CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Related To CWE-312

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-42763 312 2021-11-02 2021-11-08
5.0
None Remote Low Not required Partial None None
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards an HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request has the "@" user credentials of the node processing the UI request.
2 CVE-2021-42370 312 2021-11-08 2021-11-10
4.3
None Remote Medium Not required Partial None None
A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.)
3 CVE-2021-41023 312 2021-11-02 2021-11-04
2.1
None Local Low Not required Partial None None
An unprotected storage of credentials in Fortinet FortiSIEM Windows Agent version 4.1.4 and below allows an authenticated user to disclose the agent password due to plaintext credential storage in log files.
4 CVE-2021-40527 312 2021-10-25 2021-10-28
5.0
None Remote Low Not required Partial None None
Exposure of sensitive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.
5 CVE-2021-40454 312 2021-10-13 2021-10-19
2.1
None Local Low Not required Partial None None
Rich Text Edit Control Information Disclosure Vulnerability
6 CVE-2021-40087 312 2021-08-25 2021-09-07
4.0
None Remote Low ??? Partial None None
An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrator). This affects use of any of the following protocols: SCEP, CMP, or EST.
7 CVE-2021-38949 312 2021-11-16 2021-11-17
2.1
None Local Low Not required Partial None None
IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 211403.
8 CVE-2021-38915 312 2021-10-12 2021-10-18
4.0
None Remote Low ??? Partial None None
IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 209947.
9 CVE-2021-38911 312 2021-10-19 2021-10-22
4.0
None Remote Low ??? Partial None None
IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by an authenticated privileged user. IBM X-Force ID: 209940.
10 CVE-2021-38422 312 2021-11-03 2021-11-05
4.6
None Local Low Not required Partial Partial Partial
Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges.
11 CVE-2021-37842 312 +Info 2021-11-02 2021-11-08
5.0
None Remote Low Not required Partial None None
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it.
12 CVE-2021-37548 312 2021-08-06 2021-08-12
5.0
None Remote Low Not required Partial None None
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.
13 CVE-2021-37157 312 2021-11-10 2021-11-12
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. $HOME/OGP/Cfg/Config.pm has the root password in cleartext.
14 CVE-2021-36165 312 2021-09-28 2021-10-08
5.0
None Remote Low Not required Partial None None
RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64.
15 CVE-2021-36158 312 2021-07-05 2021-07-08
4.3
None Remote Medium Not required Partial None None
In the xrdp package (in branches through 3.14) for Alpine Linux, RDP sessions are vulnerable to man-in-the-middle attacks because pre-generated RSA certificates and private keys are used.
16 CVE-2021-36096 312 2021-09-06 2021-09-13
4.0
None Remote Low ??? Partial None None
Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
17 CVE-2021-33716 312 2021-09-14 2021-09-23
3.3
None Local Network Low Not required Partial None None
A vulnerability has been identified in SIMATIC CP 1543-1 (incl. SIPLUS variants) (All versions < V3.0), SIMATIC CP 1545-1 (All versions). An attacker with access to the subnet of the affected device could retrieve sensitive information stored in cleartext.
18 CVE-2021-33325 312 2021-08-03 2021-08-11
4.0
None Remote Low ??? Partial None None
In the Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, users' clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.
19 CVE-2021-33323 312 2021-08-03 2021-08-11
5.0
None Remote Low Not required Partial None None
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.
20 CVE-2021-31989 312 2021-08-25 2021-09-01
3.5
None Remote Medium ??? Partial None None
A user with permission to log on to the machine hosting the AXIS Device Manager client could under certain conditions extract a memory dump from the built-in Windows Task Manager application. The memory dump may potentially contain credentials of connected Axis devices.
21 CVE-2021-31820 312 2021-08-18 2021-08-25
5.0
None Remote Low Not required Partial None None
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
22 CVE-2021-31817 312 2021-07-08 2021-07-12
5.0
None Remote Low Not required Partial None None
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
23 CVE-2021-31816 312 2021-07-08 2021-07-12
5.0
None Remote Low Not required Partial None None
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
24 CVE-2021-31581 312 2021-07-22 2021-08-04
2.1
None Local Low Not required Partial None None
The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).
25 CVE-2021-31539 312 2021-04-23 2021-05-01
2.1
None Local Low Not required Partial None None
Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.
26 CVE-2021-30183 312 2021-05-14 2021-05-25
5.0
None Remote Low Not required Partial None None
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
27 CVE-2021-29956 312 2021-06-24 2021-06-30
4.3
None Remote Medium Not required Partial None None
OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.
28 CVE-2021-29954 312 2021-06-24 2021-06-30
5.0
None Remote Low Not required Partial None None
Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service. This vulnerability affects Hubs Cloud < mozillareality/reticulum/1.0.1/20210428201255.
29 CVE-2021-29950 312 2021-06-24 2021-06-25
5.0
None Remote Low Not required Partial None None
Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1.
