Vulnerabilities (CVE)

Filtered by CWE-319 (Cleartext Transmission of Sensitive Information)
Total 828 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-33022 1 Philips 4 Myvue, Speech, Vue Motion and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
Philips Vue PACS versions 12.2.x.x and prior transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CVE-2021-32982 1 Automationdirect 40 C0-10are-d, C0-10are-d Firmware, C0-10dd1e-d and 37 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 send passwords as plaintext during unlocking and project transfers. An attacker who has network visibility can observe the password exchange.
CVE-2021-32966 1 Philips 1 Interoperability Solution Xds 2024-11-21 4.3 MEDIUM 3.7 LOW
Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials.
CVE-2021-32934 1 Throughtek 1 Kalay P2p Software Development Kit 2024-11-21 5.0 MEDIUM 9.1 CRITICAL
The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC connection, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.
CVE-2021-32612 1 I-doo 1 Veryfitpro 2024-11-21 4.3 MEDIUM 8.1 HIGH
The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android does all communication with the backend API over cleartext HTTP. This includes logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing.
CVE-2021-32456 1 Sitel-sa 2 Remote Cap\/prx, Remote Cap\/prx Firmware 2024-11-21 3.3 LOW 6.5 MEDIUM
SITEL CAP/PRX firmware version 5.2.01 allows an attacker with access to the local network of the device to obtain the authentication passwords by analysing the network traffic.
CVE-2021-31898 1 Jetbrains 1 Webstorm 2024-11-21 5.0 MEDIUM 7.5 HIGH
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
CVE-2021-31815 1 Google 1 Google\/apple Exposure Notifications 2024-11-21 2.1 LOW 3.3 LOW
GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news ...
CVE-2021-31671 1 Pgsync Project 1 Pgsync 2024-11-21 5.0 MEDIUM 7.5 HIGH
pgsync before 0.6.7 is affected by Information Disclosure of sensitive information. Syncing the schema with the --schema-first and --schema-only options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.
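
A connection string can lose its TLS setting through exactly the kind of mishandling the pgsync entry describes, so any tool that copies or rewrites DSNs should check the result before connecting. The Python below is an added example, not pgsync's code: it ranks libpq sslmode values, treats an absent sslmode as libpq's default `prefer` (which falls back to cleartext when the server does not offer TLS), and fails closed when a derived DSN ends up weaker than `verify-full`. The host, user and database names are placeholders, and the key=value parser assumes unquoted values.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# libpq sslmode values from weakest to strongest. "prefer" (the default) silently
# falls back to cleartext when the server does not offer TLS, and "require" does
# not verify the certificate, so only the last two actually resist interception.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
MINIMUM = "verify-full"


def _rank(mode: str) -> int:
    return SSLMODES.index(mode)


def check_dsn(dsn: str, minimum: str = MINIMUM) -> str:
    """Return the effective sslmode of a PostgreSQL DSN, raising if it is weaker
    than `minimum`. Accepts URL form (postgres://...?sslmode=x) and key=value form
    (host=... sslmode=x); quoted values in the latter are not handled here."""
    if dsn.startswith(("postgres://", "postgresql://")):
        params = dict(parse_qsl(urlsplit(dsn).query))
    else:
        params = dict(kv.split("=", 1) for kv in dsn.split() if "=" in kv)
    mode = params.get("sslmode", "prefer")  # libpq default when unspecified
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    if _rank(mode) < _rank(minimum):
        raise ValueError(
            f"sslmode={mode} allows cleartext or unverified TLS; need at least {minimum}"
        )
    return mode


def copy_dsn_preserving_tls(src: str, new_dbname: str) -> str:
    """Derive a DSN for another database while keeping every query parameter of
    the original (sslmode included), then fail closed if TLS did not survive.
    Dropping the query string here is the kind of parameter loss that leads to
    an unintended cleartext connection."""
    parts = urlsplit(src)
    query = dict(parse_qsl(parts.query))
    rebuilt = urlunsplit(
        (parts.scheme, parts.netloc, "/" + new_dbname, urlencode(query), parts.fragment)
    )
    check_dsn(rebuilt)
    return rebuilt


if __name__ == "__main__":
    src = "postgres://app:secret@db.example.internal:5432/app?sslmode=verify-full"
    print(check_dsn(src))
    print(copy_dsn_preserving_tls(src, "app_shadow"))
```

Run `check_dsn` on both the source and every derived connection string; a DSN that "works" is not evidence that it used TLS, because `prefer` connects either way.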
CVE-2021-29769 3 Ibm, Linux, Microsoft 3 I2 Analyze, Linux Kernel, Windows 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 202769.
CVE-2021-29753 1 Ibm 2 Business Automation Workflow, Business Process Manager 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
IBM Business Automation Workflow 18, 19, 20, 21 and IBM Business Process Manager 8.5 and 8.6 transmit or store authentication credentials using an insecure method that is susceptible to unauthorized interception and/or retrieval.
CVE-2021-29397 1 Globalnorthstar 1 Northstar Club Management 2024-11-21 5.0 MEDIUM 7.5 HIGH
Cleartext Transmission of Sensitive Information in /northstar/Admin/login.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows an attacker on the network path to intercept user credentials transmitted in cleartext over HTTP.
CVE-2021-28509 1 Arista 45 7050cx3-32s, 7050cx3m-32s, 7050sx3-48c8 and 42 more 2024-11-21 3.6 LOW 6.1 MEDIUM
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak MACsec sensitive data in clear text in CVP to other authorized users, which could cause MACsec traffic to be decrypted or modified by other authorized users on the device.
CVE-2021-28508 1 Arista 45 7050cx3-32s, 7050cx3m-32s, 7050sx3-48c8 and 42 more 2024-11-21 3.6 LOW 6.8 MEDIUM
This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols. The impact of this vulnerability is that, in certain conditions, TerminAttr might leak IPsec sensitive data in clear text in CVP to other authorized users, which could cause IPsec traffic to be decrypted or modified by other authorized users on the device.
CVE-2021-27924 1 Couchbase 1 Couchbase Server 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in Couchbase Server 6.x through 6.6.1. The Couchbase Server UI is insecurely logging session cookies in the logs. This allows for the impersonation of a user if the log files are obtained by an attacker before a session cookie expires.
CVE-2021-27574 1 Remotemouse 1 Emote Remote Mouse 2024-11-21 6.8 MEDIUM 8.1 HIGH
An issue was discovered in Emote Remote Mouse through 4.0.0.0. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings.
CVE-2021-27569 1 Remotemouse 1 Emote Remote Mouse 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can maximize or minimize the window of a running process by sending the process name in a crafted packet. This information is sent in cleartext and is not protected by any authentication logic.
CVE-2021-27422 1 Ge 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
In GE UR firmware versions prior to 8.1x, the web server interface is served over HTTP. It allows sensitive information exposure without authentication.
CVE-2021-27251 1 Netgear 84 Br200, Br200 Firmware, Br500 and 81 more 2024-11-21 8.3 HIGH 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of firmware updates. The issue results from a fallback to an insecure protocol to deliver updates. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-12308.
CVE-2021-27209 1 Tp-link 2 Archer C5v, Archer C5v Firmware 2024-11-21 3.6 LOW 7.1 HIGH
In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP.
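
The Automation Direct, SITEL, NorthStar and TP-Link entries above come down to the same thing: whoever can see the packets can read the credentials, and base64 does not change that, because it is an encoding, not a cipher. The Python below is an added example, not code from any of those vendors or from this database. The HTTP exchange it parses is constructed, with made-up host, user names and passwords, and the login field names it looks for (`username`, `password` and a few aliases) are an assumption about typical forms.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample of a login over plain HTTP as a passive observer on the same
# network segment would see it. Host, user names and passwords are made up.
CAPTURED_HTTP = """\
POST /cgi-bin/login HTTP/1.1
Host: 192.0.2.10
Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

username=operator&password=Winter2021!
"""

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
# Assumed field names for typical login forms; extend for the application at hand.
USER_KEYS = ("username", "user", "login", "email")
PASSWORD_KEYS = {"password", "passwd", "pwd", "pass"}


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Reverse an HTTP Basic token. Base64 is encoding, not encryption: anyone
    holding the bytes gets user:password back. Returns None on malformed input."""
    try:
        user, _, pwd = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pwd


def extract_credentials(http_text: str) -> List[Dict[str, str]]:
    """Recover every credential a cleartext HTTP request exposes to a sniffer:
    Basic Authorization headers and form-encoded login bodies."""
    found: List[Dict[str, str]] = []
    for token in BASIC_RE.findall(http_text):
        creds = decode_basic(token)
        if creds:
            found.append({"source": "basic-auth", "user": creds[0], "password": creds[1]})
    # The body starts after the first blank line; form fields are as readable as headers.
    head, sep, body = http_text.partition("\n\n")
    if sep and "application/x-www-form-urlencoded" in head.lower():
        fields = parse_qs(body.strip(), keep_blank_values=True)
        user = next((fields[k][0] for k in USER_KEYS if k in fields), "")
        for key, values in fields.items():
            if key.lower() in PASSWORD_KEYS:
                found.append({"source": "form", "user": user, "password": values[0]})
    return found


if __name__ == "__main__":
    for c in extract_credentials(CAPTURED_HTTP):
        print(f"{c['source']}: {c['user']} / {c['password']}")
```

Point the same logic at a real capture (for example the output of `tcpdump -A` on the management VLAN) and the mitigation writes itself: the interface has to be served over TLS, since no client-side encoding of the password compensates for a cleartext channel.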
CVE-2021-27194 2 Microsoft, Netop 2 Windows, Vision Pro 2024-11-21 3.3 LOW 8.8 HIGH
Cleartext transmission of sensitive information in Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to gather credentials including Windows login usernames and passwords.
CVE-2021-25643 1 Couchbase 1 Couchbase Server 2024-11-21 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator privileges, @cbq-engine-cbauth and @index-cbauth, leak credentials in cleartext in the indexer.log file when they make a /listCreateTokens, /listRebalanceTokens, or /listMetadataTokens call.
CVE-2021-23896 1 Mcafee 1 Database Security 2024-11-21 2.7 LOW 3.2 LOW
Cleartext Transmission of Sensitive Information vulnerability in the administrator interface of McAfee Database Security (DBSec) prior to 4.8.2 allows an administrator to view the unencrypted password of the McAfee Insights Server used to pass data to the Insights Server. This user is restricted to only have access to DBSec data in the Insights Server.
CVE-2021-23884 1 Mcafee 1 Content Security Reporter 2024-11-21 2.7 LOW 4.3 MEDIUM
Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only user used to retrieve log files for analysis in CSR.
CVE-2021-23846 1 Bosch 2 B426, B426 Firmware 2024-11-21 4.3 MEDIUM 8.8 HIGH
When using the HTTP protocol, the user password is transmitted as a cleartext parameter that an attacker can obtain through a MITM attack. This will be fixed starting from Firmware version 3.11.5, which will be released on the 30th of June, 2021.
CVE-2021-23018 1 F5 1 Nginx Controller 2024-11-21 5.8 MEDIUM 7.4 HIGH
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster.
CVE-2021-22946 8 Apple, Debian, Fedoraproject and 5 more 37 Macos, Debian Linux, Fedora and 34 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possi ...
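
The curl entry is a STARTTLS downgrade: the client asked for TLS, the server answered with something legitimate but not a go-ahead, and the client carried on in cleartext. The Python below is an added example, not curl's code, showing the fail-closed shape a "TLS required" client needs: credentials go on the wire only after the upgrade command is answered positively and the handshake itself completes. It models POP3 STLS against a scripted stand-in server (no network), and the TLS wrapping step is injected so that the handshake failure case can be exercised offline; the user name and password are made up.

```python
import ssl
from typing import Callable, List, Tuple


class ScriptedServer:
    """Constructed stand-in for a POP3 server (not a real socket): replays canned
    responses so the client logic runs offline, and records what the client sends."""

    def __init__(self, responses: List[str]):
        self._responses = list(responses)
        self.received: List[str] = []

    def readline(self) -> str:
        return self._responses.pop(0) if self._responses else ""

    def sendline(self, line: str) -> None:
        self.received.append(line)


class DowngradeRefused(Exception):
    """Raised whenever the client would otherwise continue in cleartext."""


def pop3_login_requiring_tls(server, username: str, password: str,
                             upgrade: Callable[[object], object]) -> bool:
    """Fail-closed STARTTLS: send credentials only after STLS received +OK and
    the TLS handshake completed. `upgrade` wraps the transport in TLS; for a
    real socket it would be ssl.create_default_context().wrap_socket(sock,
    server_hostname=host)."""
    greeting = server.readline()
    if not greeting.startswith("+OK"):
        raise DowngradeRefused(f"unexpected greeting {greeting!r}")
    server.sendline("STLS")
    reply = server.readline()
    # A syntactically legitimate -ERR, an empty line, or any other non-positive
    # reply must end the session here; carrying on without TLS is the bug class.
    if not reply.startswith("+OK"):
        raise DowngradeRefused(f"server declined STLS: {reply!r}")
    try:
        server = upgrade(server)
    except ssl.SSLError as exc:
        raise DowngradeRefused(f"TLS handshake failed: {exc}") from exc
    server.sendline(f"USER {username}")
    server.sendline(f"PASS {password}")
    return server.readline().startswith("+OK") and server.readline().startswith("+OK")


def attempt(responses: List[str], handshake_ok: bool = True) -> Tuple[bool, List[str]]:
    """Drive one scripted session; returns (logged_in, lines the client transmitted)."""
    server = ScriptedServer(responses)

    def upgrade(transport):
        if not handshake_ok:
            raise ssl.SSLError("handshake failed")
        return transport  # same object: the script does no real wrapping

    try:
        return pop3_login_requiring_tls(server, "alice", "s3cret", upgrade), server.received
    except DowngradeRefused:
        return False, server.received


if __name__ == "__main__":
    print(attempt(["+OK POP3 ready", "+OK Begin TLS negotiation", "+OK", "+OK Logged in"]))
    print(attempt(["+OK POP3 ready", "-ERR TLS not available"]))
    print(attempt(["+OK POP3 ready", "+OK go ahead"], handshake_ok=False))
```

The property worth checking in any client is the one the second and third calls exercise: after a refused or failed upgrade the transmitted lines must stop at `STLS`, with no `USER` or `PASS` ever sent.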
CVE-2021-22923 6 Fedoraproject, Haxx, Netapp and 3 more 23 Fedora, Curl, Cloud Backup and 20 more 2024-11-21 2.6 LOW 5.3 MEDIUM
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents, often contrary to the user's expectations and intentions and without telling the user it happened.
CVE-2021-22703 1 Schneider-electric 20 Powerlogic Ion7400, Powerlogic Ion7400 Firmware, Powerlogic Ion7650 and 17 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts HTTP network traffic between a user and the device.
CVE-2021-22702 1 Schneider-electric 24 Powerlogic Ion7300, Powerlogic Ion7300 Firmware, Powerlogic Ion7400 and 21 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts Telnet network traffic between a user and the device.
CVE-2021-22380 1 Huawei 1 Emui 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
There is a Cleartext Transmission of Sensitive Information Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service confidentiality and availability.
CVE-2021-22325 1 Huawei 2 Emui, Magic Ui 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
There is an Information Disclosure vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may result in video streams being intercepted during transmission.
CVE-2021-21387 1 Wrongthink 1 Wrongthink 2024-11-21 5.0 MEDIUM 8.1 HIGH
Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in ...
CVE-2021-21270 1 Octopus 1 Octopusdsc 2024-11-21 2.1 LOW 6.2 MEDIUM
OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002.
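
The Couchbase indexer.log, Couchbase UI session cookie and OctopusDSC API key entries share one root cause: a secret reaches a log file because nothing sits between the log call and the handler. The Python below is an added example, not code from Couchbase or Octopus Deploy: a `logging.Filter` that masks cookie and Authorization headers, key=value or JSON style passwords, API keys and tokens, and userinfo passwords embedded in URLs before any handler writes the record. The regexes are illustrative patterns rather than a complete inventory of secret formats, and the log lines used to exercise them are constructed.

```python
import logging
import re
from typing import List, Pattern, Tuple

# Illustrative patterns for secrets that commonly leak into application logs.
# Each entry is (compiled pattern, replacement); order matters only for speed.
_SECRET_PATTERNS: List[Tuple[Pattern[str], str]] = [
    # Cookie / Set-Cookie headers: the whole value is sensitive, mask all of it.
    (re.compile(r"(?i)(\b(?:set-)?cookie:\s*)([^\r\n]+)"), r"\1<redacted>"),
    # Bearer and Basic Authorization headers.
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+"), r"\1<redacted>"),
    # key=value or "key": "value" forms for passwords, API keys and tokens.
    (re.compile(r'(?i)\b((?:api[_-]?key|password|passwd|token)["\']?\s*[=:]\s*)(["\']?)[^\s"\'&,;]+\2'),
     r"\1\2<redacted>\2"),
    # scheme://user:password@host, the form credentials take inside URLs.
    (re.compile(r"(?i)(\b[a-z][a-z0-9+.-]*://[^/\s:@]+:)[^@\s]+(@)"), r"\1<redacted>\2"),
]


def redact(message: str) -> str:
    """Return the message with every recognised secret value masked."""
    for pattern, repl in _SECRET_PATTERNS:
        message = pattern.sub(repl, message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message so no handler ever sees the secret.
    Attach it to the root logger's handlers so it also covers third-party code."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above; prevent a second % formatting
        return True


def render(msg: str, *args) -> str:
    """Run one record through RedactingFilter and return what a handler would write."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return logging.Formatter("%(levelname)s %(message)s").format(record)


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    log = logging.getLogger("demo")
    # Constructed lines in the style of the leaks this list describes.
    log.info("UI request Cookie: ui-auth=8f3a1c9d; theme=dark")
    log.info("indexer calling http://svc:s3cret@10.0.0.5:9102/listCreateTokens")
    log.info("connecting to Octopus with apiKey=API-EXAMPLEKEY0000000000")
```

Redaction at the filter is a backstop, not the fix: the lasting correction is to stop passing credentials into log statements at all, and to rotate any key or cookie that has already been written to disk.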
CVE-2021-20992 1 Fibaro 4 Home Center 2, Home Center 2 Firmware, Home Center Lite and 1 more 2024-11-21 5.0 MEDIUM 8.1 HIGH
Fibaro Home Center 2 and Home Center Lite devices, in all versions, provide a web-based management interface over the unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped on to hijack sessions, tokens and passwords.
CVE-2021-20623 1 Panasonic 1 Video Insight Vms 2024-11-21 10.0 HIGH 9.8 CRITICAL
Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a specially crafted request.
CVE-2021-20599 1 Mitsubishielectric 16 R08psfcpu, R08psfcpu Firmware, R08sfcpu and 13 more 2024-11-21 5.0 MEDIUM 9.1 CRITICAL
Cleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to log in to a target CPU module by obtaining credentials other than the password.
CVE-2021-20564 1 Ibm 1 Cloud Pak For Security 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 199235.
CVE-2021-20409 2 Ibm, Linux 2 Security Verify Information Queue, Linux Kernel 2024-11-21 5.0 MEDIUM 5.9 MEDIUM
IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 196188.
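
The IBM i2 Analyze, Cloud Pak for Security and Security Verify Information Queue entries describe two sides of the same downgrade: a cookie without the Secure attribute that the browser will send over any http:// link to the host, and a missing or weak Strict-Transport-Security header that leaves that first http:// request unprotected. The Python below is an added example, not IBM's code: it audits a response header list for both conditions. The headers it checks are constructed, and the one-year max-age floor is a common audit threshold, not a requirement stated in these entries.

```python
import re
from typing import List, Sequence, Tuple

Headers = Sequence[Tuple[str, str]]  # (name, value) pairs so repeated Set-Cookie survives

# Constructed response headers illustrating both weaknesses side by side.
SAMPLE_RESPONSE: Headers = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "JSESSIONID=8f3a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "authz=eyJ0eXAi; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

MIN_HSTS_AGE = 31536000  # one year; a common audit floor, not a protocol requirement


def audit_hsts(headers: Headers) -> List[str]:
    """Flag a missing HSTS header, a malformed or short max-age, and a missing
    includeSubDomains directive."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["HSTS header missing: the first request over http:// is never upgraded"]
    findings: List[str] = []
    directives = {
        d.strip().split("=")[0].lower(): d.strip() for d in values[0].split(";") if d.strip()
    }
    match = re.fullmatch(r"max-age=(\d+)", directives.get("max-age", ""), re.I)
    if not match:
        findings.append("HSTS present but max-age missing or malformed")
    elif int(match.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {match.group(1)} is below {MIN_HSTS_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains; cookies scoped to subdomains can still leak")
    return findings


def audit_cookies(headers: Headers) -> List[str]:
    """Flag every Set-Cookie that lacks Secure (sent over http://) or HttpOnly."""
    findings: List[str] = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, rest = value.partition("=")
        attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(
                f"cookie {cookie_name!r} lacks Secure: the browser sends it on any http:// link to this host"
            )
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly")
    return findings


def audit(headers: Headers) -> List[str]:
    """Combined report; an empty list means both checks passed."""
    return audit_hsts(headers) + audit_cookies(headers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("-", finding)
```

Both fixes belong on the server: set `Secure` (and `HttpOnly`) on session and authorization cookies, and send `Strict-Transport-Security: max-age=31536000; includeSubDomains` on every HTTPS response so the browser refuses to follow the planted http:// link in the first place.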
CVE-2021-20335 1 Mongodb 1 Ops Manager 2024-11-21 4.1 MEDIUM 6.7 MEDIUM
For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In ad ...