Vulnerabilities (CVE)

Filtered by CWE-522
Total 1121 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-15272 1 Psftp 1 Psftpd 2025-04-20 2.1 LOW 5.3 MEDIUM
The PSFTPd 10.0.4 Build 729 server stores its configuration inside PSFTPd.dat. This file is a Microsoft Access Database and can be extracted. The application sets the encrypt flag with the password "ITsILLEGAL"; however, this password is not required to extract the data. Cleartext is used for a user password.
CVE-2017-6528 1 Dnatools 1 Dnalims 2025-04-20 4.3 MEDIUM 8.1 HIGH
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affected by plaintext password storage (the /home/dna/spool/.pfile file).
CVE-2017-7524 1 Tpm2-tools Project 1 Tpm2.0-tools 2025-04-20 5.0 MEDIUM 7.5 HIGH
tpm2-tools versions before 1.1.1 are vulnerable to a password leak due to transmitting password in plaintext from client to server when generating HMAC.
CVE-2017-6709 1 Cisco 1 Ultra Services Framework 2025-04-20 5.0 MEDIUM 9.8 CRITICAL
A vulnerability in the AutoVNF tool for the Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to access administrative credentials for Cisco Elastic Services Controller (ESC) and Cisco OpenStack deployments in an affected system. The vulnerability exists because the affected software logs administrative credentials in clear text for Cisco ESC and Cisco OpenStack deployment purposes. An attacker could exploit this vulnerability by accessing the AutoVNF URL for the location where the log files are stored and subsequently accessing the administrative credentials that are stored in clear text in those log files. This vulnerability affects all releases of the Cisco Ultra Services Framework prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76659.
CVE-2017-6028 1 Schneider-electric 4 Modicon M241, Modicon M241 Firmware, Modicon M251 and 1 more 2025-04-20 5.0 MEDIUM 9.8 CRITICAL
An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251, all firmware versions. Log-in credentials are sent over the network with Base64 encoding leaving them susceptible to sniffing. Sniffed credentials could then be used to log into the web application.
CVE-2017-1378 1 Ibm 1 Tivoli Storage Manager 2025-04-20 2.1 LOW 7.8 HIGH
IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) disclosed unencrypted login credentials to Vmware vCenter in the application trace output which could be obtained by a local user. IBM X-Force ID: 126875.
CVE-2017-5700 1 Intel 10 Nuc7i3bnh, Nuc7i3bnh Firmware, Nuc7i3bnk and 7 more 2025-04-20 7.2 HIGH 8.4 HIGH
Insufficient protection of password storage in system firmware for Intel NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attackers to bypass Administrator and User passwords via access to password storage.
CVE-2017-8371 1 Schneider-electric 1 Struxureware Data Center Expert 2025-04-20 4.0 MEDIUM 6.8 MEDIUM
Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.
CVE-2017-17106 1 Zivif 2 Pr115-204-p-rs, Pr115-204-p-rs Firmware 2025-04-20 10.0 HIGH 9.8 CRITICAL
Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages.
CVE-2017-13771 1 Lexmark 1 Scan To Network 2025-04-20 5.0 MEDIUM 9.8 CRITICAL
Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network configuration credentials in plaintext and transmits them in requests, which allows remote attackers to obtain sensitive information via requests to (1) cgi-bin/direct/printer/prtappauth/apps/snfDestServlet or (2) cgi-bin/direct/printer/prtappauth/apps/ImportExportServlet.
CVE-2017-8222 1 Wificam 2 Wireless Ip Camera \(p2p\), Wireless Ip Camera \(p2p\) Firmware 2025-04-20 5.0 MEDIUM 7.5 HIGH
Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS Push Services" private RSA key and certificate stored in /system/www/pem/ck.pem inside the firmware, which allows attackers to obtain sensitive information.
CVE-2017-9248 2 Progress, Telerik 2 Sitefinity, Ui For Asp.net Ajax 2025-04-20 7.5 HIGH 9.8 CRITICAL
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
CVE-2017-6694 1 Cisco 1 Ultra Services Platform 2025-04-20 2.1 LOW 5.5 MEDIUM
A vulnerability in the Virtual Network Function Manager's (VNFM) logging function of Cisco Ultra Services Platform could allow an authenticated, local attacker to view sensitive data (cleartext credentials) on an affected system. More Information: CSCvd29355. Known Affected Releases: 21.0.v0.65839.
CVE-2016-9360 1 Ge 3 Cimplicity, Historian, Ifix 2025-04-20 4.4 MEDIUM 6.7 MEDIUM
An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session.
CVE-2017-11349 1 Datataker 2 Dt8x, Dt8x Firmware 2025-04-20 5.0 MEDIUM 9.8 CRITICAL
dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs or schedules, for purposes such as sending e-mail messages or making outbound connections to FTP servers for uploading data.
CVE-2017-7913 1 Moxa 12 Oncell 5004-hspa, Oncell 5004-hspa Firmware, Oncell 5104-hsdpa and 9 more 2025-04-20 5.0 MEDIUM 9.8 CRITICAL
A Plaintext Storage of a Password issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. The application's configuration file contains parameters that represent passwords in plaintext.
CVE-2017-1362 1 Ibm 1 Security Identity Manager 2025-04-20 2.1 LOW 7.8 HIGH
IBM Security Identity Manager Adapters 6.0 and 7.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 126801.
CVE-2017-7905 1 Ge 20 Multilin Sr 369 Motor Protection Relay, Multilin Sr 369 Motor Protection Relay Firmware, Multilin Sr 469 Motor Protection Relay and 17 more 2025-04-20 5.0 MEDIUM 9.8 CRITICAL
A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 760 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 469 Motor Protection Relay, firmware versions prior to Version 5.23; SR 489 Generator Protection Relay, firmware versions prior to Version 4.06; SR 745 Transformer Protection Relay, firmware versions prior to Version 5.23; SR 369 Motor Protection Relay, all firmware versions; Multilin Universal Relay, firmware Version 6.0 and prior versions; and Multilin URplus (D90, C90, B95), all versions. Ciphertext versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.
CVE-2017-9557 1 Echatserver 1 Easy Chat Server 2025-04-20 5.0 MEDIUM 7.5 HIGH
register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to discover passwords by sending the username parameter in conjunction with an empty password parameter, and reading the HTML source code of the response.
CVE-2017-14711 1 Kickbase 1 Bundesliga Manager 2025-04-20 4.3 MEDIUM 8.1 HIGH
The Kickbase GmbH "Kickbase Bundesliga Manager" app before 2.2.1 -- aka kickbase-bundesliga-manager/id678241305 -- for iOS is vulnerable to a credentials leak due to transmitting a username and password in cleartext from client to server during registration and authentication.