Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-311
Total 209 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-15343 1 Zyxel 1 Cloudcnm Secumanager 2022-10-27 N/A 5.3 MEDIUM
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user_key API.
CVE-2020-15342 1 Zyxel 1 Cloudcnm Secumanager 2022-10-27 N/A 5.3 MEDIUM
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user API.
CVE-2020-15340 1 Zyxel 1 Cloudcnm Secumanager 2022-10-27 N/A 7.5 HIGH
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa SSH key.
CVE-2020-15345 1 Zyxel 1 Cloudcnm Secumanager 2022-10-27 N/A 5.3 MEDIUM
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_instances_for_update API.
CVE-2020-15346 1 Zyxel 1 Cloudcnm Secumanager 2022-10-27 N/A 5.3 MEDIUM
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a /live/GLOBALS API with the CLOUDCNM key.
CVE-2021-35236 1 Solarwinds 1 Kiwi Syslog Server 2022-10-27 5.0 MEDIUM 5.3 MEDIUM
The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.
CVE-2021-3882 1 Ledgersmb 1 Ledgersmb 2022-10-27 4.0 MEDIUM 6.8 MEDIUM
LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server *and* the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the 'Header always edit' configuration command in the mod_headers module. For Nginx, please refer to the 'proxy_cookie_flags' configuration command.
CVE-2022-35860 1 Corsair 2 K63, K63 Firmware 2022-10-21 N/A 6.8 MEDIUM
Missing AES encryption in Corsair K63 Wireless 3.1.3 allows physically proximate attackers to inject and sniff keystrokes via 2.4 GHz radio transmissions.
CVE-2019-6169 1 Lenovo 8 Ideacentre, Ideapad, Service Bridge and 5 more 2022-10-13 5.0 MEDIUM 7.5 HIGH
A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow unencrypted downloads over FTP.
CVE-2022-39014 1 Sap 1 Businessobjects Business Intelligence Platform 2022-09-30 N/A 5.3 MEDIUM
Under certain conditions SAP BusinessObjects Business Intelligence Platform Central Management Console (CMC) - version 430, allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted.
CVE-2020-8173 1 Nextcloud 1 Nextcloud Server 2022-09-27 3.5 LOW 2.2 LOW
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.
CVE-2022-3250 1 Ikus-soft 1 Rdiffweb 2022-09-23 N/A 5.3 MEDIUM
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.
CVE-2022-3251 1 Ikus-soft 1 Minarca 2022-09-23 N/A 5.3 MEDIUM
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2.
CVE-2022-3174 1 Ikus-soft 1 Rdiffweb 2022-09-15 N/A 7.5 HIGH
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2.
CVE-2022-26390 1 Baxter 8 Baxter Spectrum Iq 35700bax3, Baxter Spectrum Iq 35700bax3 Firmware, Sigma Spectrum 35700bax and 5 more 2022-09-15 N/A 4.2 MEDIUM
The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information.
CVE-2022-38194 1 Esri 1 Portal For Arcgis 2022-08-17 N/A 5.5 MEDIUM
In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.
CVE-2021-21963 1 Sealevel 2 Seaconnect 370w, Seaconnect 370w Firmware 2022-07-29 4.3 MEDIUM 5.9 MEDIUM
An information disclosure vulnerability exists in the Web Server functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
CVE-2022-20219 1 Google 1 Android 2022-07-21 2.1 LOW 5.5 MEDIUM
In multiple functions of StorageManagerService.java and UserManagerService.java, there is a possible way to leave user's directories unencrypted due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-224585613
CVE-2015-3207 1 Openshift 1 Origin 2022-07-14 5.0 MEDIUM 5.3 MEDIUM
In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes.
CVE-2021-38977 3 Ibm, Linux, Microsoft 5 Aix, Security Guardium Key Lifecycle Manager, Security Key Lifecycle Manager and 2 more 2022-07-12 4.3 MEDIUM 4.3 MEDIUM
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 212782.