Total
733 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-9593 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2024-11-21 | 4.0 MEDIUM | 4.7 MEDIUM |
| foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems. | |||||
| CVE-2016-9489 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password. | |||||
| CVE-2016-8616 | 1 Haxx | 1 Curl | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. | |||||
| CVE-2016-8366 | 1 Phoenixcontact | 2 Ilc Plcs, Ilc Plcs Firmware | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
| Webvisit in Phoenix Contact ILC PLCs offers a password macro to protect HMI pages on the PLC against casual or coincidental opening of HMI pages by the user. The password macro can be configured in a way that the password is stored and transferred in clear text. | |||||
| CVE-2016-6599 | 1 Bmc | 1 Track-it\! | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments. | |||||
| CVE-2016-6554 | 1 Synology | 6 Ds107, Ds107 Firmware, Ds116 and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) . A remote network attacker can gain privileged access to a vulnerable device. | |||||
| CVE-2016-6553 | 1 Nuuo | 2 Nt-4040 Titan, Nt-4040 Titan Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Nuuo NT-4040 Titan, firmware NT-4040_01.07.0000.0015_1120, uses non-random default credentials of: admin:admin and localdisplay:111111. A remote network attacker can gain privileged access to a vulnerable device. | |||||
| CVE-2016-6552 | 1 Greenpacket | 2 Dx-350, Dx-350 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Green Packet DX-350 uses non-random default credentials of: root:wimax. A remote network attacker can gain privileged access to a vulnerable device. | |||||
| CVE-2016-6551 | 1 Intelliantech | 26 T100q, T100q Firmware, T100w and 23 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Intellian Satellite TV antennas t-Series and v-Series, firmware version 1.07, uses non-random default credentials of: ftp/ftp or intellian:12345678. A remote network attacker can gain elevated access to a vulnerable device. | |||||
| CVE-2016-6547 | 1 Nutspace | 1 Nut Mobile | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| The Zizai Tech Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. | |||||
| CVE-2016-6546 | 1 Kkmcn | 1 Itrackeasy | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext. | |||||
| CVE-2016-6538 | 1 Thetrackr | 2 Trackr Bravo, Trackr Bravo Firmware | 2024-11-21 | 3.3 LOW | 8.8 HIGH |
| The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538, CVE-2016-6539, CVE-2016-6540 and CVE-2016-6541. | |||||
| CVE-2016-3952 | 1 Web2py | 1 Web2py | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access. | |||||
| CVE-2016-10821 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In cPanel before 55.9999.141, Scripts/addpop reveals a command-line password in a process list (SEC-75). | |||||
| CVE-2016-10791 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559). | |||||
| CVE-2016-10526 | 1 Grunt-gh-pages Project | 1 Grunt-gh-pages | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised. | |||||
| CVE-2016-0898 | 1 Vmware | 1 Pivotal Software Mysql | 2024-11-21 | 5.0 MEDIUM | 10.0 CRITICAL |
| MySQL for PCF tiles 1.7.x before 1.7.10 were discovered to log the AWS access key in plaintext. These credentials were logged to the Service Backup component logs, and not the system log, thus were not exposed outside the Service Backup VM. | |||||
| CVE-2015-9278 | 1 Mailenable | 1 Mailenable | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| MailEnable before 8.60 allows Privilege Escalation because admin accounts could be created as a consequence of %0A mishandling in AUTH.TAB after a password-change request. | |||||
| CVE-2015-9240 | 1 Keystonejs | 1 Keystone | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign in. | |||||
| CVE-2015-4400 | 1 Ring | 2 Ring, Ring Firmware | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Ring (formerly DoorBot) video doorbells allow remote attackers to obtain sensitive information about the wireless network configuration by pressing the set up button and leveraging an API in the GainSpan Wi-Fi module. | |||||