CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,274 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,555 researchers
1,290 results
CVE-2019-5534 7.7 HIGH EPSS 0.00
VMware vCenter Server - Information Disclosure
VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
CWE-522 Sep 18, 2019
CVE-2018-7820 9.8 CRITICAL EPSS 0.00
APC UPS Network Management Card 2 AOS <6.5.6 - Info Disclosure
A Credentials Management CWE-255 vulnerability exists in the APC UPS Network Management Card 2 AOS v6.5.6, which could cause Remote Monitoring Credentials to be viewed in plaintext when Remote Monitoring is enabled, and then disabled.
CWE-522 Sep 17, 2019
CVE-2019-10398 5.5 MEDIUM EPSS 0.00
Jenkins Beaker Builder < 1.9 - Insufficiently Protected Credentials
Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
CWE-522 Sep 12, 2019
CVE-2019-11769 7.8 HIGH EPSS 0.00
TeamViewer 14.2.2558 - Privilege Escalation
An issue was discovered in TeamViewer 14.2.2558. Updating the product as a non-administrative user requires entering administrative credentials into the GUI. Subsequently, these credentials are processed in Teamviewer.exe, which allows any application running in the same non-administrative user context to intercept them in cleartext within process memory. By using this technique, a local attacker is able to obtain administrative credentials in order to elevate privileges. This vulnerability can be exploited by injecting code into Teamviewer.exe which intercepts calls to GetWindowTextW and logs the processed credentials.
CWE-522 Sep 11, 2019
CVE-2019-13349 4.9 MEDIUM EPSS 0.01
Knowage < 6.1.1 - Insufficiently Protected Credentials
In Knowage through 6.1.1, an authenticated user that accesses the users page will obtain all user password hashes.
CWE-522 Sep 05, 2019
CVE-2019-13348 8.8 HIGH EPSS 0.01
ENG Knowage < 6.4 - Insufficiently Protected Credentials
In Knowage through 6.1.1, an authenticated user who accesses the datasources page will gain access to any data source credentials in cleartext, which includes databases.
CWE-522 Aug 28, 2019
CVE-2019-13421 4.9 MEDIUM EPSS 0.00
Search-guard Search Guard < 23.1 - Information Disclosure
Search Guard versions before 23.1 had an issue where an administrative user was able to retrieve bcrypt password hashes of other users configured in the internal user database.
CWE-522 Aug 23, 2019
CVE-2019-10960 7.5 HIGH EPSS 0.00
Zebra ZT610 Firmware - Insufficiently Protected Credentials
Zebra Industrial Printers, all versions: Zebra printers are shipped with unrestricted end-user access to front panel options. If the option to use a passcode to limit the functionality of the front panel is applied, specially crafted packets could be sent over the same network to a port on the printer and the printer will respond with an array of information that includes the front panel passcode for the printer. Once the passcode is retrieved, an attacker must have physical access to the front panel of the printer to enter the passcode to access the full functionality of the front panel.
CWE-522 Aug 20, 2019
CVE-2019-3753 6.5 MEDIUM EPSS 0.00
Dell EMC PowerConnect 8024 Firmware - Insufficiently Protected Cred...
Dell EMC PowerConnect 8024, 7000, M6348, M6220, M8024 and M8024-K running firmware versions prior to 5.1.15.2 contain a plain-text password storage vulnerability. TACACS\Radius credentials are stored in plain text in the system settings menu. An authenticated malicious user with access to the system settings menu may obtain the exposed password to use it in further attacks.
CWE-522 Aug 20, 2019
CVE-2019-15052 9.8 CRITICAL EPSS 0.00
Gradle < 5.6 - Insufficiently Protected Credentials
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
CWE-522 Aug 14, 2019
CVE-2019-10385 6.5 MEDIUM EPSS 0.00
Jenkins eggPlant < 2.2 - Insufficiently Protected Credentials
Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CWE-522 Aug 07, 2019
CVE-2019-10379 6.5 MEDIUM EPSS 0.00
Google Cloud Messaging Notification < 1.0 - Insufficiently Protected Credentials
Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
CWE-522 Aug 07, 2019
CVE-2019-10378 5.3 MEDIUM EPSS 0.00
Jenkins TestLink < 3.16 - Insufficiently Protected Credentials
Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
CWE-522 Aug 07, 2019
CVE-2019-14709 9.8 CRITICAL EPSS 0.00
MicroDigital N-series <6400.0.8.5 - Info Disclosure
A cleartext password storage issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. The file in question is /usr/local/ipsca/mipsca.db. If a camera is compromised, the attacker can gain access to passwords and abuse them to compromise further systems.
CWE-522 Aug 06, 2019
CVE-2019-3800 6.3 MEDIUM EPSS 0.00
Pivotal Cloud Foundry Command Line Interface - Information Disclosure
CF CLI versions prior to v6.45.0 (bosh release version 1.16.0) write the client id and secret to the config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.
CWE-522 Aug 05, 2019
CVE-2019-10366 6.5 MEDIUM EPSS 0.00
Jenkins Skytap Cloud CI < 2.06 - Insufficiently Protected Credentials
Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
CWE-522 Jul 31, 2019
CVE-2019-10361 5.5 MEDIUM EPSS 0.00
Jenkins M2release < 0.14.0 - Insufficiently Protected Credentials
Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.
CWE-522 Jul 31, 2019
CVE-2019-10345 5.5 MEDIUM EPSS 0.00
Jenkins Configuration as Code - Insufficiently Protected Credentials
Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.
CWE-522 Jul 31, 2019
CVE-2019-1020009 7.5 HIGH EPSS 0.00
Fleet <2.1.2 - Info Disclosure
Fleet before 2.1.2 allows exposure of SMTP credentials.
CWE-522 Jul 29, 2019
CVE-2019-1010241 6.5 MEDIUM EPSS 0.00
Jenkins Credentials Binding Plugin 1.17 - Info Disclosure
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.
CWE-522 Jul 19, 2019