16 matches found

Veracode
added 2026/05/16 5:31 a.m.

Exposure Of Sensitive Information

io.github.davidalmeidac, sealed-env-core is vulnerable to Exposure of Sensitive Information. The vulnerability is due to embedding the operator’s plaintext TOTP secret in the base64-encoded JWS payload of minted unseal tokens, which allows an attacker to decode observed tokens from logs,...

CVSS 9.1 | AI score 5.8 | EPSS 0.00326
Exploits: 1 | References: 1 | Affected Software: 2
OSV
added 2026/05/06 8:50 a.m.

BIT-PROMETHEUS-2026-42151 Prometheus Azure AD remote write OAuth client secret exposed via config API

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...

CVSS 7.5 | AI score 5.8 | EPSS 0.00314
Exploits: 0 | References: 6
ATTACKERKB
added 2026/04/17 8:35 a.m.

CVE-2025-15622

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secret. Desktop client decodes the secret and uses the plaintext secret to exchange it for access and id tokens as part of the OpenID authentication fl...

CVSS 6.2 | AI score 5.8 | EPSS 0.00155
Exploits: 0 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/04/17 8:35 a.m.

CVE-2025-15622 Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secret. Desktop client decodes the secret and uses the plaintext secret to exchange it for access and id tokens as part of the OpenID authentication fl...

CVSS 6.2 | AI score 5.8 | EPSS 0.00155
Exploits: 0 | References: 1
Positive Technologies
added 2026/04/17 12:00 a.m.

PT-2026-33423

Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secret. Desktop client decodes the secret and uses the plaintext secret to exchange it for access and id tokens as part of the OpenID authentication fl...

CVSS 6.2 | AI score 5.8 | EPSS 0.00155
Exploits: 0 | References: 2
Positive Technologies
added 2026/03/25 12:00 a.m.

PT-2026-28082

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.123.23; n8n versions prior to 2.6.4
Description: An authenticated user lacking the necessary permissions could access secrets stored in connected vaults by referencing them by name when saving credentials. This bypasses t...

CVSS 7.3 | AI score 5.8 | EPSS 0.0026
Exploits: 0 | References: 8
RedhatCVE
added 2025/05/22 10:36 p.m.

CVE-2022-27221

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown strin...

CVSS 5.9 | AI score 6.7 | EPSS 0.00907
Exploits: 0 | References: 1
SUSE CVE
added 2025/01/10 12:23 a.m.

SUSE CVE-2024-56362

Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. Th...

CVSS 5.5 | AI score 6.8 | EPSS 0.0015
Exploits: 0 | References: 4
AlpineLinux
added 2024/12/23 6:15 p.m.

CVE-2024-56362

Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. Th...

CVSS 7.1 | AI score 7.2 | EPSS 0.0015
Exploits: 0 | References: 3
Github Security Blog
added 2023/12/08 3:38 p.m.

dbt-core's secret env vars written to package-lock.json in plaintext

Impact: When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with the PAT in plaintext to the package-lock.yml file.
Patches: The bug has been fixed in dbt-core v1.7.3.
Mitigations: Remove any git URLs with plaintext secrets...

AI score 7.4
Exploits: 0 | References: 4 | Affected Software: 1
NVD
added 2022/06/14 10:15 a.m.

CVE-2022-27221

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown strin...

CVSS 5.9 | EPSS 0.00907
Exploits: 0 | References: 2
Cvelist
added 2022/06/14 9:21 a.m.

CVE-2022-27221

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown strin...

CVSS 5.9 | AI score 5.9 | EPSS 0.00907
Exploits: 0 | References: 2
CVE
added 2022/06/14 9:21 a.m.

CVE-2022-27221

CVE-2022-27221 – Siemens SINEMA Remote Connect Server is a BREACH-style encryption leakage vulnerability affecting all versions before 3.1. The issue arises in the way an attacker in a man-in-the-middle could observe length differences in a sequence of guesses to infer plaintext secret values fro...

CVSS 5.9 | AI score 5.6 | EPSS 0.00907
Exploits: 0 | References: 2 | Affected Software: 1
Prion
added 2020/02/21 6:15 p.m.

Design/Logic Flaw

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of...

CVSS 4.3 | AI score 6.4 | EPSS 0.06049
Exploits: 3 | References: 12 | Affected Software: 14
Cvelist
added 2020/02/21 5:11 p.m.

CVE-2013-3587

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of...

AI score 5 | EPSS 0.06049
Exploits: 2 | References: 12
Prion
added 2020/01/14 3:15 p.m.

Cross site request forgery (CSRF)

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value,...

CVSS 5 | AI score 7.7 | EPSS 0.03915
Exploits: 0 | References: 24 | Affected Software: 13