Total: 828 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-30565 | 1 Bd | 1 Guardrails Cqi Reporter | 2024-11-21 | N/A | 3.5 LOW | An insecure connection between Systems Manager and the CQI Reporter application could expose infusion data to an attacker. |
| CVE-2023-2754 | 1 Cloudflare | 1 Warp | 2024-11-21 | N/A | 7.4 HIGH | The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS servers, since WARP acts as a local DNS server that performs DNS queries in a secure manner. However, if a user is connected to WARP over an IPv6-capable network, the WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network, enabling an attacker to view DNS queries made by the device. |
| CVE-2023-28616 | 1 Stormshield | 1 Stormshield Network Security | 2024-11-21 | N/A | 7.5 HIGH | An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x before 4.7.1. It affects user accounts for which the password has an equals sign or space character. The serverd process logs such passwords in cleartext, and potentially sends these logs to the Syslog component. |
| CVE-2023-27861 | 1 Ibm | 1 Maximo Application Suite | 2024-11-21 | N/A | 5.9 MEDIUM | IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man-in-the-middle techniques. IBM X-Force ID: 249208. |
| CVE-2023-25848 | 1 Esri | 1 Arcgis Server | 2024-11-21 | N/A | 5.3 MEDIUM | ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed. |
| CVE-2023-24547 | 1 Arista | 5 7130, 7130-16g3s, 7130-48g3s and 2 more | 2024-11-21 | N/A | 5.9 MEDIUM | On affected platforms running Arista MOS, the configuration of a BGP password will cause the password to be logged in clear text that can be revealed in local logs or remote logging servers by authenticated users, as well as appear in clear text in the device's running config. |
| CVE-2023-23371 | 1 Qnap | 1 Qvpn | 2024-11-21 | N/A | 5.2 MEDIUM | A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.2.0.0823 and later. |
| CVE-2023-23130 | 1 Connectwise | 1 Automate | 2024-11-21 | N/A | 5.9 MEDIUM | Connectwise Automate 2022.11 is vulnerable to cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. |
| CVE-2023-22870 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-11-21 | N/A | 5.9 MEDIUM | IBM Aspera Faspex 5.0.5 transmits sensitive information in cleartext which could be obtained by an attacker using man-in-the-middle techniques. IBM X-Force ID: 244121. |
| CVE-2023-22863 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2024-11-21 | N/A | 5.9 MEDIUM | IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 244109. |
| CVE-2023-22806 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2024-11-21 | N/A | 7.5 HIGH | LS ELECTRIC XBC-DN32U with operating system version 01.80 transmits sensitive information in cleartext when communicating over its XGT protocol. This could allow an attacker to gain sensitive information such as user credentials. |
| CVE-2023-22597 | 1 Inhandnetworks | 4 Inrouter302, Inrouter302 Firmware, Inrouter615-s and 1 more | 2024-11-21 | N/A | 6.5 MEDIUM | InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-319: Cleartext Transmission of Sensitive Information. They use an unsecured channel to communicate with the cloud platform by default. An unauthorized user could intercept this communication and steal sensitive information such as configuration information and MQTT credentials; this could allow MQTT command injection. |
| CVE-2023-21220 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.5 HIGH | There is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-264590585. References: N/A |
| CVE-2023-21219 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.5 HIGH | There is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-264698379. References: N/A |
| CVE-2023-1831 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 7.2 HIGH | Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). |
| CVE-2023-1802 | 1 Docker | 1 Desktop | 2024-11-21 | N/A | 5.9 MEDIUM | In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected. |
| CVE-2023-0864 | 1 Abb | 16 Terra Ac Wallbox 80a, Terra Ac Wallbox 80a Firmware, Terra Ac Wallbox Ce Juno and 13 more | 2024-11-21 | N/A | 7.1 HIGH | Cleartext Transmission of Sensitive Information vulnerability in ABB Terra AC wallbox (UL40/80A), ABB Terra AC wallbox (UL32A), ABB Terra AC wallbox (CE) (Terra AC MID), ABB Terra AC wallbox (CE) Terra AC Juno CE, ABB Terra AC wallbox (CE) Terra AC PTB, ABB Terra AC wallbox (CE) Symbiosis, ABB Terra AC wallbox (JP). This issue affects Terra AC wallbox (UL40/80A): from 1.0;0 through 1.5.5; Terra AC wallbox (UL32A): from 1.0;0 through 1.6.5; Terra AC wallbox (CE) (Terra AC MID): from 1.0;0 through ... |
| CVE-2023-0055 | 1 Pyload | 1 Pyload | 2024-11-21 | N/A | 5.3 MEDIUM | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. |
| CVE-2023-0053 | 1 Sauter-controls | 11 Bacnetstac, Modunet300 Ey-am300f001, Modunet300 Ey-am300f001 Firmware and 8 more | 2024-11-21 | N/A | 7.5 HIGH | SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior have only FTP and Telnet available for device management. Any sensitive information communicated through these protocols, such as credentials, is sent in cleartext. An attacker could obtain sensitive information such as user credentials to gain access to the system. |
