CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,274 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,555 researchers
1,290 results
CVE-2019-0182 3.3 LOW EPSS 0.00
Intel Open Cloud Integrity Technology - Insufficiently Protected Credentials
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
CWE-522 Jun 13, 2019
CVE-2019-0180 4.4 MEDIUM EPSS 0.00
Intel Open Cloud Integrity Technology - Insufficiently Protected Credentials
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
CWE-522 Jun 13, 2019
CVE-2019-0179 4.4 MEDIUM EPSS 0.00
Intel Open Cloud Integrity Technology - Insufficiently Protected Credentials
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
CWE-522 Jun 13, 2019
CVE-2019-0178 3.6 LOW EPSS 0.00
Intel Open Cloud Integrity Technology - Insufficiently Protected Credentials
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
CWE-522 Jun 13, 2019
CVE-2019-0175 4.4 MEDIUM EPSS 0.00
Intel Open Cloud Integrity Technology - Insufficiently Protected Credentials
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
CWE-522 Jun 13, 2019
CVE-2019-3947 9.8 CRITICAL EPSS 0.00
Fujielectric V-server - Insufficiently Protected Credentials
Fuji Electric V-Server before 6.0.33.0 stores database credentials in project files as plaintext. An attacker that can gain access to the project file can recover the database credentials and gain access to the database server.
CWE-522 Jun 12, 2019
CVE-2019-6567 5.5 MEDIUM EPSS 0.00
SCALANCE - Info Disclosure
A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All Versions < V5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3), SCALANCE X-414-3E (All versions). The affected devices store passwords in a recoverable format. An attacker may extract and recover device passwords from the device configuration. Successful exploitation requires access to a device configuration backup and impacts confidentiality of the stored passwords.
CWE-522 Jun 12, 2019
CVE-2019-10160 9.8 CRITICAL 1 Writeup EPSS 0.01
Python <3.8.0b1 - RCE
A security regression of CVE-2019-9636 was discovered in Python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
CWE-172 Jun 07, 2019
CVE-2019-6452 8.8 HIGH 1 Writeup EPSS 0.00
Kyocera Command Center RX - Insufficiently Protected Credentials
Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password.
CWE-522 Jun 06, 2019
CVE-2019-11367 9.8 CRITICAL 1 Writeup EPSS 0.04
AUO Solar Data Recorder <1.3.0 - Auth Bypass
An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can log in successfully.
CWE-522 Jun 03, 2019
CVE-2019-11369 8.8 HIGH 1 PoC Analysis EPSS 0.08
Carel pCOWeb <B1.2.4 - Info Disclosure
An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device.
CWE-522 Jun 03, 2019
CVE-2019-10981 7.8 HIGH EPSS 0.00
Schneider-electric Citectscada - Insufficiently Protected Credentials
In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a vulnerability has been identified that may allow an authenticated local user access to Citect user credentials.
CWE-522 May 31, 2019
CVE-2019-10329 8.8 HIGH EPSS 0.00
Eficode Influxdb < 1.21 - Insufficiently Protected Credentials
Jenkins InfluxDB Plugin 1.21 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
CWE-522 May 31, 2019
CVE-2019-12452 7.5 HIGH EPSS 0.00
Traefik < 1.7.11 - Insufficiently Protected Credentials
types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTTP Authentication or Digest HTTP Authentication section, or discover a key by reading the ClientTLS section. These can be found in the JSON response to a /api request.
CWE-522 May 29, 2019
CVE-2019-4138 5.9 MEDIUM EPSS 0.00
IBM Spectrum Control < 5.2.17.2 - Insufficiently Protected Credentials
IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334.
CWE-522 May 29, 2019
CVE-2019-5627 7.8 HIGH EPSS 0.00
Bluecats BC Reveal < 5.14 - Insufficiently Protected Credentials
The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app.
CWE-522 May 22, 2019
CVE-2019-5626 7.8 HIGH EPSS 0.00
Bluecats Reveal < 3.0.19 - Insufficiently Protected Credentials
The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
CWE-522 May 22, 2019
CVE-2019-5625 7.1 HIGH EPSS 0.00
Eaton Halo Home - Insufficiently Protected Credentials
The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
CWE-522 May 22, 2019
CVE-2019-12046 9.8 CRITICAL EPSS 0.01
LemonLDAP::NG -2.0.3 - Info Disclosure
LemonLDAP::NG -2.0.3 has Incorrect Access Control.
CWE-522 May 22, 2019
CVE-2019-10139 7.8 HIGH EPSS 0.00
HE - Info Disclosure
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the end of the deployment procedure, these files are deleted.
CWE-522 May 17, 2019