CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,123 CVEs tracked · 53,219 with exploits · 4,686 exploited in wild · 1,539 CISA KEV · 3,912 Nuclei templates · 37,757 vendors · 42,422 researchers
110 results
CVE-2017-3962 5.6 MEDIUM EPSS 0.00
McAfee NSM <8.2.7.42.2 - Info Disclosure
Password recovery exploitation vulnerability in the non-certificate-based authentication mechanism in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows attackers to crack user passwords via unsalted hashes.
CWE-916 Jun 12, 2018

CVE-2018-9233 7.8 HIGH 1 PoC Analysis EPSS 0.00
Sophos Endpoint Protection 10.7 - Info Disclosure
Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for password storage in %PROGRAMDATA%\Sophos\Sophos Anti-Virus\Config\machine.xml, which makes it easier for attackers to determine a cleartext password, and subsequently choose unsafe malware settings, via rainbow tables or other approaches.
CWE-916 Apr 05, 2018

CVE-2018-1447 5.1 MEDIUM EPSS 0.00
IBM Spectrum Protect <7.2 - Password Weakness
The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function, resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After updating, the customer should change their password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high-priority action. IBM X-Force ID: 139972.
CWE-916 Apr 04, 2018

CVE-2017-11131 5.9 MEDIUM EPSS 0.00
heinekingmedia StashCat - Info Disclosure
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. For authentication, the user password is hashed directly with SHA-512 without a salt or another key-derivation mechanism to enable a secure secret for authentication. Moreover, only the first 32 bytes of the hash are used. This allows for easy dictionary and rainbow-table attacks if an attacker has access to the password hash.
CWE-916 Aug 01, 2017

CVE-2014-2354 EPSS 0.00
Cogent DataHub <7.3.5 - Info Disclosure
Cogent DataHub before 7.3.5 does not use a salt during password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.
CWE-255 May 30, 2014

CVE-2008-1526 7.5 HIGH EPSS 0.00
ZyXEL Prestige - Password Cracking
ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords.
CWE-916 Mar 26, 2008

CVE-2006-1058 5.5 MEDIUM EPSS 0.00
BusyBox 1.1.1 - Info Disclosure
BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
CWE-916 Apr 04, 2006

CVE-2005-0408 9.8 CRITICAL 1 PoC Analysis EPSS 0.03
CitrusDB <0.3.6 - Auth Bypass
CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable.
CWE-916 Feb 14, 2005

CVE-2002-1657 7.5 HIGH EPSS 0.01
PostgreSQL - Info Disclosure
PostgreSQL uses the username for a salt when generating passwords, which makes it easier for remote attackers to guess passwords via a brute force attack.
CWE-916 Dec 31, 2002

CVE-2001-0967 9.8 CRITICAL EPSS 0.00
Knox Arkeia server <4.2 - Info Disclosure
Knox Arkeia server 4.2, and possibly other versions, uses a constant salt when encrypting passwords using the crypt() function, which makes it easier for an attacker to conduct brute force password guessing.
CWE-916 Aug 31, 2001