Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-37879

Summary
Assigner-NCSC.ch
Assigner Org ID-455daabc-a392-441d-aa46-37d35189897c
Published At-12 Sep, 2023 | 08:15
Updated At-24 Sep, 2024 | 20:47
Rejected At-
Credits

Exposed Session Variable in Wing FTP Server <= 7.2.0

Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:NCSC.ch
Assigner Org ID:455daabc-a392-441d-aa46-37d35189897c
Published At:12 Sep, 2023 | 08:15
Updated At:24 Sep, 2024 | 20:47
Rejected At:
▼CVE Numbering Authority (CNA)
Exposed Session Variable in Wing FTP Server <= 7.2.0

Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.

Affected Products
Vendor
Wing FTP Server
Product
Wing FTP Server
Default Status
affected
Versions
Affected
  • <= 7.2.0
Problem Types
TypeCWE IDDescription
CWECWE-922CWE-922 Insecure Storage of Sensitive Information
Type: CWE
CWE ID: CWE-922
Description: CWE-922 Insecure Storage of Sensitive Information
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-410CAPEC-410 Information Elicitation
CAPEC ID: CAPEC-410
Description: CAPEC-410 Information Elicitation
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Thomas Felder
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wftpserver.com/serverhistory.htm
N/A
Hyperlink: https://www.wftpserver.com/serverhistory.htm
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wftpserver.com/serverhistory.htm
x_transferred
Hyperlink: https://www.wftpserver.com/serverhistory.htm
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vulnerability@ncsc.ch
Published At:12 Sep, 2023 | 09:15
Updated At:15 Sep, 2023 | 00:06

Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CPE Matches
wftpserver
wftpserver
>>wing_ftp_server>>Versions up to 7.2.0(inclusive)
cpe:2.3:a:wftpserver:wing_ftp_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-922Primarynvd@nist.gov
CWE-922Secondaryvulnerability@ncsc.ch
CWE ID: CWE-922
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-922
Type: Secondary
Source: vulnerability@ncsc.ch
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.wftpserver.com/serverhistory.htmvulnerability@ncsc.ch
Release Notes
Vendor Advisory
Hyperlink: https://www.wftpserver.com/serverhistory.htm
Source: vulnerability@ncsc.ch
Resource:
Release Notes
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

67Records found
CVE-2024-48783
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.36%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 00:00
Updated-04 Dec, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Ruijie NBR3000D-E Gateway allows a remote attacker to obtain sensitive information via the /tool/shell/postgresql.conf component.

Action-Not Available
Vendor-n/aRuijie Networks Co., Ltd.
Product-nbr3000d-e_firmwarenbr3000d-en/a
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-48353
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.18% / 39.60%
||
7 Day CHG+0.03%
Published-01 Nov, 2024 | 00:00
Updated-07 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Yealink Meeting Server before V26.0.0.67 allows attackers to obtain static key information from a front-end JS file and decrypt the plaintext passwords based on the obtained key information.

Action-Not Available
Vendor-n/aYealink Network Technology Co., Ltd
Product-yealink_meeting_servern/ameeting_server
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2023-3064
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
ShareView Details
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
CVSS Score-7.5||HIGH
EPSS-0.09% / 26.08%
||
7 Day CHG~0.00%
Published-05 Jun, 2023 | 08:24
Updated-08 Jan, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mobatime mobile application - Sensitive information disclosure

Anonymous user may get the list of existing users managed by the application, that could ease further attacks (see CVE-2023-3065 and 3066)This issue affects Mobatime mobile application AMXGT100 through 1.3.20.

Action-Not Available
Vendor-mobatimeMobatime
Product-amxgt_100Mobatime mobile application AMXGT100
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-47197
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.30% / 52.44%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 08:01
Updated-17 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials

Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the issue. Archetype integration testing creates a file called ./target/classes/archetype-it/archetype-settings.xml This file contains all the content from the users ~/.m2/settings.xml file, which often contains information they do not want to publish. We expect that on many developer machines, this also contains credentials. When the user runs mvn verify again (without a mvn clean), this file becomes part of the final artifact. If a developer were to publish this into Maven Central or any other remote repository (whether as a release or a snapshot) their credentials would be published without them knowing.

