CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,274 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,563 researchers
1,290 results
CVE-2012-6663 7.5 HIGH 1 PoC Analysis EPSS 0.23
GE D20me Firmware - Insufficiently Protected Credentials
General Electric D20ME devices are not properly configured and reveal plaintext passwords.
CWE-522 Jan 23, 2020
CVE-2019-19898 7.5 HIGH EPSS 0.00
Ixpdata Easyinstall - Cleartext Transmission
In IXP EasyInstall 6.2.13723, there are cleartext credentials in network communication on TCP port 20050 when using the Administrator console remotely.
CWE-319 Jan 23, 2020
CVE-2019-19843 9.8 CRITICAL EPSS 0.01
Ruckus Wireless Unleashed <200.7.10.102.64 - Info Disclosure
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.
CWE-552 Jan 22, 2020
CVE-2020-7233 9.8 CRITICAL EPSS 0.00
Kmccontrols Bac-a1616bc Firmware - Insufficiently Protected Credentials
KMS Controls BAC-A1616BC BACnet devices have a cleartext password of snowman in the BACKDOOR_NAME variable in the BC_Logon.swf file.
CWE-522 Jan 19, 2020
CVE-2019-19696 5.5 MEDIUM EPSS 0.00
Trend Micro Password Manager - Info Disclosure
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishing sites.
CWE-522 Jan 18, 2020
CVE-2019-12423 7.5 HIGH EPSS 0.01
Apache Cxf < 3.2.12 - Insufficiently Protected Credentials
Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However, it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.
CWE-522 Jan 16, 2020
CVE-2020-2095 4.3 MEDIUM EPSS 0.00
Jenkins Redgate Sql Change Automation - Insufficiently Protected Cr...
Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
CWE-522 Jan 15, 2020
CVE-2014-6039 7.5 HIGH 1 PoC Analysis EPSS 0.84
Zohocorp Manageengine Eventlog Analyzer - Insufficiently Protected ...
ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000.
CWE-522 Jan 13, 2020
CVE-2014-5381 9.8 CRITICAL 1 PoC Analysis EPSS 0.46
Granding Grand Ma300 Firmware - Insufficiently Protected Credentials
Grand MA 300 allows a brute-force attack on the PIN.
CWE-522 Jan 13, 2020
CVE-2012-3823 7.5 HIGH EPSS 0.00
Arialsoftware Campaign Enterprise < 11.0.551 - Insufficiently Protected Credentials
Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved.
CWE-522 Jan 10, 2020
CVE-2019-4508 7.8 HIGH EPSS 0.00
IBM QRadar SIEM <7.3.3 - Info Disclosure
IBM QRadar SIEM 7.3.0 through 7.3.3 uses weak credential storage in some instances which could be decrypted by a local attacker. IBM X-Force ID: 164429.
CWE-522 Jan 10, 2020
CVE-2014-5093 9.8 CRITICAL 1 PoC Analysis EPSS 0.12
Status2k - Insufficiently Protected Credentials
Status2k does not remove the install directory, allowing credential reset.
CWE-522 Jan 10, 2020
CVE-2019-6700 6.5 MEDIUM EPSS 0.00
Fortinet Fortisiem < 5.2.5 - Information Disclosure
An information exposure vulnerability in the external authentication profile form of FortiSIEM 5.2.2 and earlier may allow an authenticated attacker to retrieve the external authentication password via the HTML source code.
CWE-522 Jan 07, 2020
CVE-2019-5990 7.5 HIGH EPSS 0.01
Anglers-net Cgi An-anlyzer - Insufficiently Protected Credentials
Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote attackers to obtain a login password via HTTP referer.
CWE-522 Jan 06, 2020
CVE-2019-19310 4.9 MEDIUM EPSS 0.00
GitLab EE <12.5 - Info Disclosure
GitLab Enterprise Edition (EE) 9.0 and later through 12.5 allows Information Disclosure.
CWE-522 Jan 03, 2020
CVE-2013-3620 7.5 HIGH EPSS 0.02
Supermicro Smt X9 Firmware - Insufficiently Protected Credentials
Hardcoded WSMan credentials in Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before 3.15 (SMT_X9_315) and firmware for Supermicro X8 generation motherboards before SMT X8 312.
CWE-522 Jan 02, 2020
CVE-2019-10205 6.3 MEDIUM EPSS 0.00
Red Hat Quay - Info Disclosure
A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry.
CWE-522 Jan 02, 2020
CVE-2019-4335 5.5 MEDIUM EPSS 0.00
IBM Watson Studio Local <1.2.3 - Info Disclosure
IBM Watson Studio Local 1.2.3 stores key files in the user's home directory which could be obtained by another local user. IBM X-Force ID: 161413.
CWE-522 Dec 30, 2019
CVE-2019-20047 7.5 HIGH 1 PoC Analysis EPSS 0.03
Al-enterprise Omnivista 4760 - Insufficiently Protected Credentials
An issue was discovered on Alcatel-Lucent OmniVista 4760 devices, and 8770 devices before 4.1.2. An incorrect web server configuration allows a remote unauthenticated attacker to retrieve the content of its own session files. Every session file contains the administrative LDAP credentials encoded in a reversible format. Sessions are stored in /sessions/sess_<sessionid>.
CWE-522 Dec 27, 2019
CVE-2019-6024 6.5 MEDIUM EPSS 0.00
Rakuten Rakuma < 7.15.0 - Insufficiently Protected Credentials
Rakuma App for Android version 7.15.0 and earlier, and for iOS version 7.16.4 and earlier allows an attacker to bypass authentication and obtain the user's authentication information via a malicious application created by the third party.
CWE-522 Dec 26, 2019