Threats Tagged 'cwe-522'

AIOHTTP versions prior to 3.14.1 contain a vulnerability in DigestAuthMiddleware where an authentication response can be sent after following a cross-origin redirect. This may expose sensitive information such as user credentials if an attacker exploits an open redirect on the target domain. The vulnerability is fixed in version 3.14.1.

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.

CVE-2026-41715 is a medium severity vulnerability in Spring Reactor Netty HTTP client where credentials may be leaked during HTTP redirects from secure to insecure endpoints if the client is configured to follow redirects. This affects multiple versions of Reactor Netty from 1.0.0 through 1.3.5. The vulnerability involves insufficient protection of credentials in specific redirect scenarios.

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.

Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring. This issue affects SecHard: before 3.3.0.20220411.

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.

StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).

CVE-2026-49379 is a medium severity vulnerability in JetBrains TeamCity versions before 2026.1 where credentials could be exposed in thread names. This exposure could allow an attacker with network access and low privileges to obtain sensitive credential information. The vulnerability does not impact integrity or availability but has high confidentiality impact. No official patch or remediation guidance has been provided yet by the vendor.

CVE-2026-42951 is a medium severity vulnerability in the Danelec MacGregor Voyage Data Recorder (VDR) G4e. An authenticated user with low privileges can download a backup of the device, which contains account data and password hashes. This exposure could lead to unauthorized access if the password hashes are cracked. There is no official patch or remediation level provided at this time. The vulnerability requires authentication and high attack complexity, limiting immediate exploitation. No known exploits are reported in the wild.

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.