Total
1256 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3480 | 1 Meddream | 1 Pacs Server | 2025-08-15 | 6.5 Medium |
| MedDream WEB DICOM Viewer Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of MedDream WEB DICOM Viewer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Web Portal. The issue results from the lack of encryption when transmitting credentials. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-25842. | ||||
| CVE-2025-30183 | 1 Cyberdata | 2 011209 Sip Emergency Intercom, 011209 Sip Emergency Intercom Firmware | 2025-08-12 | 7.5 High |
| CyberData 011209 Intercom does not properly store or protect web server admin credentials. | ||||
| CVE-2025-54394 | 1 Netwrix | 1 Directory Manager | 2025-08-12 | 5.3 Medium |
| Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 has Insufficiently Protected Credentials for requests to remote Excel resources. | ||||
| CVE-2025-28228 | 1 Electrolink | 1 Fm\/dab\/tv Transmitter Web Management System | 2025-08-07 | 7.5 High |
| A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext. | ||||
| CVE-2025-54876 | 1 Jansson Project | 1 Jansson | 2025-08-06 | N/A |
| The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease. | ||||
| CVE-2025-53008 | 1 Glpi-project | 1 Glpi | 2025-08-04 | 6.5 Medium |
| GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19. | ||||
| CVE-2025-54422 | 2 Sandboxie, Sandboxie-plus | 2 Sandboxie, Sandboxie | 2025-08-04 | 5.5 Medium |
| Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox creation, user passwords are transmitted via shared memory, exposing them to potential interception. The vulnerability is particularly severe during password modification operations, where both old and new passwords are passed as plaintext command-line arguments to the Imbox process without any encryption or obfuscation. This implementation flaw allows any process within the user session, including unprivileged processes, to retrieve these sensitive credentials by reading the command-line arguments, thereby bypassing standard privilege requirements and creating a significant security risk. This is fixed in version 1.16.2. | ||||
| CVE-2021-1232 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2025-08-04 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to read arbitrary files on the underlying filesystem of an affected system. This vulnerability is due to insufficient access control for sensitive information that is written to an affected system. An attacker could exploit this vulnerability by accessing sensitive information that they are not authorized to access on an affected system. A successful exploit could allow the attacker to gain access to devices and other network management systems that they should not have access to.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | ||||
| CVE-2025-5922 | 1 Tsplus | 1 Tsplus Remote Access | 2025-07-31 | N/A |
| Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases. | ||||
| CVE-2025-54428 | 1 Musombi123 | 1 Revelacode | 2025-07-29 | 9.8 Critical |
| RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating credentials for the exposed database user, using a secret manager (like Vault, Doppler, AWS Secrets Manager, etc.) instead of storing secrets directly in code, or auditing recent access logs for suspicious activity. | ||||
| CVE-2025-53669 | 1 Jenkins | 1 Vaddy | 2025-07-18 | 4.3 Medium |
| Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53667 | 1 Jenkins | 1 Dead Man\'s Snitch | 2025-07-18 | 5.3 Medium |
| Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53650 | 1 Jenkins | 1 Credentials Binding | 2025-07-18 | 7.3 High |
| Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. | ||||
| CVE-2025-53654 | 1 Jenkins | 1 Statistics Gatherer | 2025-07-18 | 6.5 Medium |
| Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | ||||
| CVE-2025-53660 | 1 Jenkins | 1 Qmetry Test Management | 2025-07-18 | 4.3 Medium |
| Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53657 | 1 Jenkins | 1 Readyapi Functional Testing | 2025-07-18 | 4.3 Medium |
| Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53661 | 1 Jenkins | 1 Testsigma Test Plan Run | 2025-07-18 | 4.3 Medium |
| Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-7565 | 1 Lb-link | 2 Bl-ac3600, Bl-ac3600 Firmware | 2025-07-17 | 5.3 Medium |
| A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-45157 | 1 Rancher | 1 Rancher | 2025-07-12 | 9.1 Critical |
| A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments. | ||||
| CVE-2024-33497 | 1 Siemens | 1 Simatic Rtls Locating Manager | 2025-07-12 | 6.3 Medium |
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Track Viewer Client do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role. | ||||