Disclosure
Local registry credentials were included directly in the CD4PE deployment definition, which could expose these credentials to users who should not have access to them. This is resolved in Continuous Delivery for Puppet Enterprise 4.0.1.
CWE-522 Sep 18, 2020
CVE-2020-8339 4.3 MEDIUM EPSS 0.00
IBM BladeCenter AMM <3.68n - XSSI
A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.
CWE-522 Sep 15, 2020
CVE-2020-16097 7.3 HIGH EPSS 0.00
Gallagher Command Centre - Insufficiently Protected Credentials
On controllers running versions of v8.20 prior to vCR8.20.200221b (distributed in v8.20.1093(MR2)), v8.10 prior to vGR8.10.179 (distributed in v8.10.1211(MR5)), v8.00 prior to vGR8.00.165 (distributed in v8.00.1228(MR6)), v7.90 prior to vGR7.90.165 (distributed in v7.90.1038(MRX)), v7.80 or earlier, it is possible to retrieve site keys used for securing MIFARE Plus and Desfire using debug ports on T Series readers.
CWE-522 Sep 15, 2020
CVE-2020-15791 6.5 MEDIUM EPSS 0.00
Siemens Simatic S7-300 Cpu 312 Firmware - Insufficiently Protected ...
A vulnerability has been identified in SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC S7-400 CPU family (incl. SIPLUS variants) (All versions), SIMATIC WinAC RTX (F) 2010 (All versions), SINUMERIK 840D sl (All versions). The authentication protocol between a client and a PLC via port 102/tcp (ISO-TSAP) insufficiently protects the transmitted password. This could allow an attacker that is able to intercept the network traffic to obtain valid PLC credentials.
CWE-522 Sep 09, 2020
CVE-2020-7299 5.0 MEDIUM EPSS 0.00
Mcafee True Key < 6.2.109.2 - Insufficiently Protected Credentials
Cleartext Storage of Sensitive Information in Memory vulnerability in Microsoft Windows client in McAfee True Key (TK) prior to 6.2.109.2 allows a local user logged in with administrative privileges to access another user’s passwords on the same machine via triggering a process dump in specific situations.
CWE-522 Sep 04, 2020
CVE-2020-3547 4.3 MEDIUM EPSS 0.00
Cisco Asyncos < 13.5.1-277 - Information Disclosure
A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco Email Security Appliance (ESA), Cisco Content Security Management Appliance (SMA), and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because an insecure method is used to mask certain passwords on the web-based management interface. An attacker could exploit this vulnerability by looking at the raw HTML code that is received from the interface. A successful exploit could allow the attacker to obtain some of the passwords configured throughout the interface.
CWE-522 Sep 04, 2020
CVE-2020-6874 9.1 CRITICAL EPSS 0.00
ZTE Zxiptv Firmware - Insufficiently Protected Credentials
A ZTE product is impacted by a cryptographic issues vulnerability. The encryption algorithm is not properly used, so remote attackers could use this vulnerability for an account credential enumeration attack or a brute-force password-guessing attack. This affects: ZXIPTV, ZXIPTV-WEB-PV5.09.08.04.
CWE-522 Sep 01, 2020
CVE-2019-4697 6.5 MEDIUM EPSS 0.00
IBM Security Guardium Data Encryption <3.0.0.2 - Info Disclosure
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 171938.
CWE-522 Aug 26, 2020
CVE-2019-4693 4.4 MEDIUM EPSS 0.00
IBM Security Guardium Data Encryption <3.0.0.2 - Info Disclosure
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 171831.
CWE-522 Aug 26, 2020
CVE-2020-24622 4.9 MEDIUM EPSS 0.00
Sonatype Nexus Repository <3.26.1 - Info Disclosure
In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exposed by an admin user.
CWE-522 Aug 25, 2020
CVE-2020-4593 4.4 MEDIUM EPSS 0.00
IBM Security Guardium Insights - Insufficiently Protected Credentials
IBM Security Guardium Insights 2.0.1 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 184747.
CWE-522 Aug 24, 2020
CVE-2020-16280 5.5 MEDIUM EPSS 0.00
Rangeeos - Insufficiently Protected Credentials
Multiple Rangee GmbH RangeeOS 8.0.4 modules store credentials in plaintext, including credentials of users for several external-facing administrative services, domain-joined users, and local administrators. To exploit the vulnerability, a local attacker must have access to the underlying operating system.
CWE-522 Aug 20, 2020
CVE-2020-8210 7.5 HIGH EPSS 0.00
Citrix XenMobile <10.12 - Info Disclosure
Insufficient protection of secrets in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 discloses credentials of a service account.
CWE-522 Aug 17, 2020
CVE-2020-7307 5.2 MEDIUM EPSS 0.00
Mcafee Data Loss Prevention - Insufficiently Protected Credentials
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CWE-522 Aug 13, 2020