Total
70 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2365 | 2024-05-17 | 0.8 LOW | 1.6 LOW | ||
| A vulnerability classified as problematic was found in Musicshelf 1.0/1.1 on Android. Affected by this vulnerability is an unknown functionality of the file io\fabric\sdk\android\services\network\PinningTrustManager.java of the component SHA-1 Handler. The manipulation leads to password hash with insufficient computational effort. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-256321 was assigned to this vulnerability. | |||||
| CVE-2023-4986 | 1 Supcon | 1 Inplant Scada | 2024-05-17 | 1.0 LOW | 2.5 LOW |
| A vulnerability classified as problematic was found in Supcon InPlant SCADA up to 20230901. Affected by this vulnerability is an unknown functionality of the file Project.xml. The manipulation leads to password hash with insufficient computational effort. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-239797 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-47557 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-05-17 | N/A | 6.1 MEDIUM |
| Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions. | |||||
| CVE-2024-29886 | 2024-03-28 | N/A | 5.3 MEDIUM | ||
| Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6. | |||||
| CVE-2024-25607 | 2024-02-20 | N/A | 8.1 HIGH | ||
| The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor, which allows attackers to quickly crack password hashes. | |||||
| CVE-2001-0967 | 1 Arkeia | 1 Arkeia | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| Knox Arkeia server 4.2, and possibly other versions, uses a constant salt when encrypting passwords using the crypt() function, which makes it easier for an attacker to conduct brute force password guessing. | |||||
| CVE-2008-1526 | 1 Zyxel | 38 P-660h-61, P-660h-61 Firmware, P-660h-63 and 35 more | 2024-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords. | |||||
| CVE-2005-0408 | 1 Citrusdb | 1 Citrusdb | 2024-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable. | |||||
| CVE-2002-1657 | 1 Postgresql | 1 Postgresql | 2024-02-09 | 5.0 MEDIUM | 7.5 HIGH |
| PostgreSQL uses the username for a salt when generating passwords, which makes it easier for remote attackers to guess passwords via a brute force attack. | |||||
| CVE-2006-1058 | 2 Avaya, Busybox | 5 Aura Application Enablement Services, Aura Sip Enablement Services, Message Networking and 2 more | 2024-02-09 | 2.1 LOW | 5.5 MEDIUM |
| BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. | |||||
| CVE-2023-34433 | 1 Piigab | 2 M-bus 900s, M-bus 900s Firmware | 2024-02-04 | N/A | 9.8 CRITICAL |
| PiiGAB M-Bus stores passwords using a weak hash algorithm. | |||||
| CVE-2023-33243 | 1 Starface | 1 Starface | 2024-02-04 | N/A | 8.1 HIGH |
| RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash. | |||||
| CVE-2022-26115 | 1 Fortinet | 1 Fortisandbox | 2024-02-04 | N/A | 7.5 HIGH |
| A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords. | |||||
| CVE-2023-0567 | 1 Php | 1 Php | 2024-02-04 | N/A | 6.2 MEDIUM |
| In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. | |||||
| CVE-2023-27580 | 1 Codeigniter | 1 Shield | 2024-02-04 | N/A | 5.9 MEDIUM |
| CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker gets (1) the user's hashed password by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all users’ hashed passwords should be updated (saved to the database). There are no known workarounds. | |||||
| CVE-2020-12069 | 1 Pilz | 1 Pmc | 2024-02-04 | N/A | 9.8 CRITICAL |
| In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device. | |||||
| CVE-2022-40258 | 1 Ami | 2 Megarac Spx-12, Megarac Spx-13 | 2024-02-04 | N/A | 5.3 MEDIUM |
| AMI Megarac Weak password hashes for Redfish & API | |||||
| CVE-2022-37164 | 1 Ontrack Project | 1 Ontrack | 2024-02-04 | N/A | 9.8 CRITICAL |
| Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes. | |||||
| CVE-2022-37163 | 1 Ihatetobudget Project | 1 Ihatetobudget | 2024-02-04 | N/A | 9.8 CRITICAL |
| Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes. | |||||
| CVE-2022-36071 | 1 Sftpgo Project | 1 Sftpgo | 2024-02-04 | N/A | 8.1 HIGH |
| SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it. | |||||