Total
624 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4280 | 1 Ibm | 1 Sterling File Gateway | 2022-12-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 displays sensitive information in HTTP requests which could be used in further attacks against the system. IBM X-Force ID: 160503. | |||||
| CVE-2022-45478 | 1 Telepad-app | 1 Telepad | 2022-12-08 | N/A | 5.9 MEDIUM |
| Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | |||||
| CVE-2022-45480 | 1 Beappsmobile | 1 Pc Keyboard Wifi \& Bluetooth | 2022-12-05 | N/A | 5.9 MEDIUM |
| PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | |||||
| CVE-2022-45483 | 1 Lazy Mouse Project | 1 Lazy Mouse | 2022-12-05 | N/A | 5.9 MEDIUM |
| Lazy Mouse allows an attacker (in a man in the middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | |||||
| CVE-2022-39339 | 1 Nextcloud | 1 Openid Connect User Backend | 2022-12-01 | N/A | 4.3 MEDIUM |
| user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings). | |||||
| CVE-2022-44411 | 1 Web Based Quiz System Project | 1 Web Based Quiz System | 2022-11-29 | N/A | 7.5 HIGH |
| Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a bruteforce attack. | |||||
| CVE-2022-43691 | 1 Concretecms | 1 Concrete Cms | 2022-11-17 | N/A | 5.3 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. | |||||
| CVE-2021-38828 | 1 Xiongmaitech | 2 Xm-jpr2-lx, Xm-jpr2-lx Firmware | 2022-11-16 | N/A | 5.3 MEDIUM |
| Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000 is vulnerable to plain-text traffic sniffing. | |||||
| CVE-2022-38122 | 1 Upspowercom | 1 Upsmon Pro | 2022-11-15 | N/A | 7.5 HIGH |
| UPSMON PRO transmits sensitive data in cleartext over HTTP protocol. An unauthenticated remote attacker can exploit this vulnerability to access sensitive data. | |||||
| CVE-2022-41636 | 1 Haascnc | 1 Haas Controller | 2022-11-01 | N/A | 7.5 HIGH |
| Communication traffic involving "Ethernet Q Commands" service of Haas Controller version 100.20.000.1110 is transmitted in cleartext. This allows an attacker to obtain sensitive information being passed to and from the controller. | |||||
| CVE-2021-44518 | 1 Digipas | 1 Egeetouch Manager | 2022-10-27 | 2.9 LOW | 6.8 MEDIUM |
| An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock's power button, and must be able to capture BLE network communication. | |||||
| CVE-2021-33900 | 1 Apache | 1 Directory Studio | 2022-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions. | |||||
| CVE-2022-32245 | 1 Sap | 1 Businessobjects Business Intelligence | 2022-10-26 | N/A | 8.2 HIGH |
| SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430, allows an unauthenticated attacker to retrieve sensitive information plain text over the network. On successful exploitation, the attacker can view any data available for a business user and put load on the application by an automated attack. Thus, completely compromising confidentiality but causing a limited impact on the availability of the application. | |||||
| CVE-2021-27422 | 1 Ge | 38 Multilin B30, Multilin B30 Firmware, Multilin B90 and 35 more | 2022-10-24 | 5.0 MEDIUM | 7.5 HIGH |
| GE UR firmware versions prior to version 8.1x web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication. | |||||
| CVE-2022-41983 | 1 F5 | 19 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 16 more | 2022-10-24 | N/A | 3.7 LOW |
| On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied. | |||||
| CVE-2020-26197 | 1 Dell | 1 Emc Powerscale Onefs | 2022-10-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Dell PowerScale OneFS 8.1.0 - 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider. | |||||
| CVE-2022-39287 | 1 Tiny-csrf Project | 1 Tiny-csrf | 2022-10-11 | N/A | 6.5 MEDIUM |
| tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2020-13528 | 1 Lantronix | 2 Xport Edge, Xport Edge Firmware | 2022-10-05 | 2.6 LOW | 5.3 MEDIUM |
| An information disclosure vulnerability exists in the Web Manager and telnet CLI functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause information disclosure. An attacker can sniff the network to trigger this vulnerability. | |||||
| CVE-2022-38846 | 1 Espocrm | 1 Espocrm | 2022-09-17 | N/A | 5.9 MEDIUM |
| EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack. | |||||
| CVE-2021-42948 | 1 Digitaldruid | 1 Hoteldruid | 2022-09-17 | N/A | 3.7 LOW |
| HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's. | |||||