Action-Not Available
Vendor-The Apache Software Foundation
Product-maven_archetypeMaven Archetype Plugin
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2022-40959
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.30%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefox_esrthunderbirdfirefoxThunderbirdFirefox ESRFirefox
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2022-28168
Matching Score-4
Assigner-Brocade Communications Systems, LLC
ShareView Details
Matching Score-4
Assigner-Brocade Communications Systems, LLC
CVSS Score-7.5||HIGH
EPSS-0.30% / 52.71%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 17:52
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords.

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-sannavBrocade SANnav
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-44175
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.31% / 53.87%
||
7 Day CHG+0.05%
Published-28 Oct, 2024 | 21:08
Updated-30 Oct, 2024 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1. An app may be able to access sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOSmacos
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2024-47043
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.7||HIGH
EPSS-0.12% / 31.13%
||
7 Day CHG+0.02%
Published-06 Dec, 2024 | 18:12
Updated-10 Dec, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie Reyee OS Insecure Storage of Sensitive Information

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user's phone number and part of the email address.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-reyee_osReyee OSreyee_os
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-56948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.94%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 00:00
Updated-28 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in KuGou Technology CO. LTD KuGou Music iOS v20.0.0 allows attackers to access sensitive user information via supplying a crafted link.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-56957
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.94%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 00:00
Updated-28 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Kingsoft Office Software Corporation Limited WPS Office iOS 12.20.0 allows attackers to access sensitive user information via supplying a crafted link.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-56955
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.94%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 00:00
Updated-28 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Tencent Technology (Shenzhen) Company Limited QQMail iOS 6.6.4 allows attackers to access sensitive user information via supplying a crafted link.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-56952
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.94%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 00:00
Updated-28 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Beijing Baidu Netcom Science & Technology Co Ltd Baidu Lite app (iOS version) 6.40.0 allows attackers to access user information via supplying a crafted link.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-56959
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.94%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 00:00
Updated-28 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Mashang Consumer Finance Co., Ltd Anyihua iOS 3.6.2 allows attackers to access sensitive user information via supplying a crafted link.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-54728
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 18.57%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 00:00
Updated-03 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unauthorized attackers to access system logcat logs.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2024-48939
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.20% / 42.67%
||
7 Day CHG+0.02%
Published-11 Nov, 2024 | 00:00
Updated-19 Nov, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient validation performed on the REST API License file in Paxton Net2 before 6.07.14023.5015 (SR4) enables use of the REST API with an invalid License File. Attackers may be able to retrieve access-log data.

Action-Not Available
Vendor-n/apaxton-access
Product-n/anet2
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2021-28813
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.38% / 58.30%
||
7 Day CHG~0.00%
Published-10 Sep, 2021 | 04:00
Updated-17 Sep, 2024 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficiently Protected Credentials Vulnerability in QSW-M2116P-2T2S and QuNetSwitch

A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qgd-3014ptqunetswitchqgd-1602pqsw-m2116p-2t2sqgd-1600pqsw-m2116p-2t2s_firmwareQSW-M2116P-2T2SQuNetSwitch
CWE ID-CWE-798
Use of Hard-coded Credentials
CWE ID-CWE-522
Insufficiently Protected Credentials
CWE ID-CWE-259
Use of Hard-coded Password
CWE ID-CWE-922
Insecure Storage of Sensitive Information
CVE-2020-7000
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.08% / 25.43%
||
7 Day CHG~0.00%
Published-03 Apr, 2020 | 17:50
Updated-04 Aug, 2024 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow an unauthenticated attacker to discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface.

Action-Not Available
Vendor-visamVISAM
Product-vbase_web-remotevbase_editorVBASE Web-Remote ModuleVBASE Editor
CWE ID-CWE-922
Insecure Storage of Sensitive Information
  • Previous
  • 1
  • 2
  • Next
Details not found