Show CWE-522: Insufficiently Protected Credentials - CXSecurity.com

	Topic	Date	Author
High	Canon PIXMA TR4550 1.020 / 1.080 Unencrypted Secret Storage	06.08.2023	Manuel Stotz
Med.	WordPress Social-Stream 1.6.0 Twitter API Secret Disclosure	28.05.2017	Kyle Lovett
Med.	Sophos Web Appliance 4.2.1.3 Privilege Escalation	05.11.2016	Matt Bergin
Med.	Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues	13.10.2015	Matthias Deeg
Med.	Netop Remote Control 11.52 / 12.11 Credential Issue	25.08.2015	Matthias Deeg
Low	PicsArt Photo Studio For Android Insecure Management	07.11.2014	Fundacion Dr. Manuel S...
High	Privoxy 3.0.20-1 Proxy Authentication Credential Exposure	12.03.2013	Chris John Riley

CVEMAP Search Results

CVE

Details

Description

2023-09-14

Waiting for details

CVE-2023-41010

Updating...

Insecure Permissions vulnerability in Sichuan Tianyi Kanghe Communication Co., Ltd China Telecom Tianyi Home Gateway v.TEWA-700G allows a local attacker to obtain sensitive information via the default password parameter.

2023-08-18

Waiting for details

CVE-2023-40173

Updating...

Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Prior to version 1.0.5 Social media skeleton did not properly salt passwords leaving user passwords susceptible to cracking should an attacker gain access to hashed passwords. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this issue.

2023-06-07

Waiting for details

CVE-2023-29168

Updating...

The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.

2023-05-09

	CVE-2023-31136	Updating...	PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
	CVE-2023-28764	Updating...	SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.

2023-04-26

Waiting for details

CVE-2023-30846

Updating...

typed-rest-client is a library for Node Rest and Http Clients with typings for use with TypeScript. Users of the typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties. The flow of the vulnerability is as follows: First, send any request with `BasicCredentialHandler`, `BearerCredentialHandler` or `PersonalAccessTokenCredentialHandler`. Second, the target host may return a redirection (3xx), with a link to a second host. Third, the next request will use the credentials to authenticate with the second host, by setting the `Authorization` header. The expected behavior is that the next request will NOT set the `Authorization` header. The problem was fixed in version 1.8.0. There are no known workarounds.

2023-01-30

	CVE-2022-32518	Updating...	A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32520. Affected Products: Data Center Expert (Versions prior to V7.9.0)
	CVE-2022-32520	Updating...	A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32518. Affected Products: Data Center Expert (Versions prior to V7.9.0)

2023-01-17

Waiting for details

CVE-2022-23538

Updating...

github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time.

2023-01-07

Waiting for details

CVE-2016-15014

Updating...

A vulnerability has been found in CESNET theme-cesnet up to 1.x and classified as problematic. Affected by this vulnerability is an unknown functionality of the file cesnet/core/lostpassword/templates/resetpassword.php. The manipulation leads to insufficiently protected credentials. Attacking locally is a requirement. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is 2b857f2233ce5083b4d5bc9bfc4152f933c3e4a6. It is recommended to upgrade the affected component. The identifier VDB-217633 was assigned to this vulnerability.

Copyright 2023, cxsecurity.com