| CVE-2023-0001 | 2 Microsoft, Paloaltonetworks | 2 Windows, Cortex Xdr Agent | 2024-11-21 | N/A | 6.0 MEDIUM | An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent. |
| CVE-2022-47895 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | N/A | 4.7 MEDIUM | In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files. |
| CVE-2022-47892 | 1 Riello-ups | 2 Netman 204, Netman 204 Firmware | 2024-11-21 | N/A | 5.3 MEDIUM | All versions of NetMan 204 could allow an unauthenticated remote attacker to read a file (config.cgi) containing sensitive information, like credentials. |
| CVE-2022-47560 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-11-21 | N/A | 5.7 MEDIUM | The lack of web request control on ekorCCP and ekorRCI devices allows a potential attacker to create custom requests to execute malicious actions when a user is logged in. |
| CVE-2022-46680 | 1 Schneider-electric | 10 Powerlogic Ion7400, Powerlogic Ion7400 Firmware, Powerlogic Ion8650 and 7 more | 2024-11-21 | N/A | 8.8 HIGH | A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic. |
| CVE-2022-45877 | 1 Openharmony | 1 Openharmony | 2024-11-21 | N/A | 8.3 HIGH | OpenHarmony-v3.1.4 and prior versions had a vulnerability. The PIN code is transmitted to the peer device in plain text during cross-device authentication, which reduces the difficulty of man-in-the-middle attacks. |
| CVE-2022-41983 | 1 F5 | 19 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 16 more | 2024-11-21 | N/A | 3.7 LOW | On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher are in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied. |
| CVE-2022-41636 | 1 Haascnc | 1 Haas Controller | 2024-11-21 | N/A | 9.1 CRITICAL | Communication traffic involving the "Ethernet Q Commands" service of Haas Controller version 100.20.000.1110 is transmitted in cleartext. This allows an attacker to obtain sensitive information being passed to and from the controller. |
| CVE-2022-41627 | 1 Alivecor | 6 Kardiamobile, Kardiamobile 6l, Kardiamobile 6l Firmware and 3 more | 2024-11-21 | N/A | 4.8 MEDIUM | The physical IoT device of AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG), has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone's ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up ... |
| CVE-2022-41327 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-11-21 | N/A | 7.8 HIGH | A cleartext transmission of sensitive information vulnerability [CWE-319] in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.8, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.8 allows an authenticated attacker with readonly superadmin privileges to intercept traffic in order to obtain other administrators' cookies via diagnose CLI commands. |
| CVE-2022-40693 | 1 Moxa | 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more | 2024-11-21 | N/A | 7.5 HIGH | A cleartext transmission vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. Specially-crafted network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. |
| CVE-2022-3929 | 1 Hitachienergy | 2 Foxman-un, Unem | 2024-11-21 | N/A | 8.3 HIGH | Communication between the client and the server application of the affected products is partially done using CORBA (Common Object Request Broker Architecture) over TCP/IP. This protocol is not encrypted and allows tracing of internal messages. This issue affects: FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM ... |
| CVE-2022-3261 | 1 Redhat | 1 Openstack Platform | 2024-11-21 | N/A | 4.4 MEDIUM | A flaw was found in OpenStack. Multiple components show plain-text passwords in /var/log/messages during the OpenStack overcloud update run, leading to a disclosure of sensitive information problem. |
| CVE-2022-39339 | 1 Nextcloud | 1 Openid Connect User Backend | 2024-11-21 | N/A | 4.3 MEDIUM | user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text over HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings ... |
| CVE-2022-39287 | 1 Tiny-csrf Project | 1 Tiny-csrf | 2024-11-21 | N/A | 8.1 HIGH | tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. |
| CVE-2022-39269 | 1 Pjsip | 1 Pjsip | 2024-11-21 | N/A | 9.1 CRITICAL | PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workar ... |
| CVE-2022-38846 | 1 Espocrm | 1 Espocrm | 2024-11-21 | N/A | 5.9 MEDIUM | EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag, allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using a MITM attack. |
| CVE-2022-38458 | 1 Netgear | 2 Rbs750, Rbs750 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM | A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. |
| CVE-2022-38122 | 1 Upspowercom | 1 Upsmon Pro | 2024-11-21 | N/A | 7.5 HIGH | UPSMON PRO transmits sensitive data in cleartext over the HTTP protocol. An unauthenticated remote attacker can exploit this vulnerability to access sensitive data. |
| CVE-2022-36200 | 1 Fiberhome | 2 Hg150-ub, Hg150-ub Firmware | 2024-11-21 | N/A | 7.5 HIGH | In FiberHome VDSL2 Modem HG150-Ub_V3.0, admin credentials are submitted in the URL, which can be logged or sniffed. |
| CVE-2022-34804 | 1 Jenkins | 1 Opsgenie | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. |