When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password. Reference: CVE-2022-26306 - LibreOffice. An issue was discovered in YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft's Active Directory. This issue affects: Apache OpenOffice versions prior to 4.1.13. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same, which weakens the security of the encryption, making them vulnerable if an attacker has access to the user's configuration data. The stored passwords are encrypted with a single master key provided by the user. Reference: CVE-2022-26307 - LibreOffice. Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. A flaw in OpenOffice existed where the master key was poorly encoded, resulting in weakening its entropy from 128 to 43 bits, making the stored passwords vulnerable to a brute force attack if an attacker has access to the user's stored config. This issue affects Apache ShenYu 2.4.2 and 2.4.3. Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. In TOTOLINK A860R V4.1.2cu.5182_B20201027 there is a hard coded password for root in /etc/shadow.sample. Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This hardcoded password is hashed but stored within the config.php file server-side as well as in clear-text on the Android client device by default. An unauthenticated remote attacker can access, modify system data or disrupt service. Bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. Le-yan Personnel and Salary Management System has hard-coded database account and password within the website source code. This issue affects: Linksys MR8300 Router 1.0.
The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file in the device. By specifying username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. This passcode is only four digits, far below typical length/complexity for a user account's password. UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be used for a privileged shell via Sudo. SysAid Help Desk before 22.1.65 allows XSS in the Password Services module, aka FR# 67241.