Check CVE Id
Check CWE Id
ASUSTOR ADM 3.1.0.RFQ3 Remote Command Execution / SQL Injection
Yealink VoIP Phone SIP-T38G Default Credentials
Ammyy Admin 3.2 Access Bypass
Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMware Security team
Comcast DOCSIS 3.0 Business Gateways Multiple Vulnerabilities
Tandberg E, EX and C Series Endpoints Default Credentials for Root Account
RoomWizard Default Password and Sync Connector Credential Leak
SAP BusinessObjects Axis2 Default Admin Password
HD Moore (HD_Moore rap...
Synology Disk Station Web commands injection
AdPeeps 8.5d1 - XSS and HTML Injection Vulnerabilities
Linksys WAP54Gv3 Remote Debug Root Shell
Chrome Password Manager Cross Origin Weakness
Timothy D. Morgan
evalSMSI 2.1.03 Multiple Input Validation Vulnerabilities
Peter Van Eeckhoutte
HP Operations Agent 8.53 (solaris 10) Remote Unauthorized Access
GNU libc glibc: NIS shadow password
Exposing HMS HICP Protocol + Intellicom Remote Buffer Overflow
news script HB-NS v1.3 Remote Admin Vulnerability
kurdish hackers team
Radio istek scripti 2.5 remote configuration disclosure
kurdish hackers team
Riorey \"RIOS\" Hardcoded Password Vulnerability
Simple Machines Forum <= 1.1.5 Admin Reset Password Exploit (win32)
X10media Mp3 Search Engine <= 1.6 Remote File Disclosure Vulnerability
WordPress <= 2.8.3 Remote Admin Reset Password Vulnerability
Gizmo SSL Certificate Vulnerability
Gabriel Menezes Nunes
Multiple Flaws in Axesstel MV 410R
Multiple Flaws in Huawei D100
Blogator-script 0.95 Change User Password Vulnerbility
PHPRunner SQL Injection
Constructr CMS <= 3.02.5 Stable Multiple Remote Vulnerabilities
Philips VOIP841 Multiple Vulnerabilities
luca carettoni securen...
Windows Mobile 6 insecure password handling and too short WLAN-password
Linksys/Cisco WRT350N 188.8.131.52 Insecure Samba Static Configuration
Thickbox Gallery v2 (admins.php) Admin Data Disclosure Vulnerability
Crafty Syntax Live Help <= 2.14.6 SQL Injection
CVEMAP Search Results
CloudBees Jenkins Operations Center 184.108.40.206, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.
A vulnerability was found in the MIUI OS version 10.1.3.0 that allows a physically proximate attacker to bypass Lockscreen based authentication via the Wallpaper Carousel application to obtain sensitive Clipboard data and the user's stored credentials (partially). This occurs because of paste access to a social media login page.
Platform dependent weakness. This issue only impacts iSeries platforms. On these platforms, in BIG-IP APM versions 14.0.0-220.127.116.11, 13.0.0-18.104.22.168, and 12.1.1 HF2-12.1.4, the secureKeyCapable attribute was not set which causes secure vault to not use the F5 hardware support to store the unit key. Instead the unit key is stored in plaintext on disk as would be the case for Z100 systems. Additionally this causes the unit key to be stored in UCS files taken on these platforms.
AVEVA Wonderware System Platform 2017 Update 2 and prior uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to obtain the credentials for this account.
The Boa server configuration on DASAN H660RM devices with firmware 1.03-0022 logs POST data to the /tmp/boa-temp file, which allows logged-in users to read the credentials of administration web interface users.
When "set system ports console insecure" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using "set system root-authentication plain-text-password" on systems booted from an OAM (Operations, Administration, and Maintenance) volume, leading to a possible administrative bypass with physical access to the console. OAM volumes (e.g. flash drives) are typically instantiated as /dev/gpt/oam, or /oam for short. Password recovery, changing the root password from a console, should not have been allowed from an insecure console. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D68; 16.1 versions prior to 16.1R3-S10, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S8; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S3; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S2. This issue does not affect Junos OS releases prior to 15.1.
A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to login to the Organization. Affected products are: Juniper Networks Service Insight versions from 15.1R1, prior to 18.1R1. Service Now versions from 15.1R1, prior to 18.1R1.
If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.
Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects: Rapid7 InsightVM versions 6.5.11 through 6.5.49.
A plaintext password vulnerability in the Zyxel NAS 326 through 5.21 allows an elevated privileged user to get the admin password of the device.
Back to Top