Total
624 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4899 | 1 Ibm | 1 Api Connect | 2021-01-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM API Connect 5.0.0.0 through 5.0.8.10 could potentially leak sensitive information or allow for data corruption due to plain text transmission of sensitive information across the network. IBM X-Force ID: 190990. | |||||
| CVE-2018-19944 | 1 Qnap | 1 Qts | 2021-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later) | |||||
| CVE-2020-11718 | 1 Bilanc | 1 Bilanc | 2020-12-23 | 5.8 MEDIUM | 7.4 HIGH |
| An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP. | |||||
| CVE-2020-25190 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2020-12-23 | 5.0 MEDIUM | 9.8 CRITICAL |
| The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower stores and transmits the credentials of third-party services in cleartext. | |||||
| CVE-2020-14248 | 1 Hcltech | 1 Bigfix Platform | 2020-12-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | |||||
| CVE-2020-5426 | 1 Vmware | 1 Pivotal Scheduler | 2020-12-01 | 4.3 MEDIUM | 9.8 CRITICAL |
| Scheduler for TAS prior to version 1.4.0 was permitting plaintext transmission of UAA client token by sending it over a non-TLS connection. This also depended on the configuration of the MySQL server which is used to cache a UAA client token used by the service. If intercepted the token can give an attacker admin level access in the cloud controller. | |||||
| CVE-2020-27586 | 1 Quickheal | 1 Total Security | 2020-12-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| Quick Heal Total Security before version 19.0 transmits quarantine and sysinfo files via clear text. | |||||
| CVE-2020-25155 | 1 Nexcom | 2 Nio 50, Nio 50 Firmware | 2020-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| The affected product transmits unencrypted sensitive information, which may allow an attacker to access this information on the NIO 50 (all versions). | |||||
| CVE-2005-2069 | 2 Openldap, Padl | 3 Openldap, Nss Ldap, Pam Ldap | 2020-11-16 | 5.0 MEDIUM | N/A |
| pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password. | |||||
| CVE-2020-27656 | 1 Synology | 1 Diskstation Manager | 2020-11-03 | 4.3 MEDIUM | 3.7 LOW |
| Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||||
| CVE-2020-27657 | 1 Synology | 1 Router Manager | 2020-11-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||||
| CVE-2020-7744 | 2 Google, Mintegral | 2 Android, Mintegraladsdk | 2020-10-29 | 4.3 MEDIUM | 4.7 MEDIUM |
| This affects all versions of package com.mintegral.msdk:alphab. The Android SDK distributed by the company contains malicious functionality in this module that tracks: 1. Downloads from Google urls either within Google apps or via browser including file downloads, e-mail attachments and Google Docs links. 2. All apk downloads, either organic or not. Mintegral listens to download events in Android's download manager and detects if the downloaded file's url contains: a. google.com or comes from a Google app (the com.android.vending package) b. Ends with .apk for apk downloads In both cases, the module sends the captured data back to Mintegral's servers. Note that the malicious functionality keeps running even if the app is currently not in focus (running in the background). | |||||
| CVE-2019-3793 | 1 Pivotal Software | 1 Application Service | 2020-10-16 | 5.0 MEDIUM | 9.8 CRITICAL |
| Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests. | |||||
| CVE-2019-5635 | 1 Belwith-keeler | 2 Hickory Smart Ethernet Bridge, Hickory Smart Ethernet Bridge Firmware | 2020-10-16 | 5.0 MEDIUM | 7.5 HIGH |
| A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information. | |||||
| CVE-2019-11276 | 1 Pivotal Software | 1 Application Service | 2020-10-16 | 4.8 MEDIUM | 5.4 MEDIUM |
| Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged. | |||||
| CVE-2020-25748 | 1 Rubetek | 6 Rv-3406, Rv-3406 Firmware, Rv-3409 and 3 more | 2020-10-08 | 6.8 MEDIUM | 8.1 HIGH |
| A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP servers and force the camera to use the changed values. | |||||
| CVE-2019-12506 | 1 Logitech | 2 R700 Laser Presentation Remote, R700 Laser Presentation Remote Firmware | 2020-08-24 | 8.3 HIGH | 8.8 HIGH |
| Due to unencrypted and unauthenticated data communication, the wireless presenter Logitech R700 Laser Presentation Remote R-R0010 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-11739 | 1 Mozilla | 1 Thunderbird | 2020-08-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. This vulnerability affects Thunderbird < 68.1 and Thunderbird < 60.9. | |||||
| CVE-2019-4594 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2020-08-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-ForceID: 167810. | |||||
| CVE-2018-11422 | 1 Moxa | 4 Oncell G3150-hspa, Oncell G3150-hspa-t, Oncell G3150-hspa-t Firmware and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercepted and modified. Any commands (including device reboot, configuration download or upload, or firmware upgrade) are accepted and executed by the device without authentication. | |||||