Total
275 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-31825 | 1 Inageya | 1 Inageya | 2023-07-25 | N/A | 7.5 HIGH |
| An issue found in Inageya v.13.4.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Inageya function. | |||||
| CVE-2023-31819 | 1 Livre | 1 Keisei Store | 2023-07-25 | N/A | 7.5 HIGH |
| An issue found in KEISEI STORE Co, Ltd. LIVRE KEISEI v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp function. | |||||
| CVE-2023-31820 | 1 Shizutetsu | 1 Shizutetsu Store | 2023-07-25 | N/A | 7.5 HIGH |
| An issue found in Shizutetsu Store v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp function. | |||||
| CVE-2023-31822 | 1 Entetsu | 1 Entetsu Store | 2023-07-25 | N/A | 7.5 HIGH |
| An issue found in Entetsu Store v.13.4.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Entetsu Store function. | |||||
| CVE-2023-30561 | 1 Bd | 2 Alaris 8015 Pcu, Alaris 8015 Pcu Firmware | 2023-07-25 | N/A | 6.1 MEDIUM |
| The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running. | |||||
| CVE-2023-37943 | 1 Jenkins | 1 Active Directory | 2023-07-20 | N/A | 5.9 MEDIUM |
| Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials. | |||||
| CVE-2023-37192 | 1 Bitcoin | 1 Bitcoin Core | 2023-07-17 | N/A | 7.5 HIGH |
| Memory management and protection issues in Bitcoin Core v22 allows attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing. | |||||
| CVE-2021-27764 | 1 Hcltech | 1 Bigfix Webui | 2023-06-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI) | |||||
| CVE-2022-21940 | 1 Johnsoncontrols | 1 Metasys System Configuration Tool | 2023-06-27 | N/A | 6.1 MEDIUM |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. | |||||
| CVE-2022-4409 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-06-27 | N/A | 7.5 HIGH |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. | |||||
| CVE-2022-24045 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2023-06-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information. | |||||
| CVE-2022-4683 | 1 Usememos | 1 Memos | 2023-06-23 | N/A | 6.5 MEDIUM |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. | |||||
| CVE-2023-33849 | 3 Hp, Ibm, Linux | 5 Hp-ux, Aix, Cics Tx and 2 more | 2023-06-15 | N/A | 3.7 LOW |
| IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, CICS TX Advanced 10.1, and 11.1 could transmit sensitive information in query parameters that could be intercepted using man in the middle techniques. IBM X-Force ID: 257105. | |||||
| CVE-2023-28045 | 1 Dell | 1 Cloudiq Collector | 2023-05-26 | N/A | 7.1 HIGH |
| Dell CloudIQ Collector version 1.10.2 contains a missing encryption of sensitive data vulnerability. An attacker with low privileges could potentially exploit this vulnerability, leading to gain access to unauthorized data. | |||||
| CVE-2019-19090 | 1 Hitachienergy | 1 Esoms | 2023-05-16 | 3.5 LOW | 3.5 LOW |
| For ABB eSOMS versions 4.0 to 6.0.2, the Secure Flag is not set in the HTTP response header. Unencrypted connections might access the cookie information, thus making it susceptible to eavesdropping. | |||||
| CVE-2023-28841 | 1 Mobyproject | 1 Moby | 2023-04-14 | N/A | 6.8 MEDIUM |
| Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation. Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees. It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster. | |||||
| CVE-2022-38458 | 1 Netgear | 2 Rbs750, Rbs750 Firmware | 2023-03-28 | N/A | 5.9 MEDIUM |
| A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. | |||||
| CVE-2018-10690 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 4.3 MEDIUM | 8.1 HIGH |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials. | |||||
| CVE-2018-10694 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 4.3 MEDIUM | 8.1 HIGH |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well. | |||||
| CVE-2018-10698 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user. | |||||