Total
828 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19316 | 1 Hashicorp | 1 Terraform | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP.
|
|||||
| CVE-2019-19251 | 1 Last.fm | 1 Last.fm Desktop | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts.
|
|||||
| CVE-2019-19127 | 1 Tribalgroup | 1 Sits\ | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
An authentication bypass vulnerability is present in the standalone SITS:Vision 9.7.0 component of Tribal SITS in its default configuration, related to unencrypted communications sent by the client each time it is launched. This occurs because the Uniface TLS Driver is not enabled by default. This vulnerability allows attackers to gain access to credentials or execute arbitrary SQL queries on the SITS backend as long as they have access to the client executable or can intercept traffic from a us ...
Show More |
|||||
| CVE-2019-19107 | 2 Abb, Busch-jaeger | 4 Tg\/s3.2, Tg\/s3.2 Firmware, 6186\/11 and 1 more | 2024-11-21 | 2.1 LOW | 6.2 MEDIUM |
|
The Configuration pages in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway for user profiles and services transfer the password in plaintext (although hidden when displayed).
|
|||||
| CVE-2019-18852 | 1 Dlink | 14 Dir-600 B1, Dir-600 B1 Firmware, Dir-615 J1 and 11 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or /etc/alpha_config/image_sign. This affects DIR-600 B1 V2.01 for WW, DIR-890L A1 v1.03, DIR-615 J1 v100 (for DCN), DIR-645 A1 v1.03, DIR-815 A1 v1.01, DIR-823 A1 v1.01, and DIR-842 C1 v3.00.
|
|||||
| CVE-2019-18800 | 1 Rakuten | 1 Viber | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
|
Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 20 bytes of udid in a binary format, which is located at offset 0x14 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone numb ...
Show More |
|||||
| CVE-2019-18285 | 1 Siemens | 1 Sppa-t3000 Application Server | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). The RMI communication between the client and the Application Server is unencrypted. An attacker with access to the communication channel can read credentials of a valid user. Please note that an attacker needs to have access to the Application Highway in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known ...
Show More |
|||||
| CVE-2019-18248 | 1 Biotronik | 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
|
BIOTRONIK CardioMessenger II, The affected products transmit credentials in clear-text prior to switching to an encrypted communication channel. An attacker can disclose the product’s client credentials for connecting to the BIOTRONIK Remote Communication infrastructure.
|
|||||
| CVE-2019-18231 | 1 Advantech | 2 Spectre Rt Ert351, Spectre Rt Ert351 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Advantech Spectre RT ERT351 Versions 5.1.3 and prior logins and passwords are transmitted in clear text form, which may allow an attacker to intercept the request.
|
|||||
| CVE-2019-18201 | 1 Fujitsu | 2 Lx390, Lx390 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, an attacker is able to eavesdrop on sensitive data such as passwords.
|
|||||
| CVE-2019-18199 | 1 Fujitsu | 2 Lx390, Lx390 Firmware | 2024-11-21 | 6.9 MEDIUM | 6.6 MEDIUM |
|
An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, and because of password-based authentication, they are vulnerable to replay attacks.
|
|||||
| CVE-2019-17393 | 1 Tomedo | 1 Server | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and password.
|
|||||
| CVE-2019-17356 | 1 Infinitestudio | 1 Infinite Design | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network.
|
|||||
| CVE-2019-17218 | 1 Vzug | 2 Combi-stream Mslq, Combi-stream Mslq Firmware | 2024-11-21 | 5.0 MEDIUM | 9.1 CRITICAL |
|
An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the communication to the web service is unencrypted via http. An attacker is able to intercept and sniff communication to the web service.
|
|||||
| CVE-2019-16924 | 1 Nuvending | 1 Nulock | 2024-11-21 | 3.3 LOW | 8.8 HIGH |
|
The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock.
|
|||||
| CVE-2019-16732 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
|
Unencrypted HTTP communications for firmware upgrades in Petalk AI and PF-103 allow man-in-the-middle attackers to run arbitrary code as the root user.
|
|||||
| CVE-2019-16672 | 1 Weidmueller | 80 Ie-sw-pl08m-6tx-2sc, Ie-sw-pl08m-6tx-2sc Firmware, Ie-sw-pl08m-6tx-2scs and 77 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Sensitive Credentials data is transmitted in cleartext.
