Total
1111 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3480 | 2025-05-22 | N/A | 5.3 MEDIUM | ||
| MedDream WEB DICOM Viewer Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of MedDream WEB DICOM Viewer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Web Portal. The issue results from the lack of encryption when transmitting credentials. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-25842. | |||||
| CVE-2025-3079 | 2025-05-21 | N/A | 8.7 HIGH | ||
| A passback vulnerability which relates to office/small office multifunction printers and laser printers. | |||||
| CVE-2025-3078 | 2025-05-21 | N/A | 8.7 HIGH | ||
| A passback vulnerability which relates to production printers and office multifunction printers. | |||||
| CVE-2022-39168 | 1 Ibm | 3 Robotic Process Automation, Robotic Process Automation For Cloud Pak, Robotic Process Automation For Services | 2025-05-20 | N/A | 7.5 HIGH |
| IBM Robotic Process Automation Clients are vulnerable to proxy credentials being exposed in upgrade logs. IBM X-Force ID: 235422. | |||||
| CVE-2025-27192 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-05-20 | N/A | 2.7 LOW |
| Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-26492 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | N/A | 7.7 HIGH |
| In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources | |||||
| CVE-2025-4679 | 2025-05-16 | N/A | 6.5 MEDIUM | ||
| A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2024-42172 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 5.3 MEDIUM |
| HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications. | |||||
| CVE-2023-50291 | 1 Apache | 1 Solr | 2025-05-15 | N/A | 7.5 HIGH |
| Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*' | |||||
| CVE-2022-3206 | 1 Passster Project | 1 Passster | 2025-05-14 | N/A | 5.9 MEDIUM |
| The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked. | |||||
| CVE-2019-14840 | 1 Redhat | 1 Decision Manager | 2025-05-13 | N/A | 7.5 HIGH |
| A flaw was found in the RHDM, where sensitive HTML form fields like Password has auto-complete enabled which may lead to leak of credentials. | |||||
| CVE-2022-28291 | 1 Tenable | 1 Nessus | 2025-05-13 | N/A | 6.5 MEDIUM |
| Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets. | |||||
| CVE-2021-29043 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the S3 store's proxy password, which allows attackers to steal the proxy password via man-in-the-middle attacks or shoulder surfing. | |||||
| CVE-2022-43419 | 1 Jenkins | 1 Katalon | 2025-05-08 | N/A | 6.5 MEDIUM |
| Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-3644 | 2 Pulpproject, Redhat | 4 Pulp Ansible, Ansible Automation Platform, Satellite and 1 more | 2025-05-07 | N/A | 5.5 MEDIUM |
| The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only. | |||||
| CVE-2022-41575 | 1 Gradle | 1 Enterprise | 2025-05-07 | N/A | 7.5 HIGH |
| A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3. | |||||
| CVE-2024-20282 | 1 Cisco | 1 Nexus Dashboard | 2025-05-07 | N/A | 6.0 MEDIUM |
| A vulnerability in Cisco Nexus Dashboard could allow an authenticated, local attacker with valid rescue-user credentials to elevate privileges to root on an affected device. This vulnerability is due to insufficient protections for a sensitive access token. An attacker could exploit this vulnerability by using this token to access resources within the device infrastructure. A successful exploit could allow an attacker to gain root access to the filesystem or hosted containers on an affected device. | |||||
| CVE-2025-46820 | 2025-05-07 | N/A | 7.1 HIGH | ||
| phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue. | |||||
| CVE-2022-30944 | 1 Intel | 2 Active Management Technology Firmware, Standard Manageability | 2025-05-05 | N/A | 5.5 MEDIUM |
| Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access. | |||||
| CVE-2022-30601 | 1 Intel | 2 Active Management Technology Firmware, Standard Manageability | 2025-05-05 | N/A | 9.8 CRITICAL |
| Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access. | |||||