Total
159 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-53669 | 1 Jenkins | 1 Vaddy | 2025-07-18 | 4.3 Medium |
| Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53665 | 1 Jenkins | 1 Apica Loadtest | 2025-07-18 | 4.3 Medium |
| Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53664 | 1 Jenkins | 1 Apica Loadtest | 2025-07-18 | 6.5 Medium |
| Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-53655 | 1 Jenkins | 1 Statistics Gatherer | 2025-07-18 | 5.3 Medium |
| Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it. | ||||
| CVE-2025-53660 | 1 Jenkins | 1 Qmetry Test Management | 2025-07-18 | 4.3 Medium |
| Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53656 | 1 Jenkins | 1 Readyapi Functional Testing | 2025-07-18 | 6.5 Medium |
| Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-53662 | 1 Jenkins | 1 Ifttt Build Notifier | 2025-07-18 | 6.5 Medium |
| Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-7357 | 2025-07-18 | N/A | ||
| LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access-credentials in cleartext in their system logs. | ||||
| CVE-2025-53671 | 2025-07-10 | 6.5 Medium | ||
| Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||||
| CVE-2025-53677 | 2025-07-10 | 5.3 Medium | ||
| Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it. | ||||
| CVE-2025-53674 | 2025-07-10 | 5.3 Medium | ||
| Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it. | ||||
| CVE-2025-53675 | 2025-07-10 | 6.5 Medium | ||
| Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2025-1709 | 2025-07-03 | 6.5 Medium | ||
| Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded). | ||||
| CVE-2024-23486 | 2 Buffalo, Buffalo Inc | 11 A2533dhp2, Wsr-2533dhp, Wsr-2533dhp2 and 8 more | 2025-06-30 | 9.8 Critical |
| Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product's login page may obtain configured credentials. | ||||
| CVE-2025-6560 | 2025-06-26 | 9.8 Critical | ||
| Multiple wireless router models from Sapido have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. The affected models are out of support; replacing the device is recommended. | ||||
| CVE-2025-6561 | 2025-06-26 | 9.8 Critical | ||
| Certain hybrid DVR models ((HBF-09KD and HBF-16NK)) from Hunt Electronic have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. | ||||
| CVE-2025-25985 | 1 Macro-video | 2 V380e6 C1, V380e6 C1 Firmware | 2025-06-25 | 2.6 Low |
| An issue in Macro-video Technologies Co.,Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via the /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/user_info.ini components. | ||||
| CVE-2024-22312 | 1 Ibm | 1 Storage Defender Resiliency Service | 2025-06-10 | 4.4 Medium |
| IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748. | ||||
| CVE-2025-5893 | 2025-06-09 | 9.8 Critical | ||
| Smart Parking Management System from Honding Technology has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access a specific page and obtain plaintext administrator credentials. | ||||
| CVE-2025-5760 | 2025-06-06 | 4.9 Medium | ||
| The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password. | ||||