|
|||||
| CVE-2019-16568 | 1 Jenkins | 1 Sctmexecutor | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations.
|
|||||
| CVE-2019-16545 | 1 Qmetry | 1 Jenkins Qmetry For Jira | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
|
|||||
| CVE-2019-16274 | 1 Dten | 4 D5, D5 Firmware, D7 and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
DTEN D5 before 1.3 and D7 before 1.3 devices transfer customer data files via unencrypted HTTP.
|
|||||
| CVE-2019-16067 | 1 Netsas | 1 Enigma Network Management Solution | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over HTTP for enforcing access control to the web application. The use of weak authentication transmitted over cleartext protocols can allow an attacker to steal username and password combinations by intercepting authentication traffic in transit.
|
|||||
| CVE-2019-16063 | 1 Netsas | 1 Enigma Network Management Solution | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data rendered within web pages. It is possible for an attacker to expose unencrypted sensitive data.
|
|||||
| CVE-2019-15911 | 1 Asus | 14 As-101, As-101 Firmware, Dl-101 and 11 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Because of insecure key transport in ZigBee communication, attackers can obtain sensitive information, cause the multiple denial of service attacks, take over smart home devices, and tamper with messages.
|
|||||
| CVE-2019-15635 | 1 Grafana | 1 Grafana | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
|
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" ...
Show More |
|||||
| CVE-2019-15626 | 1 Trendmicro | 1 Deep Security | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
|
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.
|
|||||
| CVE-2019-15135 | 1 Omg | 1 Dds Security | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network.
|
|||||
| CVE-2019-14959 | 1 Jetbrains | 1 Toolbox | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection.
|
|||||
| CVE-2019-14954 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.
|
|||||
| CVE-2019-14808 | 1 Renpho | 1 Renpho | 2024-11-21 | 4.0 MEDIUM | 6.8 MEDIUM |
|
An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).
|
|||||
| CVE-2019-14664 | 2 Enigmail, Fedoraproject | 2 Enigmail, Fedora | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mecha ...
Show More |
|||||
| CVE-2019-14319 | 3 Apple, Google, Tiktok | 3 Iphone Os, Android, Tiktok | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
The TikTok (formerly Musical.ly) application 12.2.0 for Android and iOS performs unencrypted transmission of images, videos, and likes. This allows an attacker to extract private sensitive information by sniffing network traffic.
|
|||||
| CVE-2019-13498 | 1 Oneidentity | 1 Cloud Access Manager | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
|
One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.
|
|||||
| CVE-2019-13394 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP.
|
|||||
| CVE-2019-12967 | 1 Themooltipass | 1 Moolticute | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Stephan Mooltipass Moolticute through 0.42.1 (and possibly earlier versions) has Incorrect Access Control.
|
|||||
| CVE-2019-12820 | 1 Jisiwei | 2 I3, I3 Firmware | 2024-11-21 | 4.3 MEDIUM | 5.6 MEDIUM |
|
A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner. Actions performed on the app such as changing a password, and personal information it communicates with the server, use unencrypted HTTP. As an example, while logging in through the app to a Jisiwei account, the login request is being sent in cleartext. The vulnerability exists in both the Android and iOS version of the app. An attacker could exploit this by using an MiTM attack on the local network to obta ...
Show More |
|||||
| CVE-2019-12813 | 1 Crossmatch | 2 Digital Persona U.are.u 4500, Digital Persona U.are.u 4500 Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Reader v24. The key and salt used for obfuscating the fingerprint image exhibit cleartext when the fingerprint scanner device transfers a fingerprint image to the driver. An attacker who sniffs an encrypted fingerprint image can easily decrypt that image using the key and salt.
|
|||||
| CVE-2019-12781 | 3 Canonical, Debian, Djangoproject | 3 Ubuntu Linux, Debian Linux, Django | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.
|
|||||
| CVE-2019-12506 | 1 Logitech | 2 R700 Laser Presentation Remote, R700 Laser Presentation Remote Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
|
Due to unencrypted and unauthenticated data communication, the wireless presenter Logitech R700 Laser Presentation Remote R-R0010 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
|
|||||
| CVE-2019-12505 | 1 Inateck | 2 Wp1001, Wp1001 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
|
Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP1001 v1.3C is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
|
|||||
| CVE-2019-12504 | 1 Inateck | 2 Wp2002, Wp2002 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
|
Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP2002 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
|
|||||