CWE-522: Insufficiently Protected Credentials
1,427 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-522 (page 4 of 29)
- CVE-2018-20401 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-23
Zoom 5352 v5.5.8.6Y devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
- CVE-2018-20438 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
Technicolor TC7110.AR STD3.38.03 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.
- CVE-2018-20439 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
Technicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-170214a devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.
- CVE-2018-20440 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
Technicolor CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.
- CVE-2018-20441 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
Technicolor TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.
- CVE-2018-20442 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
Technicolor TC7110.B STC8.62.02 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.
- CVE-2018-20443 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
Technicolor TC7200.d1I TC7200.d1IE-N23E-c7000r5712-170406-HAT devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.
- CVE-2018-20444 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
Technicolor CGA0111 CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP reques…
- CVE-2018-20445 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-25
D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_1.10 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32 and iso.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32 SNMP reque…
- CVE-2018-20781 | HIGH | CVSS 7.8 | EG 7.8 | 2019-02-12
In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.
- CVE-2018-21031 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-11-18
Tautulli versions 2.1.38 and below allow remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token is mishandled and can be retrieved from Tautulli. NOTE: Initially, this id was associated with Plex …
- CVE-2018-21237 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-06-04
An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows NTLM credential theft via a GoToE or GoToR action.
- CVE-2018-21239 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-06-04
An issue was discovered in Foxit Reader and PhantomPDF before 9.2. It allows NTLM credential theft via a GoToE or GoToR action.
- CVE-2018-21248 | HIGH | CVSS 7.5 | EG 7.5 | 2020-06-19
An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
- CVE-2018-3609 | HIGH | CVSS 8.1 | EG 8.1 | 2018-02-16
A vulnerability in the Trend Micro InterScan Messaging Security Virtual Appliance 9.0 and 9.1 management portal could allow an unauthenticated user to access sensitive information in a particular log file that could be used to bypass authe…
- CVE-2018-4170 | HIGH | CVSS 7.8 | EG 7.8 | 2018-04-03
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Admin Framework" component. It allows local users to discover a password by listing a process and its arguments during sysadminctl…
- CVE-2018-4190 | HIGH | CVSS 8.8 | EG 8.8 | 2018-06-08
An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issu…
- CVE-2018-5446 | MEDIUM | CVSS 4.9 | EG 5.3 | 2018-05-04
Medtronic 2090 CareLink Programmer uses a per-product username and password that is stored in a recoverable format.
- CVE-2018-5543 | HIGH | CVSS 8.8 | EG 8.8 | 2018-07-31
The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the container.
- CVE-2018-5708 | HIGH | CVSS 8.0 | EG 8.0 | 2018-03-30
An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on the same local network as, but being unauthenticated to, the administrator's panel, a user can obtain the admin username and cleartext password in the response (specific…
- CVE-2018-6618 | HIGH | CVSS 7.8 | EG 7.8 | 2018-05-11
Easy Hosting Control Panel (EHCP) v0.37.12.b allows attackers to obtain sensitive information by leveraging cleartext password storage.
- CVE-2018-7510 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-06
In the web application in BeaconMedaes TotalAlert Scroll Medical Air Systems running software versions prior to 4107600010.23, passwords are presented in plaintext in a file that is accessible without authentication.
- CVE-2018-7518 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-05-24
In TotalAlert Web Application in BeaconMedaes Scroll Medical Air Systems prior to v4107600010.23, an attacker with network access to the integrated web server could retrieve default or user defined credentials stored and transmitted in an …
- CVE-2018-7698 | HIGH | CVSS 8.1 | EG 8.1 | 2018-03-05
An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933L 1.05.04 and DCS-934L 1.05.04 devices. The mydlink+ app sends the username and password for connected D-Link cameras (such as DCS-933L and DCS-934L) unencrypted from th…
- CVE-2018-7782 | HIGH | CVSS 8.8 | EG 8.8 | 2018-07-03
In Schneider Electric Pelco Sarix Professional 1st generation cameras with firmware versions prior to 3.29.69, authenticated users can view passwords in clear text.
- CVE-2018-7820 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-09-17
A Credentials Management CWE-255 vulnerability exists in the APC UPS Network Management Card 2 AOS v6.5.6, which could cause Remote Monitoring Credentials to be viewed in plaintext when Remote Monitoring is enabled, and then disabled.
- CVE-2018-8851 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-07-24
Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configur…
- CVE-2018-8858 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-10-30
If an attacker has access to the firmware from the VGo Robot (Versions 3.0.3.52164 and 3.0.3.53662. Prior versions may also be affected) they may be able to extract credentials.
- CVE-2018-9031 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-03-29
The login interface on TNLSoftSolutions Sentry Vision 3.x devices provides password disclosure by reading an "if(pwd ==" line in the HTML source code. This means, in effect, that authentication occurs only on the client side.
- CVE-2018-9160 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-03-31
SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
- CVE-2018-9279 | MEDIUM | CVSS 4.9 | EG 4.9 | 2018-10-24
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The appliance discloses the user's password. The web page displayed by the appliance contains the password in cleartext. Passwords could be retrieved by browsing the source code of …
- CVE-2018-9280 | MEDIUM | CVSS 4.9 | EG 4.9 | 2018-10-24
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The appliance discloses the SNMP version 3 user's password. The web page displayed by the appliance contains the password in cleartext. Passwords of the read and write users could b…
- CVE-2019-0032 | HIGH | CVSS 7.8 | EG 7.8 | 2019-04-10
A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to…
- CVE-2019-0035 | MEDIUM | CVSS 6.8 | EG 6.8 | 2019-04-10
When "set system ports console insecure" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using "set system root-authentication plain-text-password" on systems booted from an OAM (Ope…
- CVE-2019-0072 | MEDIUM | CVSS 5.6 | EG 5.5 | 2019-10-09
An Unprotected Storage of Credentials vulnerability in the identity and access management certificate generation procedure allows a local attacker to gain access to confidential information. This issue affects: Juniper Networks SBR Carrier…
- CVE-2019-0120 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-05-17
Insufficient key protection vulnerability in silicon reference firmware for Intel(R) Pentium(R) Processor J Series, Intel(R) Pentium(R) Processor N Series, Intel(R) Celeron(R) J Series, Intel(R) Celeron(R) N Series, Intel(R) Atom(R) Proces…
- CVE-2019-0175 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-06-13
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2019-0178 | LOW | CVSS 3.6 | EG 3.6 | 2019-06-13
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2019-0179 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-06-13
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2019-0180 | MEDIUM | CVSS 4.4 | EG 4.4 | 2019-06-13
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2019-0182 | LOW | CVSS 3.3 | EG 3.3 | 2019-06-13
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2019-0183 | LOW | CVSS 3.3 | EG 3.3 | 2019-06-13
Insufficient password protection in the attestation database for Open CIT may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2019-0881 | HIGH | CVSS 7.8 | EG 7.8 | 2019-05-16
An elevation of privilege vulnerability exists when the Windows Kernel improperly handles key enumeration, aka 'Windows Kernel Elevation of Privilege Vulnerability'.
- CVE-2019-1000001 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-02-04
TeamPass version 2.1.27 and earlier contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords being recoverable server side. This attack appears to be exploitable via…
- CVE-2019-1003038 | HIGH | CVSS 7.8 | EG 7.8 | 2019-03-08
An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugi…
- CVE-2019-1003039 | HIGH | CVSS 8.8 | EG 8.8 | 2019-03-08
An insufficiently protected credentials vulnerability exists in Jenkins AppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission t…
- CVE-2019-1003045 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-03-28
A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configurat…
- CVE-2019-1003096 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-04-04
Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2019-1003097 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-04-04
Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-1010241 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-07-19
Jenkins Credentials Binding Plugin 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVari…
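Nine of the entries on this page (CVE-2018-20401 and CVE-2018-20438 through CVE-2018-20445) describe the same failure: Wi-Fi or login credentials readable through vendor-specific SNMP OIDs on cable gateways. The following is an added example, not code from this page or from any of the vendors named, that parses net-snmp `snmpwalk` output (one `oid = TYPE: value` line per object) and reports any of the OIDs quoted in those entries that a device actually answered. The sample walk lines and their values are constructed; the watchlist contains only the OIDs the entries quote, and the code makes no assumption about which OID holds the SSID and which the passphrase.

```python
import re

# OIDs quoted in the CVE-2018-20401 and CVE-2018-20438..20445 entries, in numeric form.
WATCHLIST = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
    "1.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32",
    "1.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001",
    "1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32",
}

# One net-snmp snmpwalk output line: "<oid> = <TYPE>: <value>".
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[\w-]+):\s*(?P<val>.*)$")


def normalize_oid(oid: str) -> str:
    """Map the OID spellings snmpwalk emits to dotted-numeric form so watchlist lookups match.

    Advisories write the same OID as "iso.3.6..." or "1.3.6..."; snmpwalk may also print
    "SNMPv2-SMI::enterprises.<n>..." when MIBs are loaded, or ".1.3.6..." with -On.
    """
    oid = oid.strip()
    if oid.startswith("SNMPv2-SMI::enterprises."):
        return "1.3.6.1.4.1." + oid[len("SNMPv2-SMI::enterprises."):]
    if oid.startswith("iso."):
        return "1." + oid[len("iso."):]
    return oid.lstrip(".")


def decode_value(typ: str, raw: str) -> str:
    """Turn the printed value back into text. Hex-STRING is how snmpwalk shows octet
    strings containing non-printable bytes (a trailing NUL is common on embedded devices)."""
    if typ == "STRING":
        return raw.strip().strip('"')
    if typ == "Hex-STRING":
        return bytes.fromhex(raw.replace(" ", "")).decode("latin-1").rstrip("\x00")
    return raw.strip()


def find_exposed_credentials(walk_output: str, watchlist=WATCHLIST):
    """Return (oid, value) for every watchlisted OID the device answered with a value."""
    hits = []
    for line in walk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = normalize_oid(m["oid"])
        if oid in watchlist:
            hits.append((oid, decode_value(m["type"], m["val"])))
    return hits


# Constructed sample walk (not captured from a real device); all values are invented.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.5.0 = STRING: "cable-gateway"
iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 = STRING: "HomeNet-2G"
iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 = Hex-STRING: 63 6F 72 72 65 63 74 68 6F 72 73 65 00
"""

if __name__ == "__main__":
    for oid, value in find_exposed_credentials(SAMPLE_WALK):
        print(f"EXPOSED {oid} -> {value!r}")
```

Feed it real output from `snmpwalk -v 2c -c <community> <host> 1.3.6.1.4.1 > walk.txt`; a hit obtained with a default or guessable community string, or from the WAN side, is the condition these entries report. Two limitations to keep in mind: snmpwalk wraps long Hex-STRING values across several lines and this parser reads only the first, and a watchlist only finds the OIDs already published, so for a new device model walk the whole enterprise subtree and review every readable string by hand. The fix on the device side is to stop exporting the secret in the MIB at all; restricting SNMP to the management interface and moving to SNMPv3 with authPriv limits who can read it in the meantime.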
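The two Foxit entries (CVE-2018-21237 and CVE-2018-21239) describe NTLM credential theft through GoToE or GoToR actions: a remote go-to action whose file specification points at a UNC path makes a Windows viewer open an SMB connection, and the OS authenticates to that host. The following is an added example, not Foxit's code or a published exploit, that scans raw PDF bytes for those two action subtypes and reports each file target, flagging the ones that point off the local disk. The sample document is constructed inline; the host address and file names in it are invented.

```python
import re

# "/S /GoToR" or "/S /GoToE": the action subtypes named in the Foxit entries.
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
# A literal-string file specification, "/F (...)" or "/UF (...)", honouring backslash escapes.
FILE_RE = re.compile(rb"/(?:F|UF)\s*\(((?:\\.|[^\\)])*)\)")

_SIMPLE_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def pdf_unescape(s: bytes) -> bytes:
    # Resolve PDF literal-string escapes. Inside the file, a UNC path \\host\share is
    # written as (\\\\host\\share); octal escapes are not handled in this example.
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i:i + 1] == b"\\" and i + 1 < len(s):
            nxt = s[i + 1:i + 2]
            out += _SIMPLE_ESCAPES.get(nxt, nxt)   # "\\", "\(", "\)" map to the char itself
            i += 2
        else:
            out += s[i:i + 1]
            i += 1
    return bytes(out)


def find_remote_actions(pdf: bytes):
    """Return (subtype, target, points_off_host) for each GoToR/GoToE action dictionary.

    The search for the file specification is bounded by the enclosing object's "endobj"
    so a target from a later object is never attributed to an action that lacks one.
    """
    findings = []
    for m in ACTION_RE.finditer(pdf):
        end = pdf.find(b"endobj", m.end())
        chunk = pdf[m.start(): end if end != -1 else len(pdf)]
        fm = FILE_RE.search(chunk)
        if not fm:
            continue
        target = pdf_unescape(fm.group(1)).decode("latin-1")
        off_host = target.startswith(("\\\\", "//"))   # UNC in either slash convention
        findings.append((m.group(1).decode(), target, off_host))
    return findings


# Constructed minimal PDF fragment (no xref table); object 2 carries the dangerous target.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 4 0 R /OpenAction 2 0 R >> endobj
2 0 obj << /Type /Action /S /GoToR /F (\\\\10.0.0.5\\share\\doc.pdf) /D [0 /Fit] >> endobj
3 0 obj << /Type /Action /S /GoToE /F (attachment.pdf) /T << /R /C /N (embedded) >> >> endobj
"""

if __name__ == "__main__":
    for subtype, target, off_host in find_remote_actions(SAMPLE_PDF):
        print(f"{subtype:6} {'REMOTE' if off_host else 'local '} {target}")
```

Objects stored inside compressed object streams are invisible to a byte scan; normalise the file first with `qpdf --qdf --object-streams=disable in.pdf out.pdf` and scan the output. Note that the action here is triggered by the document's `/OpenAction`, so no click is required, which is why a viewer that follows such targets without prompting is the vulnerable configuration.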
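The Jenkins plugin entries above (CVE-2019-1003038, CVE-2019-1003039, CVE-2019-1003045, CVE-2019-1003096, CVE-2019-1003097 and CVE-2019-1010241) share one root cause: a plugin wrote a password or API token into a job or global `config.xml` as a plain string instead of a `hudson.util.Secret`, so anyone with Extended Read permission or file-system access to the master could recover it. The following is an added example, not code from Jenkins or from any of those plugins, that walks a `config.xml` and reports secret-looking elements whose value is not in the encrypted `{base64}` form that `Secret` serialises to. The sample XML, the plugin class name and the values in it are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Element names that usually carry a secret; a heuristic, extend it for the plugins you run.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|token|apikey|api_key|credential)", re.I)
# hudson.util.Secret serialises as "{<base64 ciphertext>}"; anything else is plaintext.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_reference(tag: str) -> bool:
    # "<credentialsId>" holds the ID of an entry in the Credentials plugin store, not a secret.
    return tag.lower().endswith("id")


def find_plaintext_secrets(config_xml: str):
    """Return (path, value) for every secret-looking element stored unencrypted."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if (SECRET_NAME_RE.search(elem.tag) and not is_reference(elem.tag)
                and text and not ENCRYPTED_RE.match(text)):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return findings


# Constructed job config.xml fragment: one plaintext password, one properly encrypted token,
# one credentials reference that must not be reported.
SAMPLE_CONFIG = """\
<project>
  <publishers>
    <example.plugin.Publisher>
      <url>https://artifacts.example.test</url>
      <username>ci-deployer</username>
      <password>Summer2019!</password>
      <apiToken>{AQAAABAAAAAQf3p1c2hlcmtleXNlY3JldGJ5dGVzYWJjZGVmZ2hpams=}</apiToken>
      <credentialsId>deploy-creds</credentialsId>
    </example.plugin.Publisher>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"PLAINTEXT {path} = {value!r}")
```

Run it over `$JENKINS_HOME/config.xml` and every `$JENKINS_HOME/jobs/*/config.xml`. A hit means the value is readable by anyone who can fetch the job's `config.xml` (Item/Extended Read) or the master's disk, which is exactly the exposure the entries describe; encrypted `{...}` values are still recoverable by an administrator with the master's key, so the durable fix is for the plugin to reference a Credentials plugin entry by ID rather than store the secret in the job at all.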
Map vulnerabilities like CWE-522 to your infrastructure
EchelonGraph correlates every CVE — across CWE-522 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.