167 matches found
CVE-2023-27132
The CVE-2023-27132 entry targets TSplus Remote Work: version 16.0.0.0 stores a cleartext password on the var pass line of the HTML source code for the secure single sign-on web portal. Connected sources corroborate that credentials are stored in plaintext within the HTML of the login page (e.g., ...
CVE-2023-31069
An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page...
CVE-2023-31069
TSplus Remote Access (up to version 16.0.2.14) contains a credential exposure in which passwords are stored as cleartext in the HTML source of the login page. This is documented across multiple sources (NVD/Red Hat/PRION entries) and confirms the root cause is cleartext credential storage on the ...
Code injection
BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the...
CVE-2022-45895
Planet eStream before 6.72.10.07 discloses sensitive information, related to the ON cookie (findable in HTML source code for Default.aspx in some situations) and the WhoAmI endpoint (e.g., path disclosure)...
CVE-2022-45895
Planet eStream exposes sensitive information in versions prior to 6.72.10.07 due to issues involving the ON cookie (findable in Default.aspx HTML source) and the WhoAmI endpoint (path disclosure). The CVE-2022-45895 entry consolidates this information as a user-notification-style vulnerability wi...
Design/Logic Flaw
In Ivanti Pulse Secure Pulse Connect Secure PCS before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role...
CVE-2021-44720
In Ivanti Pulse Secure Pulse Connect Secure PCS before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role...
CVE-2021-44720
Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12 stores administrator passwords in the HTML source of the Maintenance > Push Configuration > Targets > Target Name screen (targets.cgi). This enables a read-only administrative user to escalate to a read-write administrative rol...
Dolibarr CRM allows Privilege Escalation
Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code...
Jenkins allows attackers to obtain passwords by reading the HTML source code
The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value...
CVE-2022-26148
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the apijsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in...
Information disclosure
An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searchin...
Missouri Vows to Prosecute ‘Hacker’ Who Informed State About Data Leak
The St. Louis Post-Dispatch newspaper recently found a huge security blunder: The Missouri educational agency’s site was displaying 100,000+ clearly visible Social-Security numbers for school teachers, administrators and counselors in its HTML source code. The newspaper verified its findings with...
CVE-2021-3017
The web interface on Intelbras WIN 300 and WRN 342 devices through 2021-01-04 allows remote attackers to discover credentials by reading the defwirelesspassword line in the HTML source code...
Code injection
The web interface on Intelbras WIN 300 and WRN 342 devices through 2021-01-04 allows remote attackers to discover credentials by reading the defwirelesspassword line in the HTML source code...