Vulnerabilities (CVE)

Filtered by CWE-311 (Missing Encryption of Sensitive Data)
Total: 446 CVEs; this page lists 20 of them, most recently updated first
Columns: CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v2 (score, severity) | CVSS v3 (score, severity)
CVE-2021-27783 1 Hcltech 2 Bigfix Mobile, Bigfix Modern Client Management 2022-06-07 4.0 MEDIUM 6.5 MEDIUM
A user-generated PPKG file for Bulk Enroll may expose unencrypted sensitive information.
CVE-2020-8150 1 Nextcloud 1 Nextcloud Server 2022-05-24 1.9 LOW 4.1 MEDIUM
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
CVE-2022-27225 1 Gradle 1 Enterprise 2022-03-22 4.3 MEDIUM 6.5 MEDIUM
Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.
CVE-2020-7567 1 Schneider-electric 2 Modicon M221, Modicon M221 Firmware 2022-02-04 2.9 LOW 5.7 MEDIUM
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 (all references, all versions) that could allow an attacker to recover the password hash once the attacker has captured the traffic between the EcoStruxure Machine - Basic software and the Modicon M221 controller and has broken the encryption keys.
CVE-2022-0183 1 Kingjim 4 Mirupass Pw10, Mirupass Pw10 Firmware, Mirupass Pw20 and 1 more 2022-01-26 2.1 LOW 4.6 MEDIUM
Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 firmware all versions and 'MIRUPASS' PW20 firmware all versions allows an attacker who can physically access the device to obtain the stored passwords.
CVE-2020-9057 2 Linear, Silabs 5 Wadwaz-1, Wapirz-1, 100 Series Firmware and 2 more 2022-01-18 8.3 HIGH 8.8 HIGH
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption, allowing an attacker within radio range to take control of or cause a denial of service to a vulnerable device. An attacker can also capture and replay Z-Wave traffic. Firmware upgrades cannot directly address this vulnerability as it is an issue with the Z-Wave specification for these legacy chipsets. One way to protect against this vulnerability is to use 500 or 700 series chipsets that support Security 2 (S2) encryption. As examples, the Linear WADWAZ-1 version 3.43 and WAPIRZ-1 version 3.43 (with 300 series chipsets) are vulnerable.
CVE-2020-9058 4 Dome, Jasco, Linear and 1 more 4 Dm501, Zw4201, Lb60z-1 and 1 more 2022-01-18 4.8 MEDIUM 8.1 HIGH
Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation, including but likely not limited to the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05, do not implement encryption or replay protection.
CVE-2019-16206 1 Broadcom 1 Brocade Sannav 2022-01-01 2.1 LOW 5.5 MEDIUM
The authentication mechanism in Brocade SANnav versions before v2.0 logs plaintext account credentials at the 'trace' and 'debug' logging levels, which could allow a local authenticated attacker to access sensitive information.
CVE-2020-10273 4 Aliasrobotics, Enabled-robotics, Mobile-industrial-robotics and 1 more 20 Mir100, Mir1000, Mir1000 Firmware and 17 more 2021-12-21 5.0 MEDIUM 7.5 HIGH
MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property and data.
CVE-2020-15771 1 Gradle 2 Enterprise, Enterprise Cache Node 2021-12-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of the cookie containing the CSRF token allows a remote attacker to bypass the CSRF mitigation.
CVE-2020-15767 1 Gradle 1 Enterprise 2021-12-21 2.6 LOW 5.3 MEDIUM
An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the 'secure' attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it if the user mistakenly uses an HTTP instead of an HTTPS address to access the server. This cookie value could then be used to perform CSRF.
CVE-2020-10267 1 Universal-robots 4 Ur10, Ur3, Ur5 and 1 more 2021-12-20 5.0 MEDIUM 7.5 HIGH
Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under '/root/.urcaps' as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property.
CVE-2020-10124 1 Ncr 2 Aptra Xfs, Selfserv Atm 2021-12-20 4.4 MEDIUM 7.1 HIGH
NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery.
CVE-2021-37189 1 Digi 12 Transport Wr11, Transport Wr11 Firmware, Transport Wr11 Xt and 9 more 2021-12-14 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.
CVE-2021-36189 1 Fortinet 1 Forticlient Enterprise Management Server 2021-12-10 4.0 MEDIUM 4.9 MEDIUM
A missing encryption of sensitive data vulnerability in Fortinet FortiClientEMS version 7.0.1 and below and version 6.4.4 and below allows an attacker to disclose information by inspecting data decrypted in the browser.
CVE-2021-37050 1 Huawei 3 Emui, Harmonyos, Magic Ui 2021-12-09 5.0 MEDIUM 7.5 HIGH
There is a Missing Sensitive Data Encryption vulnerability in Huawei smartphones. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2019-4471 2 Ibm, Netapp 2 Cognos Analytics, Oncommand Insight 2021-12-01 4.0 MEDIUM 6.5 MEDIUM
IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an HTTPS session. A remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 163780.
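The four cookie entries on this page (CVE-2022-27225, CVE-2020-15767, CVE-2021-37189 and CVE-2019-4471) share one mechanism: a cookie carrying a session, identity or CSRF token is issued without the Secure attribute, so the browser will also attach it to an http:// request for the same host. The audit below is an added example, not code from this page or from any of the vendors listed. It parses Set-Cookie header values, flags sensitive-looking cookies that lack Secure, and also flags the duplicate-cookie pattern described under CVE-2022-27225 (the same token issued twice, once with Secure and once without). The sample headers, cookie names and values are constructed for the example; the "sensitive name" regex is a heuristic, not a standard.

```python
"""Audit Set-Cookie headers for cookies that a browser would also send over
plain HTTP (CWE-311: the cookie lacks the Secure attribute)."""
import re
from dataclasses import dataclass, field

# Heuristic (assumption for this example): names that usually carry a
# session, identity or CSRF token.
SENSITIVE_NAME = re.compile(r"sess|auth|token|csrf|xsrf|identity|remember", re.I)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (minimal RFC 6265 syntax).
    Only the first '=' splits name from value, so 'a=b=c' keeps value 'b=c'."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def would_send_over_http(cookie: Cookie) -> bool:
    """A user agent attaches a cookie to an http:// request for the same host
    unless the cookie carries the Secure attribute."""
    return not cookie.secure


def audit_set_cookie(headers):
    """Return a sorted list of (cookie name, reason) for cookies that leak over HTTP."""
    cookies = [parse_set_cookie(h) for h in headers]
    reasons = {}
    for c in cookies:
        if SENSITIVE_NAME.search(c.name) and would_send_over_http(c):
            reasons[c.name] = "sensitive cookie set without Secure"
    # Duplicate-cookie pattern: the same value issued twice, once with Secure and
    # once without; the non-Secure copy leaks the very token the Secure one protects.
    by_value = {}
    for c in cookies:
        by_value.setdefault(c.value, []).append(c)
    for value, group in by_value.items():
        if value and any(c.secure for c in group):
            for c in group:
                if not c.secure:
                    reasons[c.name] = "non-Secure duplicate of a Secure cookie (same value)"
    return sorted(reasons.items())


# Constructed sample, modelled on the duplicate-cookie behaviour described above;
# the names and values are not taken from any real server.
SAMPLE_HEADERS = [
    "KEYCLOAK_IDENTITY=tok.abc.123; Path=/auth/realms/demo/; Secure; HttpOnly; SameSite=None",
    "KEYCLOAK_IDENTITY_LEGACY=tok.abc.123; Path=/auth/realms/demo/; HttpOnly",
    "XSRF-TOKEN=9f1c2d; Path=/",
    "JSESSIONID=A1B2C3; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, reason in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: {reason}")
```

To use it against a real deployment, collect the Set-Cookie response headers of the whole login flow (for example with `curl -D -` or from an intercepting proxy) and pass them in as the list. Two caveats: the Secure attribute stops the cookie from being sent on the wire in cleartext, but it does not stop a user from following an http:// link in the first place, which is what HSTS on the host addresses; and a cookie that is Secure but not HttpOnly is still readable by script, which is a separate weakness this check does not cover.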
CVE-2020-12032 1 Baxter 4 Em1200, Em1200 Firmware, Em2400 and 1 more 2021-11-04 6.4 MEDIUM 9.1 CRITICAL
Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in an unencrypted database. This could allow an attacker with network access to view or modify sensitive data including PHI.
CVE-2019-6526 1 Moxa 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more 2021-11-03 5.0 MEDIUM 9.8 CRITICAL
Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version 3.8 and prior, EDS-408A series Version 3.8 and prior, and EDS-510A series Version 3.8 and prior use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password.
CVE-2019-5448 1 Yarnpkg 1 Yarn 2021-11-03 4.3 MEDIUM 8.1 HIGH
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
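The Yarn entry (CVE-2019-5448) is the supply-chain form of the same weakness: a `resolved` URL with an http:// scheme in yarn.lock makes the client fetch the tarball, together with any registry credential configured for that host, in cleartext. The scanner below is an added example, not Yarn's own code. It lists http:// `resolved` entries in a v1-format yarn.lock, cross-references their hosts against credential lines in an .npmrc (the `//host/:_authToken=` syntax), and rewrites the scheme to https://. The lockfile, registry host, token and hash values are constructed for the example.

```python
"""Scan a yarn.lock (v1 format) for tarballs resolved over plain http://
and rewrite them to https://."""
import re
from urllib.parse import urlsplit

RESOLVED_LINE = re.compile(r'^\s+resolved "(?P<url>[^"]+)"')
# .npmrc lines that bind a credential to a registry host, e.g.
#   //npm.acme.example/:_authToken=...
NPMRC_CRED = re.compile(r'^//(?P<host>[^/]+)/.*?:(_authToken|_auth|_password)=')


def hosts_with_credentials(npmrc_text):
    """Registry hosts for which the .npmrc configures a credential."""
    hosts = set()
    for line in npmrc_text.splitlines():
        m = NPMRC_CRED.match(line.strip())
        if m:
            hosts.add(m.group("host"))
    return hosts


def find_cleartext_resolved(lockfile_text, credential_hosts=frozenset()):
    """Return [(line number, lockfile entry, url, credential_exposed)] for every
    `resolved` URL whose scheme is http. credential_exposed is True when the
    .npmrc holds a token for that host, i.e. the token would go out in cleartext."""
    findings, entry = [], None
    for lineno, line in enumerate(lockfile_text.splitlines(), 1):
        # Entry headers are unindented and end with ':' (e.g. lodash@^4.17.15:).
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            entry = line.rstrip()[:-1].strip('"')
        m = RESOLVED_LINE.match(line)
        if m:
            parts = urlsplit(m.group("url"))
            if parts.scheme == "http":
                findings.append((lineno, entry, m.group("url"), parts.hostname in credential_hosts))
    return findings


def rewrite_to_https(lockfile_text):
    """Return (rewritten lockfile, number of URLs changed). Only the scheme is
    changed; the #sha1 fragment and the integrity line still pin the tarball."""
    out, changed = [], 0
    for line in lockfile_text.splitlines(keepends=True):
        m = RESOLVED_LINE.match(line)
        if m and m.group("url").startswith("http://"):
            line = line.replace('resolved "http://', 'resolved "https://', 1)
            changed += 1
        out.append(line)
    return "".join(out), changed


# Constructed sample lockfile and .npmrc; the host, token and hashes are not real.
SAMPLE_LOCKFILE = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@acme/internal-widgets@^2.1.0":
  version "2.1.0"
  resolved "http://npm.acme.example/@acme/internal-widgets/-/internal-widgets-2.1.0.tgz#0123456789abcdef0123456789abcdef01234567"
  integrity sha512-ZmFrZS1oYXNoLWZvci10aGUtZXhhbXBsZS1vbmx5LW5vdC1hLXJlYWwtdmFsdWU=

lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#ffffffffffffffffffffffffffffffffffffffff"
  integrity sha512-YW5vdGhlci1mYWtlLWhhc2gtZm9yLXRoZS1leGFtcGxlLW9ubHk=
'''

SAMPLE_NPMRC = """\
registry=https://registry.yarnpkg.com/
//npm.acme.example/:_authToken=npm_exampleTokenNotReal0000000000000000
"""

if __name__ == "__main__":
    creds = hosts_with_credentials(SAMPLE_NPMRC)
    for lineno, entry, url, exposed in find_cleartext_resolved(SAMPLE_LOCKFILE, creds):
        print(f"line {lineno}: {entry} -> {url} (credential exposed: {exposed})")
    fixed, n = rewrite_to_https(SAMPLE_LOCKFILE)
    print(f"rewrote {n} URL(s)")
```

Run it over the repository's yarn.lock and the .npmrc Yarn would read. After rewriting, run `yarn install --frozen-lockfile` to confirm the registry actually serves the tarballs over TLS; the rewrite assumes it does, and a host that only answers on plain HTTP needs a different registry, not a scheme change.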