Filtered by CWE-522
Total 1210 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-0760 2025-02-26 2.7 Low
A Credential Disclosure vulnerability exists where an administrator could extract the stored SMTP account credentials due to lack of encryption.
CVE-2023-1574 1 Devolutions 1 Remote Desktop Manager 2025-02-25 6.5 Medium
Information disclosure in the user creation feature of a MSSQL data source in Devolutions Remote Desktop Manager 2023.1.9 and below on Windows allows an attacker with access to the user interface to obtain sensitive information via the error message dialog that displays the password in clear text.
CVE-2022-26844 1 Intel 1 Single Event Api 2025-02-25 7.8 High
Insufficiently protected credentials in the installation binaries for Intel(R) SEAPI in all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-30296 1 Intel 1 Datacenter Group Event 2025-02-25 7.5 High
Insufficiently protected credentials in the Intel(R) Datacenter Group Event iOS application, all versions, may allow an unauthenticated user to potentially enable information disclosure via network access.
CVE-2025-0867 2025-02-21 9.9 Critical
The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.
CVE-2024-37362 2025-02-20 6.3 Medium
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522)   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift.   Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation.
CVE-2022-29507 1 Intel 1 Team Blue 2025-02-18 5.5 Medium
Insufficiently protected credentials in the Intel(R) Team Blue mobile application in all versions may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2024-5657 1 Born05 1 Two-factor Authentication 2025-02-13 3.7 Low
The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.
CVE-2024-37051 1 Jetbrains 13 Aqua, Clion, Datagrip and 10 more 2025-02-13 9.3 Critical
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4
CVE-2024-34147 1 Jenkins 1 Jenkins-telegram-bot 2025-02-13 4.3 Medium
Jenkins Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CVE-2023-50770 1 Jenkins 1 Openid 2025-02-13 6.7 Medium
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.
CVE-2023-49653 1 Jenkins 1 Jira 2025-02-13 6.5 Medium
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.
CVE-2023-30846 1 Microsoft 1 Typed-rest-client 2025-02-13 9.1 Critical
typed-rest-client is a library for Node Rest and Http Clients with typings for use with TypeScript. Users of the typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties. The flow of the vulnerability is as follows: First, send any request with `BasicCredentialHandler`, `BearerCredentialHandler` or `PersonalAccessTokenCredentialHandler`. Second, the target host may return a redirection (3xx), with a link to a second host. Third, the next request will use the credentials to authenticate with the second host, by setting the `Authorization` header. The expected behavior is that the next request will *NOT* set the `Authorization` header. The problem was fixed in version 1.8.0. There are no known workarounds.
CVE-2022-4926 2 Fedoraproject, Google 3 Fedora, Android, Chrome 2025-02-13 6.5 Medium
Insufficient policy enforcement in Intents in Google Chrome on Android prior to 109.0.5414.119 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
CVE-2024-36081 2025-02-13 9.8 Critical
Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network.
CVE-2024-33849 2025-02-13 6.5 Medium
ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key.
CVE-2025-0619 2025-02-12 N/A
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
CVE-2025-0498 2025-02-12 N/A
A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and, impersonate another user.
CVE-2025-0497 2025-02-12 N/A
A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.
CVE-2025-0477 2025-02-12 N/A
An encryption vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.