30 CVE-2021-29904 312 2021-09-23 2021-09-27
2.1
None Local Low Not required Partial None None
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI display user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 207610.
31 CVE-2021-29786 312 2021-10-27 2021-11-01
4.0
None Remote Low ??? Partial None None
IBM Jazz Team Server products store user credentials in clear text which can be read by an authenticated user. IBM X-Force ID: 203172.
32 CVE-2021-29683 312 2021-05-20 2021-05-24
4.0
None Remote Low ??? Partial None None
IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 199998.
33 CVE-2021-29481 312 XSS 2021-06-29 2021-07-07
5.0
None Remote Low Not required Partial None None
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the default configuration of client side sessions results in unencrypted, but signed, data being set as cookie values. This means that if something sensitive goes into the session, it could be read by something with access to the cookies. For this to be a vulnerability, some kind of sensitive data would need to be stored in the session and the session cookie would have to leak. For example, the cookies are not configured with httpOnly and an adjacent XSS vulnerability within the site allowed capture of the cookies. As of version 1.9.0, a securely randomly generated signing key is used. As a workaround, one may supply an encryption key, as per the documentation recommendation.
34 CVE-2021-28979 312 Http R.Spl. 2021-06-16 2021-07-15
4.3
None Remote Medium Not required Partial None None
SafeNet KeySecure Management Console 8.12.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially crafted URL to cause the server to return a split response, once the URL is clicked.
35 CVE-2021-28937 312 2021-03-29 2021-04-02
5.0
None Remote Low Not required Partial None None
The /password.html page of the Web management interface of the Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) contains the administrator account password in plaintext. The page can be intercepted on HTTP.
36 CVE-2021-28858 312 2021-06-15 2021-06-23
2.1
None Local Low Not required Partial None None
TP-Link's TL-WPA4220 4.0.2 Build 20180308 Rel.37064 does not use SSL by default. An attacker on the local network can monitor traffic and capture the cookie and other sensitive information.
37 CVE-2021-28374 312 2021-03-15 2021-05-17
5.0
None Remote Low Not required Partial None None
The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash).
38 CVE-2021-27549 312 2021-02-22 2021-02-26
5.0
None Remote Low Not required Partial None None
** DISPUTED ** Genymotion Desktop through 3.2.0 leaks the host's clipboard data to the Android application by default. NOTE: the vendor's position is that this is intended behavior that can be changed through the Settings > Device screen.
39 CVE-2021-27487 312 2021-06-16 2021-06-22
2.1
None Local Low Not required Partial None None
ZOLL Defibrillator Dashboard, versions prior to 2.2: the affected products contain credentials stored in plaintext. This could allow an attacker to gain access to sensitive information.
40 CVE-2021-27233 312 2021-02-16 2021-02-22
4.0
None Remote Low ??? Partial None None
An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. On the admin portal of the web application, password information for external systems is visible in cleartext. The Settings.asp page is affected by this issue.
41 CVE-2021-27210 312 2021-02-13 2021-02-19
4.0
None Remote Low ??? Partial None None
TP-Link Archer C5v 1.7_181221 devices allow remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1&5 URI.
42 CVE-2021-27205 312 2021-02-12 2021-09-08
2.1
None Local Low Not required Partial None None
Telegram before 7.4 (212543) Stable on macOS stores the local copy of self-destructed messages in a sandbox path, leading to sensitive information disclosure.
43 CVE-2021-27204 312 2021-02-12 2021-09-08
2.1
None Local Low Not required Partial None None
Telegram before 7.4 (212543) Stable on macOS stores the local passcode in cleartext, leading to information disclosure.
44 CVE-2021-27178 312 2021-02-10 2021-02-12
5.0
None Remote Low Not required Partial None None
An issue was discovered on FiberHome HG6245D devices through RP2613. Some passwords are stored in cleartext in nvram.
45 CVE-2021-27176 312 2021-02-10 2021-02-12
5.0
None Remote Low Not required Partial None None
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions.
46 CVE-2021-27175 312 2021-02-10 2021-02-12
5.0
None Remote Low Not required Partial None None
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions.
47 CVE-2021-27174 312 2021-02-10 2021-02-12
5.0
None Remote Low Not required Partial None None
An issue was discovered on FiberHome HG6245D devices through RP2613. wifi_custom.cfg has cleartext passwords and 0644 permissions.
48 CVE-2021-27140 312 2021-02-10 2021-02-12
5.0
None Remote Low Not required Partial None None
An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to find passwords and authentication cookies stored in cleartext in the web.log HTTP logs.
49 CVE-2021-26833 312 2021-04-06 2021-04-14
4.3
None Remote Medium Not required Partial None None
Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows an attacker who can locally read the user's files to obtain JWT tokens for the user's account due to insufficient cache clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens, as JWT is signed and encoded, not encrypted.
50 CVE-2021-26595 312 2021-02-23 2021-03-01
5.0
None Remote Low Not required Partial None None
** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by viewing the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Total number of vulnerabilities: 246 (page 1 of 5)