| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The EWON FLEXY 202 transmits credentials using a weak encoding method base64. An attacker who is present in the network can sniff the traffic and decode the credentials. |
| A Credential Disclosure vulnerability exists where an administrator could extract the stored SMTP account credentials due to lack of encryption. |
| The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core_Fix7 allows remote attackers to reach the administration panel and discover hostname and version information by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI. |
| An issue in the storage of NFC card data in Dorset DG 201 Digital Lock H5_433WBSK_v2.2_220605 allows attackers to produce cloned NFC cards to bypass authentication. |
| The exposure of credentials in the call forwarding configuration module in MeetMe products in versions prior to 2024-09 allows an attacker to gain access to some important assets via configuration files. |
| phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue. |
| Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level. |
| H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface. |
| ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key. |
| ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. |
| With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. |
| GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources (Google Cloud, Firebase, GitHub, etc.). |
| EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend. |
| A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. |
| The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.
If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials. |
| EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend. |
| apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5. |
| A security vulnerability in HPE IceWall products could be exploited remotely to cause Unauthorized Data Modification. |
| Extraction of Account Connectivity Credentials (ACCs) from the IT Management Agent secure storage |
| Utilizing default credentials, an attacker is able to log into the camera's operating system which could allow changes to be made to the operations or shutdown the camera requiring a physical reboot of the system. |
