| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
| 1 | CVE-2022-31004 | 312 |  |  | 2022-06-02 | 2022-06-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch. |
| 2 | CVE-2022-29868 | 312 |  | Bypass | 2022-05-09 | 2022-05-18 | 2.1 | None | Local | Low | Not required | Partial | None | None |
1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password. |
| 3 | CVE-2022-29620 | 312 |  |  | 2022-06-07 | 2022-06-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
** DISPUTED ** FileZilla v3.59.0 allows attackers to obtain cleartext passwords of connected SSH or FTP servers via a memory dump. NOTE: the vendor does not consider this a vulnerability. |
| 4 | CVE-2022-28214 | 312 |  |  | 2022-05-11 | 2022-05-19 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability. |
| 5 | CVE-2022-28162 | 312 |  |  | 2022-05-09 | 2022-05-17 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text. |
| 6 | CVE-2022-26778 | 312 |  |  | 2022-03-10 | 2022-03-18 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
Veritas System Recovery (VSR) 18 and 21 stores a network destination password in the Windows registry during configuration of the backup configuration. This could allow a Windows user (who has sufficient privileges) to access a network file system that they were not authorized to access. |
| 7 | CVE-2022-26148 | 312 |  |  | 2022-03-21 | 2022-05-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. |
| 8 | CVE-2022-25160 | 312 |  |  | 2022-04-01 | 2022-06-02 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions and Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions allows a remote unauthenticated attacker to disclose a file in a legitimate user's product by using previously eavesdropped cleartext information and to counterfeit a legitimate user’s system. |
| 9 | CVE-2022-25158 | 312 |  |  | 2022-04-01 | 2022-06-02 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote attacker to disclose or tamper with a file in which password hash is saved in cleartext. |
| 10 | CVE-2022-23236 | 312 |  |  | 2022-06-02 | 2022-06-11 | 2.1 | None | Local | Low | Not required | Partial | None | None |
E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users. |
| 11 | CVE-2022-23234 | 312 |  |  | 2022-03-16 | 2022-03-28 | 2.1 | None | Local | Low | Not required | Partial | None | None |
SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials. |
| 12 | CVE-2022-23129 | 312 |  |  | 2022-01-21 | 2022-01-27 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information. |
| 13 | CVE-2022-22789 | 312 |  |  | 2022-01-25 | 2022-02-01 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
Charactell - FormStorm Enterprise Account takeover – An attacker can modify (add, remove and update) the passwords file for all users. The xx_users.ini file in the FormStorm folder contains usernames in cleartext and an obfuscated password. A malicious user can take over an account by replacing the existing password in the file. |
| 14 | CVE-2022-22484 | 312 |  | +Info | 2022-05-17 | 2022-05-25 | 2.1 | None | Local | Low | Not required | Partial | None | None |
IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a local attacker to obtain sensitive information, caused by plain text user account passwords potentially being stored in the browser's application command history. By accessing browser history, an attacker could exploit this vulnerability to obtain other user accounts' passwords. IBM X-Force ID: 226322. |
| 15 | CVE-2022-21818 | 312 |  | +Priv | 2022-02-15 | 2022-02-23 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None |
NVIDIA License System contains a vulnerability in the installation scripts for the DLS virtual appliance, where a user on a network after signing in to the portal can access other users’ credentials, allowing them to gain escalated privileges, resulting in limited impact to both confidentiality and integrity. |
| 16 | CVE-2022-20660 | 312 |  | +Info | 2022-01-14 | 2022-01-22 | 2.1 | None | Local | Low | Not required | Partial | None | None |
A vulnerability in the information storage architecture of several Cisco IP Phone models could allow an unauthenticated, physical attacker to obtain confidential information from an affected device. This vulnerability is due to unencrypted storage of confidential information on an affected device. An attacker could exploit this vulnerability by physically extracting and accessing one of the flash memory chips. A successful exploit could allow the attacker to obtain confidential information from the device, which could be used for subsequent attacks. |
| 17 | CVE-2022-0835 | 312 |  |  | 2022-04-11 | 2022-04-18 | 1.9 | None | Local | Medium | Not required | Partial | None | None |
AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user. |
| 18 | CVE-2021-45491 | 312 |  |  | 2022-03-28 | 2022-03-31 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
3CX System through 2022-03-17 stores cleartext passwords in a database. |
| 19 | CVE-2021-45025 | 312 |  |  | 2022-06-17 | 2022-06-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
ASG Technologies (A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie. |
| 20 | CVE-2021-43590 | 312 |  |  | 2022-03-04 | 2022-03-12 | 3.6 | None | Local | Low | Not required | Partial | Partial | None |
Dell EMC Enterprise Storage Analytics for vRealize Operations, versions 4.0.1 to 6.2.1, contain a Plain-text password storage vulnerability. A local high privileged malicious user may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. |
| 21 | CVE-2021-43388 | 312 |  |  | 2021-12-14 | 2021-12-16 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Unisys Cargo Mobile Application before 1.2.29 uses cleartext to store sensitive information, which might be revealed in a backup. The issue is addressed by ensuring that the allowBackup flag (in the manifest) is False. |
| 22 | CVE-2021-42763 | 312 |  |  | 2021-11-02 | 2021-11-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request. |
