CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,274 with exploits; 4,730 exploited in wild; 1,542 CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,563 researchers

1,290 results
CVE-2019-3431 9.8 CRITICAL EPSS 0.00
ZTE Zxcloud Goldendata Vap - Insufficiently Protected Credentials
All versions up to V4.01.01.02 of the ZTE ZXCLOUD GoldenData VAP product have an encryption vulnerability. Attackers could sniff the unencrypted account and password over the network to gain front-end system access.
CWE-522 Dec 23, 2019
CVE-2019-18615 4.9 MEDIUM EPSS 0.00
CloudVision Portal <2018.2 - Info Disclosure
In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where:
1. Devices have enable mode passwords which are different from the user's login password, OR
2. There are configlet builders that use the Device class and specify username and password explicitly.
Application logs are not accessible or visible from the CVP GUI. Application logs can only be read by authorized users with privileged access to the VM hosting the CVP application.
CWE-522 Dec 19, 2019
CVE-2019-18572 9.8 CRITICAL EPSS 0.01
RSA Identity Governance and Lifecycle <7.1.1 P03 - Auth Bypass
The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain an Improper Authentication vulnerability. A Java JMX agent running on the remote host is configured with plain text password authentication. An unauthenticated remote attacker can connect to the JMX agent and monitor and manage the Java application.
CWE-522 Dec 18, 2019
CVE-2019-19890 7.5 HIGH 1 Writeup EPSS 0.00
Humaxdigital Hgb10r-02 Firmware - Cleartext Transmission
An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. Admin credentials are sent over cleartext HTTP.
CWE-319 Dec 18, 2019
CVE-2019-16572 5.5 MEDIUM EPSS 0.00
Jenkins Weibo Plugin <1.0.1 - Info Disclosure
Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
CWE-1024 Dec 17, 2019
CVE-2019-16557 6.5 MEDIUM EPSS 0.00
Jenkins Redgate SQL Change Automation Plugin <2.0.3 - Info Disclosure
Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CWE-522 Dec 17, 2019
CVE-2019-16556 6.5 MEDIUM EPSS 0.00
Jenkins Rundeck Plugin <3.6.5 - Info Disclosure
Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CWE-522 Dec 17, 2019
CVE-2014-0241 5.5 MEDIUM EPSS 0.00
rubygem-hammer_cli_foreman - Info Disclosure
rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable
CWE-522 Dec 13, 2019
CVE-2019-19687 8.8 HIGH EPSS 0.01
OpenStack Keystone 15.0.0-16.0.0 - Info Disclosure
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)
CWE-522 Dec 09, 2019
CVE-2019-16673 6.5 MEDIUM EPSS 0.00
Weidmueller IE-SW-VL05M <3.6.6, IE-SW-VL08MT <3.5.2, IE-SW-PL10M <3...
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Passwords are stored in cleartext and can be read by anyone with access to the device.
CWE-522 Dec 06, 2019
CVE-2019-16672 9.8 CRITICAL EPSS 0.00
Weidmueller IE-SW-VL05M <3.6.6 - Info Disclosure
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Sensitive credentials data is transmitted in cleartext.
CWE-319 Dec 06, 2019
CVE-2013-2106 7.5 HIGH EPSS 0.00
Stanford Webauth < 4.6.1 - Insufficiently Protected Credentials
webauth before 4.6.1 has authentication credential disclosure
CWE-522 Dec 03, 2019
CVE-2019-10224 4.6 MEDIUM EPSS 0.00
389-ds-base <1.4.1.3 - Info Disclosure
A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
CWE-522 Nov 25, 2019
CVE-2012-5527 5.5 MEDIUM EPSS 0.03
Claws Mail vCalendar plugin - Info Disclosure
Claws Mail vCalendar plugin: credentials exposed on interface
CWE-522 Nov 25, 2019
CVE-2019-10214 5.9 MEDIUM EPSS 0.00
Containers/image - Info Disclosure
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
CWE-522 Nov 25, 2019
CVE-2019-10206 6.5 MEDIUM EPSS 0.00
Ansible <2.8.4, <2.7.13, <2.6.19 - Info Disclosure
ansible-playbook -k and the ansible CLI tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt for passwords by expanding them from templates, as they could contain special characters. Passwords should be wrapped to prevent templates from triggering and exposing them.
CWE-522 Nov 22, 2019
CVE-2013-3313 7.5 HIGH 1 PoC Analysis EPSS 0.02
Loftek Nexus 543 IP Camera - Info Disclosure
The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when leveraging the directory traversal vulnerability in CVE-2013-3311.
CWE-522 Nov 21, 2019
CVE-2019-16544 8.8 HIGH EPSS 0.00
Jenkins QMetry for JIRA - Test Mgmt Plugin <1.12 - Info Disclosure
Jenkins QMetry for JIRA - Test Management Plugin 1.12 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CWE-522 Nov 21, 2019
CVE-2019-16543 5.5 MEDIUM EPSS 0.00
Jenkins Spira Importer Plugin <3.2.2 - Info Disclosure
Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
CWE-522 Nov 21, 2019
CVE-2019-16542 6.5 MEDIUM EPSS 0.00
Jenkins Anchore Container Image Scanner Plugin <1.0.19 - Info Discl...
Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CWE-522 Nov 21, 2019