Export limit exceeded: 360229 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (4585 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-50634 | 2 Sbond, Sbondco | 2 Watcharr, Watcharr | 2024-11-14 | 8.8 High |
| A vulnerability in a weak JWT token in Watcharr v1.43.0 and below allows attackers to perform privilege escalation using a crafted JWT token. This vulnerability is not limited to privilege escalation but also affects all functions that require authentication. | ||||
| CVE-2024-47529 | 1 Openc3 | 1 Cosmos | 2024-11-13 | 6.5 Medium |
| OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). This vulnerability is fixed in 5.19.0. This only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition. | ||||
| CVE-2024-10523 | 1 Tp-link | 2 Tapo H100, Tapo H100 Firmware | 2024-11-08 | 4.6 Medium |
| This vulnerability exists in TP-Link IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi credentials stored on the vulnerable device. | ||||
| CVE-2024-38408 | 1 Qualcomm | 470 315 5g Iot Modem, 315 5g Iot Modem Firmware, Aqt1000 and 467 more | 2024-11-08 | 8.2 High |
| Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions. | ||||
| CVE-2024-7783 | 2 Miniplex Labs, Mintplexlabs | 2 Miniplex Labs\/anything Lim, Anythingllm | 2024-10-31 | 7.5 High |
| mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3. | ||||
| CVE-2024-8013 | 1 Mongodb | 2 Mongo Crypt V1.so, Mongocryptd | 2024-10-31 | 2.2 Low |
| A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions. | ||||
| CVE-2024-47124 | 1 Gotenna | 1 Gotenna Pro | 2024-10-17 | 4.3 Medium |
| The goTenna Pro App does not encrypt callsigns in messages. It is recommended to not use sensitive information in callsigns when using this and previous versions of the app and update your app to the current app version which uses AES-256 encryption for callsigns in encrypted operation. | ||||
| CVE-2024-45838 | 1 Gotenna | 2 Gotenna, Pro Atak Plugin | 2024-10-17 | 4.3 Medium |
| The goTenna Pro ATAK Plugin does not encrypt callsigns in messages. It is advised to not use sensitive information in callsigns when using this and previous versions of the plugin. Update to current plugin version which uses AES-256 encryption for callsigns in encrypted operation | ||||
| CVE-2024-47871 | 1 Gradio Project | 1 Gradio | 2024-10-17 | 9.1 Critical |
| Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication. | ||||
| CVE-2024-47833 | 1 Avaiga | 1 Taipy | 2024-10-16 | 6.5 Medium |
| Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-20448 | 1 Cisco | 1 Nexus Dashboard Fabric Controller | 2024-10-08 | 6.3 Medium |
| A vulnerability in the Cisco Nexus Dashboard Fabric Controller (NDFC) software, formerly Cisco Data Center Network Manager (DCNM), could allow an attacker with access to a backup file to view sensitive information. This vulnerability is due to the improper storage of sensitive information within config only and full backup files. An attacker could exploit this vulnerability by parsing the contents of a backup file that is generated from an affected device. A successful exploit could allow the attacker to access sensitive information, including NDFC-connected device credentials, the NDFC site manager private key, and the scheduled backup file encryption key. | ||||
| CVE-2024-8459 | 2 Planet, Planet Technology Corp | 6 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 3 more | 2024-10-04 | 7.2 High |
| Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials. | ||||
| CVE-2024-42495 | 1 Echostar | 2 Fusion, Hughes Wl3000 | 2024-10-04 | 6.5 Medium |
| Credentials to access device configuration were transmitted using an unencrypted protocol. These credentials would allow read-only access to network configuration information and terminal configuration data. | ||||
| CVE-2024-25661 | 1 Infinera | 1 Tnms | 2024-10-04 | 7.7 High |
| In Infinera TNMS (Transcend Network Management System) 19.10.3, cleartext storage of sensitive information in memory of the desktop application TNMS Client allows guest OS administrators to obtain various users' passwords by reading memory dumps of the desktop application. | ||||
| CVE-2024-45862 | 2 Kastle, Kastlesystems | 3 Access Control System, Access Control System Firmware, Access Control System Firmware | 2024-09-30 | 7.5 High |
| Kastle Systems firmware prior to May 1, 2024, stored machine credentials in cleartext, which may allow an attacker to access sensitive information. | ||||
| CVE-2024-6785 | 1 Moxa | 2 Mxview One, Mxview One Central Manager | 2024-09-27 | 5.5 Medium |
| The configuration file stores credentials in cleartext. An attacker with local access rights can read or modify the configuration file, potentially resulting in the service being abused due to sensitive information exposure. | ||||
| CVE-2024-9040 | 1 Code-projects | 1 Blood Bank Management System | 2024-09-27 | 2.3 Low |
| A vulnerability, which was classified as problematic, was found in code-projects Blood Bank Management System 1.0. This affects an unknown part of the component Password Handler. The manipulation leads to cleartext storage in a file or on disk. An attack has to be approached locally. | ||||
| CVE-2024-43180 | 1 Ibm | 1 Concert | 2024-09-20 | 4.3 Medium |
| IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | ||||
| CVE-2024-20503 | 1 Cisco | 1 Duo Authentication For Epic | 2024-09-13 | 5.5 Medium |
| A vulnerability in Cisco Duo Epic for Hyperdrive could allow an authenticated, local attacker to view sensitive information in cleartext on an affected system. This vulnerability is due to improper storage of an unencrypted registry key. A low-privileged attacker could exploit this vulnerability by viewing or querying the registry key on the affected system. A successful exploit could allow the attacker to view sensitive information in cleartext. | ||||
| CVE-2021-22509 | 1 Microfocus | 1 Netiq Advanced Authentication | 2024-09-13 | 8.1 High |
| A vulnerability identified in storing and reusing information in Advance Authentication. This issue can lead to leakage of sensitive data to unauthorized user. The issue affects NetIQ Advance Authentication before 6.3.5.1 | ||||