86 matches found
HCL AION Information Disclosure Vulnerability (CNVD-2026-16403)
HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from an information disclosure vulnerability that stems from the password field not disabling autocomplete, which can be exploited by an attacker to cause sensitive credentials to be stored or disclosed...
CVE-2025-52623
HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects...
CVE-2025-52623 HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability
HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects...
PT-2026-5901
Name of the Vulnerable Software and Affected Versions HCL AION version 2.0 Description HCL AION is susceptible to an issue where the autocomplete attribute is not disabled for password fields. This can allow the autocomplete function to store or reveal sensitive credentials, potentially leading t...
CVE-2025-43542
CVE-2025-43542 affects Apple devices via a state-management issue that can cause password fields to be revealed when a device is remotely controlled over FaceTime. Affected products/versions include iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Tahoe 26.2, an...
PT-2025-51023
Name of the Vulnerable Software and Affected Versions macOS Sequoia versions prior to 15.7.3 Description A flaw exists in FaceTime on macOS Sequoia that could lead to the unintentional revelation of password fields when remotely controlling a device. The issue was caused by inconsistent user...
Jenkins is missing a permission check on password fields
A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views...
GHSA-P3F5-98CV-562J Jenkins is missing a permission check on password fields
A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views...
CVE-2025-52493
PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from...
CVE-2025-52493
PagerDuty Runbook (through 2025-06-12) stores secret values in the configuration page DOM. Although fields appear masked, secrets are present in the page source and can be revealed by changing input type from password to text via browser dev tools. Exploitation is described as possible by adminis...
CVE-2025-52493
PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from...
EUVD-2025-199915
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...
CVE-2025-13615 StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...
PT-2025-48376
Name of the Vulnerable Software and Affected Versions StreamTube Core plugin for WordPress versions up to and including 4.78 Description The StreamTube Core plugin for WordPress is susceptible to Arbitrary User Password Change. This occurs because the plugin grants user-controlled access to...
Weak-password Policy Bypass
novosga/novosga is vulnerable to weak-password policy bypass. The vulnerability is due to improper validation of the Senha/Confirmação da Senha fields in the User Creation Page /novosga.users/new, which allows an attacker to remotely exploit the weak password policy, though with high complexity a...
CVE-2025-43360
The issue was addressed with improved UI. This issue is fixed in iOS 26 and iPadOS 26. Password fields may be unintentionally revealed...
CVE-2025-43360
The issue was addressed with improved UI. This issue is fixed in iOS 26 and iPadOS 26. Password fields may be unintentionally revealed...
CVE-2025-43360
CVE-2025-43360 affects Apple iOS and iPadOS Authentication Services. The issue allowed a password field to be unintentionally revealed due to a UI-related vulnerability. Root cause and affected component are described in the public CVE; Apple fixed the issue in iOS 26 and iPadOS 26 with an improv...
GHSA-495J-H493-42Q2 Strapi Allows Unauthorized Access to Private Fields via parms.lookup
Summary It's possible to access any private fields by filtering through the lookup parameters Details Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields. PoC 1. Create a strapi app. 2. Create a...
EUVD-2020-12595
Malware in sbrugna...