| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module allow weak hashing algorithm and insecure permissions which may allow a local attacker to bypass the password-protected mechanism through brute-force attacks, cracking techniques, or overwriting the password hash. |
| An issue was discovered in Psyprax beforee 3.2.2. Passwords used to encrypt the data are stored in the database in an obfuscated format, which can be easily reverted. For example, the password AAAAAAAA is stored in the database as MMMMMMMM. |
| An issue was discovered in New Media Smarty before 9.10. Passwords are stored in the database in an obfuscated format that can be easily reversed. The file data.mdb contains these obfuscated passwords in the second column. NOTE: this is unrelated to the popular Smarty template engine product. |
| The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data. |
| JPaseto before 0.3.0 generates weak hashes when using v2.local tokens. |
| Reversible one-way hash in Intel(R) CSME versions before 11.8.76, 11.12.77 and 11.22.77 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access. |
| controller/fetchpwd.php and controller/doAction.php in Hotels_Server through 2018-11-05 rely on base64 in an attempt to protect password storage. |
| An issue was discovered on TP-Link TL-WR1043ND V2 devices. The credentials can be easily decoded and cracked by brute-force, WordList, or Rainbow Table attacks. Specifically, credentials in the "Authorization" cookie are encoded with URL encoding and base64, leading to easy decoding. Also, the username is cleartext, and the password is hashed with the MD5 algorithm (after decoding of the URL encoded string with base64). |
| IBM Qradar Advisor 1.1 through 2.5 with Watson uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 166206. |
| IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 161418. |
| IBM Maximo Anywhere 7.6.4.0 could allow an attacker to reverse engineer the application due to the lack of binary protection precautions. IBM X-Force ID: 160697. |
| IBM API Connect 5.0.0.0 through 5.0.8.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 159944. |
| IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158880. |
| IBM Security Access Manager 9.0.1 through 9.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158512. |
| IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158092. |
| A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0), SiNVR/SiVMS Video Server (All versions >= V5.0.0 < V5.0.2), SiNVR/SiVMS Video Server (All versions >= V5.0.2). The streaming service (default port 5410/tcp) of the SiVMS/SiNVR Video Server
applies weak cryptography when exposing device (camera) passwords.
This could allow an unauthenticated remote attacker to read and decrypt
the passwords and conduct further attacks. |
| A missing secure communication definition and an incomplete TLS validation in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.5SP, < 4.6.4 and < 4.7.2 enable unauthenticated users to perform MITM attacks via the B&R upgrade server. |
| ABB eSOMS versions 4.0 to 6.0.3 accept connections using medium strength ciphers. If a connection is enabled using such a cipher, an attacker might be able to eavesdrop and/or intercept the connection. |
| A key length vulnerability in the implementation of the SRTP 128-bit key on Mitel 6800 and 6900 SIP series phones, versions 5.1.0.2051 SP2 and earlier, could allow an attacker to launch a man-in-the-middle attack when SRTP is used in a call. A successful exploit may allow the attacker to intercept sensitive information. |
| An issue was found in Philips Veradius Unity, Pulsera, and Endura Dual WAN Router, Veradius Unity (718132) with wireless option (shipped between 2016-August 2018), Veradius Unity (718132) with ViewForum option (shipped between 2016-August 2018), Pulsera (718095) and Endura (718075) with wireless option (shipped between 26-June-2017 through 07-August 2018), Pulsera (718095) and Endura (718075) with ViewForum option (shipped between 26-June-2017 through 07-August 2018). The router software uses an encryption scheme that is not strong enough for the level of protection required. |
