Vulnerabilities (CVE)

Filtered by CWE-312
Total 646 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-28810 1 Nokia 2 Hit 7300, Hit 7300 Firmware 2025-05-30 N/A 6.6 MEDIUM
An issue was discovered in Infinera hiT 7300 5.60.50. Sensitive information inside diagnostic files (exported by the @CT application) allows an attacker to achieve loss of confidentiality by analyzing these files.
CVE-2024-28807 1 Nokia 2 Hit 7300, Hit 7300 Firmware 2025-05-30 N/A 6.5 MEDIUM
An issue was discovered in Infinera hiT 7300 5.60.50. Cleartext storage of sensitive information in the memory of the @CT desktop management application allows guest OS administrators to obtain various users' passwords by accessing memory dumps of the desktop application.
CVE-2024-36790 1 Netgear 2 Wnr614, Wnr614 Firmware 2025-05-29 N/A 8.8 HIGH
Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 was discovered to store credentials in plaintext.
CVE-2024-47056 2025-05-29 N/A 5.1 MEDIUM
SummaryThis advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations. Sensitive Information Disclosure via .env File Exposure: The .env file, which typically contains environment variables and sensitive application configurations, is directly accessible via a web browser due to missing web server configurations that restrict access to such files. This allows an unauthenticated attacker to view the contents of this file by simply navigating to its URL. MitigationUpdate Mautic to the latest Mautic version. By default, Mautic does not use .env files for production data. For Apache users: Ensure your web server is configured to respect .htaccess files. For Nginx users: As Nginx does not inherently support .htaccess files, you must manually add a configuration block to your Nginx server configuration to deny access to .env files. Add the following to your Nginx configuration for the Mautic site: location ~ /\.env { deny all; } After modifying your Nginx configuration, remember to reload or restart your Nginx service for the changes to take effect.
CVE-2025-2120 1 Thinkwarestore 2 F800 Pro, F800 Pro Firmware 2025-05-28 1.7 LOW 2.1 LOW
A vulnerability was found in Thinkware Car Dashcam F800 Pro up to 20250226. It has been rated as problematic. This issue affects some unknown processing of the file /tmp/hostapd.conf of the component Configuration File Handler. The manipulation leads to cleartext storage in a file or on disk. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-3395 1 Abb 1 Automation Builder 2025-05-28 N/A 7.1 HIGH
Incorrect Permission Assignment for Critical Resource, Cleartext Storage of Sensitive Information vulnerability in ABB Automation Builder.This issue affects Automation Builder: through 2.8.0.
CVE-2025-4053 2025-05-28 N/A N/A
The data stored in Be-Tech Mifare Classic card is stored in cleartext. An attacker having access to a Be-Tech hotel guest Mifare Classic card can create a master key card that unlocks all the locks in the building. This issue affects all Be-Tech Mifare Classic card systems. To fix the vulnerability, it is necessary to replace the software, encoder, cards, and PCBs in the locks.
CVE-2022-41248 1 Jenkins 1 Bigpanda Notifier 2025-05-27 N/A 5.3 MEDIUM
Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.
CVE-2021-38150 1 Sap 1 Business Client 2025-05-27 4.3 MEDIUM 6.5 MEDIUM
When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid.
CVE-2015-8314 1 Heartcombo 1 Devise 2025-05-27 N/A 7.5 HIGH
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
CVE-2025-46634 1 Tenda 2 Rx2 Pro, Rx2 Pro Firmware 2025-05-27 N/A 8.2 HIGH
Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting credentials from observed/collected traffic. It implements encryption, but not until after the user has transmitted the hash of their password in cleartext. The hash can be replayed to authenticate.
CVE-2025-46633 1 Tenda 2 Rx2 Pro, Rx2 Pro Firmware 2025-05-27 N/A 8.2 HIGH
Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.
CVE-2023-50777 1 Jenkins 1 Paaslane Estimate 2025-05-22 N/A 4.3 MEDIUM
Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2018-18984 1 Medtronic 6 29901 Encore Programmer, 29901 Encore Programmer Firmware, Carelink 2090 Programmer and 3 more 2025-05-22 2.1 LOW 4.6 MEDIUM
Medtronic CareLink and Encore Programmers do not encrypt or do not sufficiently encrypt sensitive PII and PHI information while at rest .
CVE-2025-4737 2025-05-16 N/A 6.2 MEDIUM
Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage.
CVE-2021-33325 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 4.0 MEDIUM 4.9 MEDIUM
The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.
CVE-2021-33323 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-05-13 5.0 MEDIUM 7.5 HIGH
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 7, autosaves form values for unauthenticated users, which allows remote attackers to view the autosaved values by viewing the form as an unauthenticated user.
CVE-2022-3540 1 Hunter2 Project 1 Hunter2 2025-05-13 N/A 6.5 MEDIUM
An issue has been discovered in hunter2 affecting all versions before 2.1.0. Improper handling of auto-completion input allows an authenticated attacker to extract other users email addresses
CVE-2025-4537 2025-05-12 2.6 LOW 3.1 LOW
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.8.9 and classified as problematic. Affected by this issue is some unknown functionality of the file ruoyi-ui/jsencrypt.js and ruoyi-ui/login.vue of the component Password Handler. The manipulation leads to cleartext storage of sensitive information in a cookie. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2022-2805 1 Redhat 1 Virtualization 2025-05-09 N/A 6.5 MEDIUM
A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.