Total
1273 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-34311 | 1 Ibm | 1 Cics Tx | 2025-05-06 | 4.3 Medium |
| IBM CICS TX Standard and Advanced 11.1 could allow a user with physical access to the web browser to gain access to the user's session due to insufficiently protected credentials. IBM X-Force ID: 229446. | ||||
| CVE-2022-30944 | 1 Intel | 2 Active Management Technology Firmware, Standard Manageability | 2025-05-05 | 5.5 Medium |
| Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access. | ||||
| CVE-2022-30601 | 1 Intel | 2 Active Management Technology Firmware, Standard Manageability | 2025-05-05 | 9.8 Critical |
| Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access. | ||||
| CVE-2021-33107 | 1 Intel | 446 Active Management Technology Software Development Kit, B150, B250 and 443 more | 2025-05-05 | 4.6 Medium |
| Insufficiently protected credentials in USB provisioning for Intel(R) AMT SDK before version 16.0.3, Intel(R) SCS before version 12.2 and Intel(R) MEBx before versions 11.0.0.0012, 12.0.0.0011, 14.0.0.0004 and 15.0.0.0004 may allow an unauthenticated user to potentially enable information disclosure via physical access. | ||||
| CVE-2022-3781 | 1 Devolutions | 2 Devolutions Server, Remote Desktop Manager | 2025-05-05 | 6.5 Medium |
| Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Desktop Manager 2022.2.26 and prior versions and Devolutions Server 2022.3.1 and prior versions which allows database users to read the data. This issue affects : Remote Desktop Manager 2022.2.26 and prior versions. Devolutions Server 2022.3.1 and prior versions. | ||||
| CVE-2024-45004 | 1 Linux | 1 Linux Kernel | 2025-05-04 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix leak of blob encryption key Trusted keys unseal the key blob on load, but keep the sealed payload in the blob field so that every subsequent read (export) will simply convert this field to hex and send it to userspace. With DCP-based trusted keys, we decrypt the blob encryption key (BEK) in the Kernel due hardware limitations and then decrypt the blob payload. BEK decryption is done in-place which means that the trusted key blob field is modified and it consequently holds the BEK in plain text. Every subsequent read of that key thus send the plain text BEK instead of the encrypted BEK to userspace. This issue only occurs when importing a trusted DCP-based key and then exporting it again. This should rarely happen as the common use cases are to either create a new trusted key and export it, or import a key blob and then just use it without exporting it again. Fix this by performing BEK decryption and encryption in a dedicated buffer. Further always wipe the plain text BEK buffer to prevent leaking the key via uninitialized memory. | ||||
| CVE-2024-29992 | 1 Microsoft | 1 Azure Identity Library For .net | 2025-05-03 | 5.5 Medium |
| Azure Identity Library for .NET Information Disclosure Vulnerability | ||||
| CVE-2022-37109 | 1 Camp Project | 1 Camp | 2025-05-01 | 9.8 Critical |
| patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie. | ||||
| CVE-2022-38121 | 1 Upspowercom | 1 Upsmon Pro | 2025-05-01 | 6.5 Medium |
| UPSMON PRO configuration file stores user password in plaintext under public user directory. A remote attacker with general user privilege can access all users‘ and administrators' account names and passwords via this unprotected configuration file. | ||||
| CVE-2024-40710 | 1 Veeam | 2 Backup \& Replication, Veeam Backup \& Replication | 2025-05-01 | 8.8 High |
| A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication. | ||||
| CVE-2022-45384 | 1 Jenkins | 1 Reverse Proxy Auth | 2025-04-30 | 6.5 Medium |
| Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | ||||
| CVE-2022-45392 | 1 Jenkins | 1 Ns-nd Integration Performance Publisher | 2025-04-30 | 6.5 Medium |
| Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system. | ||||
| CVE-2022-40751 | 1 Ibm | 1 Urbancode Deploy | 2025-04-29 | 4.9 Medium |
| IBM UrbanCode Deploy (UCD) 6.2.7.0 through 6.2.7.17, 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7.2.0.0 through 7.2.3.1 could allow a user with administrative privileges including "Manage Security" permissions may be able to recover a credential previously saved for performing authenticated LDAP searches. IBM X-Force ID: 236601. | ||||
| CVE-2022-29833 | 1 Mitsubishielectric | 1 Gx Works3 | 2025-04-25 | 6.8 Medium |
| Insufficiently Protected Credentials vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could access to MELSEC safety CPU modules illgally. | ||||
| CVE-2025-32963 | 2025-04-25 | N/A | ||
| MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0. | ||||
| CVE-2022-42445 | 1 Hcltechsw | 1 Hcl Launch | 2025-04-25 | 4.9 Medium |
| HCL Launch could allow a user with administrative privileges, including "Manage Security" permissions, the ability to recover a credential previously saved for performing authenticated LDAP searches. | ||||
| CVE-2022-41732 | 1 Ibm | 1 Maximo Application Suite | 2025-04-25 | 6.2 Medium |
| IBM Maximo Mobile 8.7 and 8.8 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 237407. | ||||
| CVE-2024-42457 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-24 | 6.5 Medium |
| A vulnerability in Veeam Backup & Replication allows users with certain operator roles to expose saved credentials by leveraging a combination of methods in a remote management interface. This can be achieved using a session object that allows for credential enumeration and exploitation, leading to the leak of plaintext credentials to a malicious host. The attack is facilitated by improper usage of a method that allows operators to add a new host with an attacker-controlled IP, enabling them to retrieve sensitive credentials in plaintext. | ||||
| CVE-2022-43442 | 1 Fsi | 2 Fs040u, Fs040u Firmware | 2025-04-24 | 4.6 Medium |
| Plaintext storage of a password vulnerability exists in +F FS040U software versions v2.3.4 and earlier, which may allow an attacker to obtain the login password of +F FS040U and log in to the management console. | ||||
| CVE-2022-24867 | 1 Glpi-project | 1 Glpi | 2025-04-23 | 7.5 High |
| GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue. | ||||