Total
640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-6526 | 1 Moxa | 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more | 2021-11-03 | 5.0 MEDIUM | 9.8 CRITICAL |
| Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version 3.8 and prior, EDS-408A series Version 3.8 and prior, and EDS-510A series Version 3.8 and prior use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password. | |||||
| CVE-2019-19107 | 2 Abb, Busch-jaeger | 4 Tg\/s3.2, Tg\/s3.2 Firmware, 6186\/11 and 1 more | 2021-11-03 | 2.1 LOW | 5.5 MEDIUM |
| The Configuration pages in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway for user profiles and services transfer the password in plaintext (although hidden when displayed). | |||||
| CVE-2019-5448 | 1 Yarnpkg | 1 Yarn | 2021-11-03 | 4.3 MEDIUM | 8.1 HIGH |
| Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network. | |||||
| CVE-2019-3801 | 1 Cloudfoundry | 3 Cf-deployment, Credhub, Uaa Release | 2021-10-29 | 5.0 MEDIUM | 9.8 CRITICAL |
| Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component. | |||||
| CVE-2019-10240 | 1 Eclipse | 1 Hawkbit | 2021-10-28 | 6.8 MEDIUM | 8.1 HIGH |
| Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected. | |||||
| CVE-2021-0296 | 1 Juniper | 1 Ctpview | 2021-10-25 | 5.8 MEDIUM | 7.4 HIGH |
| The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served over HTTPS. The lack of HSTS may leave the system vulnerable to downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue affects Juniper Networks CTPView: 7.3 versions prior to 7.3R7; 9.1 versions prior to 9.1R3. | |||||
| CVE-2021-39882 | 1 Gitlab | 1 Gitlab | 2021-10-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. | |||||
| CVE-2021-40847 | 1 Netgear | 22 R6400v2, R6400v2 Firmware, R6700 and 19 more | 2021-10-07 | 9.3 HIGH | 8.1 HIGH |
| The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68. | |||||
| CVE-2020-20128 | 1 Laracms Project | 1 Laracms | 2021-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| LaraCMS v1.0.1 transmits sensitive information in cleartext which can be intercepted by attackers. | |||||
| CVE-2020-1902 | 1 Whatsapp | 2 Whatsapp, Whatsapp Business | 2021-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| A user running a quick search on a highly forwarded message on WhatsApp for Android from v2.20.108 to v2.20.140 or WhatsApp Business for Android from v2.20.35 to v2.20.49 could have been sent to the Google service over plain HTTP. | |||||
| CVE-2017-9035 | 1 Trendmicro | 1 Serverprotect | 2021-09-09 | 5.8 MEDIUM | 7.4 HIGH |
| Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attackers to eavesdrop and tamper with updates by leveraging unencrypted communications with update servers. | |||||
| CVE-2021-25643 | 1 Couchbase | 1 Couchbase Server | 2021-09-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Couchbase Server 5.x and 6.x before 6.5.2 and 6.6.x before 6.6.2. Internal users with administrator privileges, @cbq-engine-cbauth and @index-cbauth, leak credentials in cleartext in the indexer.log file when they make a /listCreateTokens, /listRebalanceTokens, or /listMetadataTokens call. | |||||
| CVE-2021-33883 | 1 Bbraun | 3 Infusomat Large Volume Pump 871305u, Spacecom2, Spacestation 8713142u | 2021-09-01 | 5.0 MEDIUM | 7.5 HIGH |
| A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration. | |||||
| CVE-2021-38373 | 1 Kde | 1 Kmail | 2021-08-20 | 3.5 LOW | 5.3 MEDIUM |
| In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. | |||||
| CVE-2021-29769 | 3 Ibm, Linux, Microsoft | 3 I2 Analyze, Linux Kernel, Windows | 2021-08-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 202769. | |||||
| CVE-2019-19898 | 1 Ixpdata | 1 Easyinstall | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| In IXP EasyInstall 6.2.13723, there are cleartext credentials in network communication on TCP port 20050 when using the Administrator console remotely. | |||||
| CVE-2020-5899 | 1 F5 | 1 Nginx Controller | 2021-07-21 | 4.6 MEDIUM | 7.8 HIGH |
| In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code. | |||||
| CVE-2020-35584 | 1 Mersive | 2 Solstice Pod, Solstice Pod Firmware | 2021-07-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the web services and obtain any information the user supplies, including Administrator passwords and screen keys. | |||||
| CVE-2020-15062 | 1 Digitus | 2 Da-70254, Da-70254 Firmware | 2021-07-21 | 3.3 LOW | 8.8 HIGH |
| DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic. | |||||
| CVE-2020-15054 | 1 Tp-link | 2 Tl-ps310u, Tl-ps310u Firmware | 2021-07-21 | 3.3 LOW | 8.8 HIGH |
| TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic. | |||||