Vulnerabilities (CVE)

Filtered by CWE-255
Total 730 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2007-6399 1 Myupb 1 Flat Php Board 2025-04-09 6.5 MEDIUM N/A
index.php in Flat PHP Board 1.2 and earlier allows remote authenticated users to obtain the password for the current user account by reading the password parameter value in the HTML source for the page generated by a profile action.
CVE-2007-4656 1 Backup Manager 1 Backup Manager 2025-04-09 2.1 LOW N/A
backup-manager-upload in Backup Manager before 0.6.3 provides the FTP server hostname, username, and password as plaintext command line arguments during FTP uploads, which allows local users to obtain sensitive information by listing the process and its arguments, a different vulnerability than CVE-2007-2766.
CVE-2008-7050 1 Wowraidmanager 1 Wowraidmanager 2025-04-09 7.5 HIGH N/A
The password_check function in auth/auth_phpbb3.php in WoW Raid Manager 3.5.1 before Patch 1, when using PHPBB3 authentication, (1) does not invoke the CheckPassword function with the required arguments, which always triggers an authentication failure, and (2) returns true instead of false when an authentication failure occurs, which allows remote attackers to bypass authentication and gain privileges with an arbitrary password.
CVE-2009-4354 1 Transware 1 Active\! Mail 2025-04-09 5.8 MEDIUM N/A
TransWARE Active! mail 2003 build 2003.0139.0871 and earlier does not properly secure the session ID in a session cookie, which allows remote attackers to hijack web sessions, probably related to the "secure" flag for cookies in SSL sessions.
CVE-2008-1390 1 Asterisk 5 Asterisk, Asterisk Appliance Developer Kit, Asterisk Business Edition and 2 more 2025-04-09 9.3 HIGH N/A
The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.
CVE-2008-5326 2 Ibm, Microsoft 2 Rational Clearquest, Windows 2025-04-09 4.4 MEDIUM N/A
The ClearQuest Maintenance Tool in IBM Rational ClearQuest 7.0.0 before 7.0.0.4 and 7.0.1 before 7.0.1.3 on Windows allows local users to obtain (1) user and (2) database passwords by using a password revealer utility on a field containing a series of asterisks.
CVE-2009-2945 1 Stanford 1 Webauth 2025-04-09 4.3 MEDIUM N/A
weblogin/login.fcgi (aka the WebLogin login script) in Stanford University WebAuth 3.5.5, 3.6.0, and 3.6.1 places passwords in URLs in certain circumstances involving conversion of a POST request to a GET request, which allows context-dependent attackers to discover passwords by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.
CVE-2007-6661 1 2z Project 1 2z Project 2025-04-09 6.4 MEDIUM N/A
2z project 0.9.6.1 allows attackers to change the password without supplying the old password.
CVE-2009-0503 1 Ibm 1 Websphere Message Broker 2025-04-09 2.1 LOW N/A
IBM WebSphere Message Broker 6.1.x before 6.1.0.2 writes a database connection password to the Event Log and System Log during exception handling for a JDBC error, which allows local users to obtain sensitive information by reading these logs.
CVE-2008-2857 1 Alstrasoft 1 Askme 2025-04-09 5.0 MEDIUM N/A
AlstraSoft AskMe Pro 2.1 and earlier stores passwords in cleartext in a MySQL database, which allows context-dependent attackers to obtain sensitive information.
CVE-2007-5063 1 Adam Scheinberg 1 Flip 2025-04-09 5.0 MEDIUM N/A
Adam Scheinberg Flip 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing login credentials via a direct request for var/users.txt.
CVE-2008-5690 1 Sun 2 Opensolaris, Solaris 2025-04-09 2.1 LOW N/A
The Kerberos credential renewal feature in Sun Solaris 8, 9, and 10, and OpenSolaris build snv_01 through snv_104, allows local users to cause a denial of service (authentication failure) via unspecified vectors related to incorrect cache file permissions, and lack of credential storage by the store_cred function in pam_krb5.
CVE-2008-1970 1 Mucommander 1 Mucommander 2025-04-09 2.1 LOW N/A
muCommander before 0.8.2 stores credentials.xml with insecure permissions, which allows local users to obtain credentials.
CVE-2009-4463 1 Intellicom 3 Netbiter Webscada Firmware, Netbiter Webscada Ws100, Netbiter Webscada Ws200 2025-04-09 10.0 HIGH N/A
Intellicom NetBiter WebSCADA devices use default passwords for the HICP network configuration service, which makes it easier for remote attackers to modify network settings and cause a denial of service. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: this issue was originally reported to be hard-coded passwords, not default passwords.
CVE-2007-6260 1 Oracle 1 Database Server 2025-04-09 6.8 MEDIUM N/A
The installation process for Oracle 10g and llg uses accounts with default passwords, which allows remote attackers to obtain login access by connecting to the Listener. NOTE: at the end of the installation, if performed using the Database Configuration Assistant (DBCA), most accounts are disabled or their passwords are changed.
CVE-2008-1529 1 Zyxel 3 Prestige 660, Prestige 661, Zynos 2025-04-09 5.0 MEDIUM N/A
ZyXEL Prestige routers have a minimum password length for the admin account that is too small, which makes it easier for remote attackers to guess passwords via brute force methods.
CVE-2009-4189 1 Hp 1 Operations Manager 2025-04-09 10.0 HIGH N/A
HP Operations Manager has a default password of OvW*busr1 for the ovwebusr account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3099 and CVE-2009-3843.
CVE-2009-3548 1 Apache 1 Tomcat 2025-04-09 7.5 HIGH N/A
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
CVE-2007-6096 1 Ingate 2 Ingate Firewall, Ingate Siparator 2025-04-09 5.0 MEDIUM N/A
Ingate Firewall before 4.6.0 and SIParator before 4.6.0 use cleartext storage for passwords of "administrators with less privileges," which might allow attackers to read these passwords via unknown vectors.
CVE-2008-5104 2 Dcgrendel, Ubuntu 2 Vmbuilder, Ubuntu Linux 2025-04-09 7.2 HIGH N/A
Ubuntu 6.06 LTS, 7.10, 8.04 LTS, and 8.10, when installed as a virtual machine by (1) python-vm-builder or (2) ubuntu-vm-builder in VMBuilder 0.9 in Ubuntu 8.10, have ! (exclamation point) as the default root password, which allows attackers to bypass intended login restrictions.