Total
659 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-27532 | 2025-04-30 | 6.5 Medium | ||
| A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests. | ||||
| CVE-2022-24188 | 1 Sz-fujia | 1 Ourphoto | 2025-04-29 | 7.5 High |
| The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality. | ||||
| CVE-2022-2513 | 1 Hitachienergy | 6 650connectivitypackage, 670connectivitypackage, Gms600connectivitypackage and 3 more | 2025-04-25 | 7.1 High |
| A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database and logs files. An attacker having get access to the exported backup file can exploit the vulnerability and obtain user credentials of the IEDs. Additionally, an attacker with administrator access to the PCM600 host machine can obtain other user credentials by analyzing database log files. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs. | ||||
| CVE-2022-25164 | 1 Mitsubishielectric | 2 Gx Works3, Mx Opc Ua Module Configurator-r | 2025-04-25 | 8.6 High |
| Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers can gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module. | ||||
| CVE-2022-29826 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-04-25 | 6.8 Medium |
| Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.087R and Motion Control Setting(GX Works3 related software) versions from 1.000A to 1.042U allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | ||||
| CVE-2022-29832 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-04-25 | 3.7 Low |
| Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later, GX Works2 all versions and GX Developer versions 8.40S and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could obtain information about the project file for MELSEC safety CPU modules or project file for MELSEC Q/FX/L series with security setting. | ||||
| CVE-2022-35120 | 1 Ixpdata | 1 Easyinstall | 2025-04-24 | 8.8 High |
| IXPdata EasyInstall 6.6.14725 contains an access control issue. | ||||
| CVE-2024-42451 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-24 | 6.5 Medium |
| A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker's side. This exposes sensitive data, which could be used for further attacks, including unauthorized access to systems managed by the platform. | ||||
| CVE-2023-50957 | 1 Ibm | 1 Storage Defender Resiliency Service | 2025-04-24 | 8 High |
| IBM Storage Defender - Resiliency Service 2.0 could allow a privileged user to perform unauthorized actions after obtaining encrypted data from clear text key storage. IBM X-Force ID: 275783. | ||||
| CVE-2020-11918 | 1 Svakom | 2 Svakom Siime Eye, Svakom Siime Eye Firmware | 2025-04-24 | 5.4 Medium |
| An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file. | ||||
| CVE-2022-39351 | 1 Owasp | 1 Dependency-track | 2025-04-23 | 4.4 Medium |
| Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last 4 characters of the key will be logged. It is strongly recommended to check historic logs for occurrences of this behavior, and re-generating API keys in case of leakage. | ||||
| CVE-2022-41933 | 1 Xwiki | 1 Xwiki | 2025-04-23 | 6.2 Medium |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When the `reset a forgotten password` feature of XWiki was used, the password was then stored in plain text in database. This only concerns XWiki 13.1RC1 and newer versions. Note that it only concerns the reset password feature available from the "Forgot your password" link in the login view: the features allowing a user to change their password, or for an admin to change a user password are not impacted. This vulnerability is particularly dangerous in combination with other vulnerabilities allowing to perform data leak of personal data from users, such as GHSA-599v-w48h-rjrm. Note that this vulnerability only concerns the users of the main wiki: in case of farms, the users registered on subwiki are not impacted thanks to a bug we discovered when investigating this. The problem has been patched in version 14.6RC1, 14.4.3 and 13.10.8. The patch involves a migration of the impacted users as well as the history of the page, to ensure no password remains in plain text in the database. This migration also involves to inform the users about the possible disclosure of their passwords: by default, two emails are automatically sent to the impacted users. A first email to inform about the possibility that their password have been leaked, and a second email using the reset password feature to ask them to set a new password. It's also possible for administrators to set some properties for the migration: it's possible to decide if the user password should be reset (default) or if the passwords should be kept but only hashed. Note that in the first option, the users won't be able to login anymore until they set a new password if they were impacted. Note that in both options, mails will be sent to users to inform them and encourage them to change their passwords. | ||||
| CVE-2022-46155 | 1 Airtable | 1 Airtable | 2025-04-23 | 7.6 High |
| Airtable.js is the JavaScript client for Airtable. Prior to version 0.11.6, Airtable.js had a misconfigured build script in its source package. When the build script is run, it would bundle environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inserted during Browserify builds due to being referenced in Airtable.js code. This only affects copies of Airtable.js built from its source, not those installed via npm or yarn. Airtable API keys set in users’ environments via the AIRTABLE_API_KEY environment variable may be bundled into local copies of Airtable.js source code if all of the following conditions are met: 1) the user has cloned the Airtable.js source onto their machine, 2) the user runs the `npm prepare` script, and 3) the user' has the AIRTABLE_API_KEY environment variable set. If these conditions are met, a user’s local build of Airtable.js would be modified to include the value of the AIRTABLE_API_KEY environment variable, which could then be accidentally shipped in the bundled code. Users who do not meet all three of these conditions are not impacted by this issue. Users should upgrade to Airtable.js version 0.11.6 or higher; or, as a workaround unset the AIRTABLE_API_KEY environment variable in their shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Users should also regenerate any Airtable API keys they use, as the keysy may be present in bundled code. | ||||
| CVE-2022-31004 | 1 Mitre | 1 Cve-services | 2025-04-22 | 7.5 High |
| CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch. | ||||
| CVE-2022-39364 | 1 Nextcloud | 2 Nextcloud Enterprise Server, Nextcloud Server | 2025-04-22 | 4 Medium |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`. | ||||
| CVE-2022-31697 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2025-04-22 | 5.5 Medium |
| The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation. | ||||
| CVE-2022-43958 | 1 Siemens | 1 Qms Automotive | 2025-04-21 | 7.6 High |
| A vulnerability has been identified in QMS Automotive (All versions < V12.39), QMS Automotive (All versions < V12.39). User credentials are stored in plaintext in the database without any hashing mechanism. This could allow an attacker to gain access to credentials and impersonate other users. | ||||
| CVE-2017-14941 | 1 Jaspersoft | 1 Jasperreports | 2025-04-20 | N/A |
| Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure vulnerability, which allows a remote authenticated user to retrieve stored Data Source passwords by accessing flow.html and reading the HTML source code of the page reached in an Edit action for a Data Source connector. | ||||
| CVE-2016-6341 | 1 Ovirt | 1 Ovirt | 2025-04-20 | N/A |
| oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files. | ||||
| CVE-2017-2723 | 1 Huawei | 1 Files | 2025-04-20 | N/A |
| The Files APP 7.1.1.308 and earlier versions in some Huawei mobile phones has a vulnerability of plaintext storage of users' Safe passwords. An attacker with the root privilege of an Android system could forge the Safe to read users' plaintext Safe passwords, leading to information leak. | ||||