Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-311
Total 209 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-38977 3 Ibm, Linux, Microsoft 5 Aix, Security Guardium Key Lifecycle Manager, Security Key Lifecycle Manager and 2 more 2022-07-12 4.3 MEDIUM 4.3 MEDIUM
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 212782.
CVE-2021-40650 1 Softwareag 1 Connx 2022-06-22 4.3 MEDIUM 6.5 MEDIUM
In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the secure flag set.
CVE-2022-30237 1 Schneider-electric 4 Wiser Smart Eer21000, Wiser Smart Eer21000 Firmware, Wiser Smart Eer21001 and 1 more 2022-06-13 5.0 MEDIUM 7.5 HIGH
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists that could allow authentication credentials to be recovered when an attacker breaks the encoding. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
CVE-2022-21951 1 Suse 1 Rancher 2022-06-09 3.6 LOW 6.8 MEDIUM
A Missing Encryption of Sensitive Data vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI value overridden This issue affects: SUSE Rancher Rancher versions prior to 2.5.14; Rancher versions prior to 2.6.5.
CVE-2021-27779 1 Hcltech 1 Versionvault Express 2022-06-08 6.4 MEDIUM 9.1 CRITICAL
VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server.
CVE-2021-27783 1 Hcltech 2 Bigfix Mobile, Bigfix Modern Client Management 2022-06-07 4.0 MEDIUM 6.5 MEDIUM
User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.
CVE-2022-24045 1 Siemens 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more 2022-06-01 4.0 MEDIUM 6.5 MEDIUM
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.
CVE-2020-8150 1 Nextcloud 1 Nextcloud Server 2022-05-24 1.9 LOW 4.1 MEDIUM
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
CVE-2021-27764 1 Hcltech 1 Bigfix Webui 2022-05-18 4.3 MEDIUM 6.5 MEDIUM
Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)
CVE-2022-29945 1 Dji 22 Air 2, Air 2 Firmware, Air 2s and 19 more 2022-05-13 5.0 MEDIUM 7.5 HIGH
DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol.
CVE-2017-5042 6 Apple, Debian, Google and 3 more 9 Macos, Debian Linux, Android and 6 more 2022-04-22 3.3 LOW 5.7 MEDIUM
Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies sent.
CVE-2021-33020 1 Philips 4 Myvue, Speech, Vue Motion and 1 more 2022-04-08 5.0 MEDIUM 7.5 HIGH
Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
CVE-2022-27225 1 Gradle 1 Enterprise 2022-03-22 4.3 MEDIUM 6.5 MEDIUM
Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.
CVE-2020-7567 1 Schneider-electric 2 Modicon M221, Modicon M221 Firmware 2022-02-04 2.9 LOW 5.7 MEDIUM
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to find the password hash when the attacker has captured the traffic between EcoStruxure Machine - Basic software and Modicon M221 controller and broke the encryption keys.
CVE-2022-0183 1 Kingjim 4 Mirupass Pw10, Mirupass Pw10 Firmware, Mirupass Pw20 and 1 more 2022-01-26 2.1 LOW 4.6 MEDIUM
Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 firmware all versions and 'MIRUPASS' PW20 firmware all versions allows an attacker who can physically access the device to obtain the stored passwords.
CVE-2022-23116 1 Jenkins 1 Conjur Secrets 2022-01-18 5.0 MEDIUM 7.5 HIGH
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.
CVE-2020-9057 2 Linear, Silabs 5 Wadwaz-1, Wapirz-1, 100 Series Firmware and 2 more 2022-01-18 8.3 HIGH 8.8 HIGH
Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption, allowing an attacker within radio range to take control of or cause a denial of service to a vulnerable device. An attacker can also capture and replay Z-Wave traffic. Firmware upgrades cannot directly address this vulnerability as it is an issue with the Z-Wave specification for these legacy chipsets. One way to protect against this vulnerability is to use 500 or 700 series chipsets that support Security 2 (S2) encryption. As examples, the Linear WADWAZ-1 version 3.43 and WAPIRZ-1 version 3.43 (with 300 series chipsets) are vulnerable.
CVE-2020-9058 4 Dome, Jasco, Linear and 1 more 4 Dm501, Zw4201, Lb60z-1 and 1 more 2022-01-18 4.8 MEDIUM 8.1 HIGH
Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation, including but likely not limited to the Linear LB60Z-1 version 3.5, Dome DM501 version 4.26, and Jasco ZW4201 version 4.05, do not implement encryption or replay protection.
CVE-2021-40148 1 Mediatek 53 L9, Lr11, Lr12 and 50 more 2022-01-14 5.0 MEDIUM 7.5 HIGH
In Modem EMM, there is a possible information disclosure due to a missing data encryption. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00716585; Issue ID: ALPS05886933.
CVE-2019-16206 1 Broadcom 1 Brocade Sannav 2022-01-01 2.1 LOW 5.5 MEDIUM
The authentication mechanism, in Brocade SANnav versions before v2.0, logs plaintext account credentials at the ‘trace’ and the 'debug' logging level; which could allow a local authenticated attacker to access sensitive information.