An Cleartext Storage of Sensitive Information issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow a remote attacker to access an encryption key that is stored in cleartext in memory.
Exposure of senstive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.
In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
metakv in Couchbase Server 7.0.0 uses Cleartext for Storage of Sensitive Information. Remote Cluster XDCR credentials can get leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0. This issue happens when a config key, which is being logged, has a tombstone purger time-stamp attached to it.
In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary.
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
The "Photo,Video Locker-Calculator" application 12.0 for Android has android:allowBackup="true" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup '-f smart.calculator.gallerylock'" command.
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service. This vulnerability affects Hubs Cloud < mozillareality/reticulum/1.0.1/20210428201255.
Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird < 78.8.1.
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the default configuration of client side sessions results in unencrypted, but signed, data being set as cookie values. This means that if something sensitive goes into the session, it could be read by something with access to the cookies. For this to be a vulnerability, some kind of sensitive data would need to be stored in the session and the session cookie would have to leak. For example, the cookies are not configured with httpOnly and an adjacent XSS vulnerability within the site allowed capture of the cookies. As of version 1.9.0, a securely randomly generated signing key is used. As a workaround, one may supply an encryption key, as per the documentation recommendation.
A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs.
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions.
An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions.
" Insecure password storage issue.The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Since the information is stored in cleartext, attackers could potentially read it and gain access to sensitive information."
An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to find passwords and authentication cookies stored in cleartext in the web.log HTTP logs.
In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie.
An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. Passwords are stored in unencrypted source-code text files. This was noted when accessing the svc-login.php file. The value is used to authenticate a high-privileged user upon authenticating with the server.
IBM Robotic Process Automation 21.0.1 and 21.0.2 could disclose sensitive version to an unauthorized control sphere information that could aid in further attacks against the system. IBM X-Force ID: 234292.
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
Incorrect Access Control in Autumn v1.0.4 and earlier allows remote attackers to obtain clear-text login credentials via the component "autumn-cms/user/getAllUser/?page=1&limit=10".
A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges.
UltraLog Express device management software stores user’s information in cleartext. Any user can obtain accounts information through a specific page.