Total
1151 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26844 | 1 Intel | 1 Single Event Api | 2025-02-25 | N/A | 7.8 HIGH |
| Insufficiently protected credentials in the installation binaries for Intel(R) SEAPI in all versions may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-30296 | 1 Intel | 1 Datacenter Group Event | 2025-02-25 | N/A | 7.5 HIGH |
| Insufficiently protected credentials in the Intel(R) Datacenter Group Event iOS application, all versions, may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2024-37362 | 2025-02-20 | N/A | 6.3 MEDIUM | ||
| The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift. Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation. | |||||
| CVE-2022-29507 | 1 Intel | 1 Team Blue | 2025-02-18 | N/A | 5.5 MEDIUM |
| Insufficiently protected credentials in the Intel(R) Team Blue mobile application in all versions may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2025-0867 | 2025-02-14 | N/A | 9.9 CRITICAL | ||
| The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level. | |||||
| CVE-2023-50291 | 1 Apache | 1 Solr | 2025-02-13 | N/A | 7.5 HIGH |
| Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' | |||||
| CVE-2023-29055 | 1 Apache | 1 Kylin | 2025-02-13 | N/A | 7.5 HIGH |
| In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials. To avoid this threat, users are recommended to * Always turn on HTTPS so that network payload is encrypted. * Avoid putting credentials in kylin.properties, or at least not in plain text. * Use network firewalls to protect the serverside such that it is not accessible to external attackers. * Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface. | |||||
| CVE-2023-25413 | 1 Aten | 2 Pe8108, Pe8108 Firmware | 2025-02-11 | N/A | 7.5 HIGH |
| Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Telnet and SNMP credentials. | |||||
| CVE-2023-25407 | 1 Aten | 2 Pe8108, Pe8108 Firmware | 2025-02-11 | N/A | 7.2 HIGH |
| Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. Restricted users have read access to administrator credentials. | |||||
| CVE-2025-26492 | 2025-02-11 | N/A | 7.7 HIGH | ||
| In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources | |||||
| CVE-2024-21815 | 1 Gallagher | 1 Command Centre | 2025-02-10 | N/A | 9.1 CRITICAL |
| Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior. | |||||
| CVE-2024-3543 | 1 Progress | 1 Loadmaster | 2025-02-10 | N/A | 6.4 MEDIUM |
| Use of reversible password encryption algorithm allows attackers to decrypt passwords. Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system. | |||||
| CVE-2024-4536 | 1 Eclipse | 1 Edc Connector | 2025-02-06 | N/A | 6.8 MEDIUM |
| In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. Problematically, the consumer-provided clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer. This secret's value is then sent to the tokenUrl, also consumer-controlled, as part of an OAuth2 client credentials grant. The returned access token is then sent as a bearer token to the data sink URL. This feature is now disabled entirely, because not all code paths necessary for a successful realization were fully implemented. | |||||
| CVE-2022-26341 | 1 Intel | 3 Active Management Technology Software Development Kit, Endpoint Management Assistant, Manageability Commander | 2025-02-05 | N/A | 8.2 HIGH |
| Insufficiently protected credentials in software in Intel(R) AMT SDK before version 16.0.4.1, Intel(R) EMA before version 1.7.1 and Intel(R) MC before version 2.3.2 may allow an authenticated user to potentially enable escalation of privilege via network access. | |||||
| CVE-2023-25760 | 1 Uniguest | 1 Tripleplay | 2025-02-05 | N/A | 8.8 HIGH |
| Incorrect Access Control in Tripleplay Platform releases prior to Caveman 3.4.0 allows authenticated user to modify other users passwords via a crafted request payload | |||||
| CVE-2022-4308 | 1 Secomea | 1 Gatemanager | 2025-02-05 | N/A | 6.1 MEDIUM |
| Plaintext Storage of a Password vulnerability in Secomea GateManager (USB wizard) allows Authentication abuse on SiteManager, if the generated file is leaked. | |||||
| CVE-2024-7389 | 1 Incsub | 1 Forminator | 2025-02-05 | N/A | 7.5 HIGH |
| The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration. | |||||
| CVE-2021-33589 | 1 Ribose | 1 Rnp | 2025-02-04 | N/A | 7.5 HIGH |
| Ribose RNP before 0.15.1 does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than on the tin of the algorithm. | |||||
| CVE-2024-42012 | 2025-02-04 | N/A | 5.7 MEDIUM | ||
| GRAU DATA Blocky before 3.1 stores passwords encrypted rather than hashed. At the login screen, the user's password is compared to the user's decrypted cleartext password. An attacker with Windows admin or debugging rights can therefore steal the user's Blocky password and from there impersonate that local user. | |||||
| CVE-2023-28131 | 1 Expo | 1 Expo Software Development Kit | 2025-02-04 | N/A | 9.6 CRITICAL |
| A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc). | |||||