Total
1172 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34062 | 2025-07-03 | N/A | N/A | ||
| An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration. | |||||
| CVE-2025-6081 | 2025-07-03 | N/A | 6.8 MEDIUM | ||
| Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker can reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target device, the attacker can force the target device to authenticate to the attacker controlled LDAP service. This will allow the attacker to capture the plaintext password of the configured LDAP service. | |||||
| CVE-2024-49364 | 2025-07-03 | N/A | N/A | ||
| tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7. | |||||
| CVE-2024-50699 | 1 Tp-link | 2 Tl-wr845n, Tl-wr845n Firmware | 2025-07-02 | N/A | 8.0 HIGH |
| TP-Link TL-WR845N(UN)_V4_201214, TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain weak default credentials for the Administrator account. | |||||
| CVE-2025-4679 | 1 Synology | 1 Active Backup For Microsoft 365 | 2025-07-02 | N/A | 6.5 MEDIUM |
| A vulnerability in Synology Active Backup for Microsoft 365 allows remote authenticated attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2024-51984 | 2025-06-26 | N/A | 6.8 MEDIUM | ||
| An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the existing credentials for that external service. In the case of an external LDAP or FTP service, this will disclose the plaintext password for that external service to the attacker. | |||||
| CVE-2025-6526 | 2025-06-26 | 1.8 LOW | 3.1 LOW | ||
| A vulnerability, which was classified as problematic, has been found in 70mai M300 up to 20250611. This issue affects some unknown processing of the component HTTP Server. The manipulation leads to insufficiently protected credentials. The attack can only be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-29055 | 2025-06-20 | N/A | 7.5 HIGH | ||
| In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials. To avoid this threat, users are recommended to * Always turn on HTTPS so that network payload is encrypted. * Avoid putting credentials in kylin.properties, or at least not in plain text. * Use network firewalls to protect the serverside such that it is not accessible to external attackers. * Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface. | |||||
| CVE-2024-46341 | 1 Tp-link | 2 Tl-wr845n, Tl-wr845n Firmware | 2025-06-20 | N/A | 8.0 HIGH |
| TP-Link TL-WR845N(UN)_V4_190219 was discovered to transmit credentials in base64 encoded form, which can be easily decoded by an attacker executing a man-in-the-middle attack. | |||||
| CVE-2023-50125 | 1 Hozard | 1 Alarm System | 2025-06-20 | N/A | 5.9 MEDIUM |
| A default engineer password set on the Hozard alarm system (Alarmsysteem) v1.0 allows an attacker to bring the alarm system to a disarmed state. | |||||
| CVE-2024-47081 | 2025-06-12 | N/A | 5.3 MEDIUM | ||
| Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session. | |||||
| CVE-2025-30183 | 2025-06-12 | N/A | 7.5 HIGH | ||
| CyberData 011209 Intercom does not properly store or protect web server admin credentials. | |||||
| CVE-2025-35941 | 2025-06-12 | N/A | 5.5 MEDIUM | ||
| A password is exposed locally. | |||||
| CVE-2025-33079 | 1 Ibm | 2 Cognos Controller, Controller | 2025-06-09 | N/A | 6.5 MEDIUM |
| IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code. | |||||
| CVE-2023-36266 | 1 Keepersecurity | 2 Keeper, Keeperfill | 2025-06-09 | N/A | 5.5 MEDIUM |
| An issue was discovered in Keeper Password Manager for Desktop version 16.10.2 (fixed in 17.2), and the KeeperFill Browser Extensions version 16.5.4 (fixed in 17.2), allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information). | |||||
| CVE-2021-43978 | 1 Allegro | 1 Allegro | 2025-05-30 | 5.5 MEDIUM | 7.1 HIGH |
| Allegro WIndows 3.3.4152.0, embeds software administrator database credentials into its binary files, which allows users to access and modify data using the same credentials. | |||||
| CVE-2020-8422 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2025-05-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password). | |||||
| CVE-2019-12046 | 2 Debian, Lemonldap-ng | 2 Debian Linux, Lemonldap\ | 2025-05-28 | 7.5 HIGH | 9.8 CRITICAL |
| LemonLDAP::NG -2.0.3 has Incorrect Access Control. | |||||
| CVE-2022-41255 | 1 Jenkins | 1 Cons3rt | 2025-05-28 | N/A | 6.5 MEDIUM |
| Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-41247 | 1 Jenkins | 1 Bigpanda Notifier | 2025-05-27 | N/A | 4.3 MEDIUM |
| Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||