Total
1112 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-44758 | 1 Hcltech | 1 Bigfix Insights For Vulnerability Remediation | 2024-11-21 | N/A | 6.5 MEDIUM |
| BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly authorized. | |||||
| CVE-2022-44757 | 1 Hcltech | 1 Bigfix Insights For Vulnerability Remediation | 2024-11-21 | N/A | 6.5 MEDIUM |
| BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways, etc. | |||||
| CVE-2022-42451 | 1 Hcltech | 1 Bigfix Patch Management | 2024-11-21 | N/A | 4.6 MEDIUM |
| Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged user. | |||||
| CVE-2022-41933 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 6.2 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When the `reset a forgotten password` feature of XWiki was used, the password was then stored in plain text in database. This only concerns XWiki 13.1RC1 and newer versions. Note that it only concerns the reset password feature available from the "Forgot your password" link in the login view: the features allowing a user to change their password, or for an admin to change a user password are not impacted. This vulnerability is particularly dangerous in combination with other vulnerabilities allowing to perform data leak of personal data from users, such as GHSA-599v-w48h-rjrm. Note that this vulnerability only concerns the users of the main wiki: in case of farms, the users registered on subwiki are not impacted thanks to a bug we discovered when investigating this. The problem has been patched in version 14.6RC1, 14.4.3 and 13.10.8. The patch involves a migration of the impacted users as well as the history of the page, to ensure no password remains in plain text in the database. This migration also involves to inform the users about the possible disclosure of their passwords: by default, two emails are automatically sent to the impacted users. A first email to inform about the possibility that their password have been leaked, and a second email using the reset password feature to ask them to set a new password. It's also possible for administrators to set some properties for the migration: it's possible to decide if the user password should be reset (default) or if the passwords should be kept but only hashed. Note that in the first option, the users won't be able to login anymore until they set a new password if they were impacted. Note that in both options, mails will be sent to users to inform them and encourage them to change their passwords. | |||||
| CVE-2022-41732 | 1 Ibm | 1 Maximo Application Suite | 2024-11-21 | N/A | 6.2 MEDIUM |
| IBM Maximo Mobile 8.7 and 8.8 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 237407. | |||||
| CVE-2022-41614 | 1 Intel | 1 On Event Series | 2024-11-21 | N/A | 5.5 MEDIUM |
| Insufficiently protected credentials in the Intel(R) ON Event Series Android application before version 2.0 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-41255 | 1 Jenkins | 1 Cons3rt | 2024-11-21 | N/A | 6.5 MEDIUM |
| Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-41247 | 1 Jenkins | 1 Bigpanda Notifier | 2024-11-21 | N/A | 4.3 MEDIUM |
| Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-40751 | 1 Ibm | 1 Urbancode Deploy | 2024-11-21 | N/A | 4.9 MEDIUM |
| IBM UrbanCode Deploy (UCD) 6.2.7.0 through 6.2.7.17, 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7.2.0.0 through 7.2.3.1 could allow a user with administrative privileges including "Manage Security" permissions may be able to recover a credential previously saved for performing authenticated LDAP searches. IBM X-Force ID: 236601. | |||||
| CVE-2022-40685 | 1 Intel | 1 Data Center Manager | 2024-11-21 | N/A | 6.5 MEDIUM |
| Insufficiently protected credentials in the Intel(R) DCM software before version 5.0.1 may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2022-40678 | 1 Fortinet | 1 Fortinac | 2024-11-21 | N/A | 7.4 HIGH |
| An insufficiently protected credentials in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow a local attacker with database access to recover user passwords. | |||||
| CVE-2022-3474 | 1 Google | 1 Bazel | 2024-11-21 | N/A | 4.3 MEDIUM |
| A bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3. | |||||
| CVE-2022-39820 | 1 Nokia | 1 Network Functions Manager For Transport | 2024-11-21 | N/A | 6.5 MEDIUM |
| In Network Element Manager in NOKIA NFM-T R19.9, an Unprotected Storage of Credentials vulnerability occurs under /root/RestUploadManager.xml.DRC and /DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml. A remote user, authenticated to the operating system, with access privileges to the directory /root or /DEPOT, is able to read cleartext credentials to access the web portal NFM-T and control all the PPS Network elements. | |||||
| CVE-2022-39816 | 1 Nokia | 1 1350 Optical Management System | 2024-11-21 | N/A | 6.5 MEDIUM |
| In NOKIA 1350 OMS R14.2, Insufficiently Protected Credentials (cleartext administrator password) occur in the edit configuration page. Exploitation requires an authenticated attacker. | |||||
| CVE-2022-38665 | 1 Jenkins | 1 Collabnet | 2024-11-21 | N/A | 6.5 MEDIUM |
| Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-38663 | 1 Jenkins | 1 Git | 2024-11-21 | N/A | 6.5 MEDIUM |
| Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. | |||||
| CVE-2022-38469 | 1 Ge | 1 Proficy Historian | 2024-11-21 | N/A | 7.5 HIGH |
| An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords. | |||||
| CVE-2022-38465 | 1 Siemens | 89 Simatic Drive Controller Cpu 1504d Tf, Simatic Drive Controller Cpu 1504d Tf Firmware, Simatic Drive Controller Cpu 1507d Tf and 86 more | 2024-11-21 | N/A | 9.3 CRITICAL |
| A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.5.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V2.9.2), SIMATIC S7-1500 Software Controller (All versions < V21.9), SIMATIC S7-PLCSIM Advanced (All versions < V4.0), SINUMERIK MC (All versions < V6.21), SINUMERIK ONE (All versions < V6.21). Affected products protect the built-in global private key in a way that cannot be considered sufficient any longer. The key is used for the legacy protection of confidential configuration data and the legacy PG/PC and HMI communication. This could allow attackers to discover the private key of a CPU product family by an offline attack against a single CPU of the family. Attackers could then use this knowledge to extract confidential configuration data from projects that are protected by that key or to perform attacks against legacy PG/PC and HMI communication. | |||||
| CVE-2022-38121 | 1 Upspowercom | 1 Upsmon Pro | 2024-11-21 | N/A | 6.5 MEDIUM |
| UPSMON PRO configuration file stores user password in plaintext under public user directory. A remote attacker with general user privilege can access all users‘ and administrators' account names and passwords via this unprotected configuration file. | |||||
| CVE-2022-37783 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | N/A | 7.5 HIGH |
| All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash in without encoding it whereas the corresponding HTML hidden field discloses the users' password hash in a masked manner, which can be decoded by using public functions of the YII framework. | |||||