Total
58 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-8542 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | 4.0 MEDIUM | 8.8 HIGH |
| An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains a hashed password string which gets created by the client by asking the user to enter his or her OX Guard password. This parameter is used as single point of authentication when accessing PGP Private Keys. In case a user has set the same password as another user, it is possible to download another user's PGP Private Key by iterating the "id" and "cid" parameters. This kind of attack would also be able by brute-forcing login credentials, but since the "id" and "cid" parameters are sequential they are much easier to predict than a user's login name. At the same time, there are some obvious insecure standard passwords that are widely used. A attacker could send the hashed representation of typically weak passwords and randomly fetch Private Key of matching accounts. The attack can be executed by both internal users and "guests" which use the external mail reader. | |||||
| CVE-2016-10011 | 1 Openbsd | 1 Openssh | 2025-04-12 | 2.1 LOW | 5.5 MEDIUM |
| authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process. | |||||
| CVE-2025-3177 | 1 Fastcms Project | 1 Fastcms | 2025-04-08 | 4.6 MEDIUM | 5.0 MEDIUM |
| A vulnerability was found in FastCMS 0.1.5. It has been declared as critical. This vulnerability affects unknown code of the component JWT Handler. The manipulation leads to use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2220 | 1 Odysseyautomation | 1 Odyssey Cms | 2025-03-25 | 1.7 LOW | 3.3 LOW |
| A vulnerability was found in Odyssey CMS up to 10.34. It has been classified as problematic. Affected is an unknown function of the file /modules/odyssey_contact_form/odyssey_contact_form.php of the component reCAPTCHA Handler. The manipulation of the argument g-recaptcha-response leads to key management error. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-10920 | 1 Mariazevedo88 | 1 Travels-java-api | 2024-11-22 | 2.1 LOW | 3.1 LOW |
| A vulnerability was found in mariazevedo88 travels-java-api up to 5.0.1 and classified as problematic. Affected by this issue is the function doFilterInternal of the file travels-java-api-master\src\main\java\io\github\mariazevedo88\travelsjavaapi\filters\JwtAuthenticationTokenFilter.java of the component JWT Secret Handler. The manipulation leads to use of hard-coded cryptographic key . The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-36391 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| MileSight DeviceHub - CWE-320: Key Management Errors may allow Authentication Bypass and Man-In-The-Middle Traffic | |||||
| CVE-2023-21652 | 1 Qualcomm | 240 Aqt1000, Aqt1000 Firmware, Ar8035 and 237 more | 2024-11-21 | N/A | 7.7 HIGH |
| Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information is present on stack after use. | |||||
| CVE-2023-21626 | 1 Qualcomm | 370 Apq8009, Apq8009 Firmware, Apq8017 and 367 more | 2024-11-21 | N/A | 7.1 HIGH |
| Cryptographic issue in HLOS due to improper authentication while performing key velocity checks using more than one key. | |||||
| CVE-2019-9894 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Oncommand Unified Manager and 2 more | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| A remotely triggerable memory overwrite in RSA key exchange in PuTTY before 0.71 can occur before host key verification. | |||||
| CVE-2019-9150 | 1 Mailvelope | 1 Mailvelope | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported. | |||||
| CVE-2019-5885 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users. | |||||
| CVE-2019-5672 | 1 Nvidia | 2 Jetson Tx1, Jetson Tx2 | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| NVIDIA Jetson TX1 and TX2 contain a vulnerability in the Linux for Tegra (L4T) operating system (on all versions prior to R28.3) where the Secure Shell (SSH) keys provided in the sample rootfs are not replaced by unique host keys after sample rootsfs generation and flashing, which may lead to information disclosure. | |||||
| CVE-2019-14222 | 1 Alfresco | 1 Alfresco | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to Alfresco's Solr Web Admin Interface. The vulnerability is due to the presence of a default private key that is present in all default installations. An attacker could exploit this vulnerability by using the extracted private key and bundling it into a PKCS12. A successful exploit could allow the attacker to gain information about the target system (e.g., OS type, system file locations, Java version, Solr version, etc.) as well as the ability to launch further attacks by leveraging the access to Alfresco's Solr Web Admin Interface. | |||||
| CVE-2019-10851 | 1 Computrols | 1 Computrols Building Automation Software | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Computrols CBAS 18.0.0 has hard-coded encryption keys. | |||||
| CVE-2019-10643 | 1 Contao | 1 Contao Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Contao 4.7 allows Use of a Key Past its Expiration Date. | |||||
| CVE-2019-10112 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The construction of the HMAC key was insecurely derived. | |||||
| CVE-2019-1020004 | 1 Tridactyl Project | 1 Tridactyl | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Tridactyl before 1.16.0 allows fake key events. | |||||
| CVE-2018-9234 | 2 Canonical, Gnupg | 2 Ubuntu Linux, Gnupg | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. | |||||
| CVE-2018-7559 | 1 Opcfoundation | 2 Ua-.net-legacy, Ua-.netstandard | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
| An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack. | |||||
| CVE-2018-7534 | 1 Unisys | 1 Stealth Authorization Server | 2024-11-21 | 1.9 LOW | 4.7 MEDIUM |
| In Stealth Authorization Server before 3.3.017.0 in Unisys Stealth Solution, an encryption key may be left in memory. | |||||