| 23 | CVE-2021-42642 | 312 |  |  | 2022-02-02 | 2022-02-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability that allows an unauthenticated attacker to disclose the plaintext console username and password for a printer. |
| 24 | CVE-2021-42370 | 312 |  |  | 2021-11-08 | 2022-04-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.) |
| 25 | CVE-2021-42066 | 312 |  |  | 2021-12-14 | 2022-01-21 | 3.5 | None | Remote | Medium | ??? | Partial | None | None |
SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover vulnerable function in-depth application knowledge is required, but once exploited the attacker may be able to completely compromise confidentiality, integrity, and availability of the application. |
| 26 | CVE-2021-41639 | 312 |  |  | 2022-06-24 | 2022-07-01 | 2.1 | None | Local | Low | Not required | Partial | None | None |
MELAG FTP Server 2.2.0.4 stores unencrypted passwords of FTP users in a local configuration file. |
| 27 | CVE-2021-41090 | 312 |  |  | 2021-12-08 | 2022-03-31 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as `*_file` based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API. |
| 28 | CVE-2021-40527 | 312 |  |  | 2021-10-25 | 2021-10-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Exposure of sensitive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application. |
| 29 | CVE-2021-40454 | 312 |  |  | 2021-10-13 | 2021-10-19 | 2.1 | None | Local | Low | Not required | Partial | None | None |
Rich Text Edit Control Information Disclosure Vulnerability |
| 30 | CVE-2021-40363 | 312 |  |  | 2022-02-09 | 2022-05-20 | 2.1 | None | Local | Low | Not required | Partial | None | None |
A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions >= V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The affected component stores the credentials of a local system account in a potentially publicly accessible project file using an outdated cipher algorithm. An attacker may use this to brute force the credentials and take over the system. |
| 31 | CVE-2021-40087 | 312 |  |  | 2021-08-25 | 2021-09-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrator). This affects use of any of the following protocols: SCEP, CMP, or EST. |
| 32 | CVE-2021-39078 | 312 |  |  | 2022-04-19 | 2022-04-27 | 2.1 | None | Local | Low | Not required | Partial | None | None |
IBM Security Guardium 10.5 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215589. |
| 33 | CVE-2021-38949 | 312 |  |  | 2021-11-16 | 2021-11-17 | 2.1 | None | Local | Low | Not required | Partial | None | None |
IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 211403. |
| 34 | CVE-2021-38915 | 312 |  |  | 2021-10-12 | 2021-10-18 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 209947. |
| 35 | CVE-2021-38911 | 312 |  |  | 2021-10-19 | 2021-10-22 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by an authenticated privileged user. IBM X-Force ID: 209940. |
| 36 | CVE-2021-38422 | 312 |  |  | 2021-11-03 | 2021-11-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges. |
| 37 | CVE-2021-37842 | 312 |  | +Info | 2021-11-02 | 2021-11-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it. |
| 38 | CVE-2021-37548 | 312 |  |  | 2021-08-06 | 2021-08-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS. |
| 39 | CVE-2021-37157 | 312 |  |  | 2021-11-10 | 2021-11-12 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete |
An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. $HOME/OGP/Cfg/Config.pm has the root password in cleartext. |
| 40 | CVE-2021-36460 | 312 |  |  | 2022-04-25 | 2022-05-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless. |
| 41 | CVE-2021-36165 | 312 |  |  | 2021-09-28 | 2021-10-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64. |
| 42 | CVE-2021-36158 | 312 |  |  | 2021-07-05 | 2021-07-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
In the xrdp package (in branches through 3.14) for Alpine Linux, RDP sessions are vulnerable to man-in-the-middle attacks because pre-generated RSA certificates and private keys are used. |
| 43 | CVE-2021-36096 | 312 |  |  | 2021-09-06 | 2021-09-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
Generated Support Bundles contain private S/MIME and PGP keys if the containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions. |
| 44 | CVE-2021-35035 | 312 |  | +Info | 2021-12-29 | 2022-01-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
A cleartext storage of sensitive information vulnerability in the Zyxel NBG6604 firmware could allow a remote, authenticated attacker to obtain sensitive information from the configuration file. |
| 45 | CVE-2021-34544 | 312 |  |  | 2021-12-07 | 2021-12-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
An issue was discovered in Solar-Log 500 before 2.8.2 Build 52 23.04.2013. In /export.html, email.html, and sms.html, cleartext passwords are stored. This may allow sensitive information to be read by someone with access to the device. |
| 46 | CVE-2021-33716 | 312 |  |  | 2021-09-14 | 2022-06-14 | 3.3 | None | Local Network | Low | Not required | Partial | None | None |
A vulnerability has been identified in SIMATIC CP 1543-1 (incl. SIPLUS variants) (All versions < V3.0), SIMATIC CP 1545-1 (All versions < V1.1). An attacker with access to the subnet of the affected device could retrieve sensitive information stored in cleartext. |
| 47 | CVE-2021-33325 | 312 |  |  | 2021-08-03 | 2021-08-11 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password. |
| 48 | CVE-2021-33323 | 312 |  |  | 2021-08-03 | 2021-08-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user. |
| 49 | CVE-2021-31989 | 312 |  |  | 2021-08-25 | 2021-09-01 | 3.5 | None | Remote | Medium | ??? | Partial | None | None |
A user with permission to log on to the machine hosting the AXIS Device Manager client could under certain conditions extract a memory dump from the built-in Windows Task Manager application. The memory dump may potentially contain credentials of connected Axis devices. |
| 50 | CVE-2021-31821 | 312 |  |  | 2022-01-19 | 2022-01-26 | 2.1 | None | Local | Low | Not required | Partial | None | None |
When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image. |