Total
209 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-15771 | 1 Gradle | 2 Enterprise, Enterprise Cache Node | 2021-12-20 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation. | |||||
CVE-2020-15767 | 1 Gradle | 1 Enterprise | 2021-12-20 | 2.6 LOW | 5.3 MEDIUM |
An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF. | |||||
CVE-2021-37189 | 1 Digi | 12 Transport Wr11, Transport Wr11 Firmware, Transport Wr11 Xt and 9 more | 2021-12-14 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session. | |||||
CVE-2021-36189 | 1 Fortinet | 1 Forticlient Enterprise Management Server | 2021-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
A missing encryption of sensitive data in Fortinet FortiClientEMS version 7.0.1 and below, version 6.4.4 and below allows attacker to information disclosure via inspecting browser decrypted data | |||||
CVE-2021-37050 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
There is a Missing sensitive data encryption vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality. | |||||
CVE-2019-4471 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2021-12-01 | 4.0 MEDIUM | 6.5 MEDIUM |
IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an HTTPS session. A remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 163780. | |||||
CVE-2019-13922 | 1 Siemens | 1 Sinema Remote Connect Server | 2021-10-28 | 4.0 MEDIUM | 2.7 LOW |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). An attacker with administrative privileges can obtain the hash of a connected device's password. The security vulnerability could be exploited by an attacker with network access to the SINEMA Remote Connect Server and administrative privileges. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
CVE-2019-1573 | 1 Paloaltonetworks | 1 Globalprotect | 2021-09-14 | 1.9 LOW | 2.5 LOW |
GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS may allow a local authenticated attacker who has compromised the end-user account and gained the ability to inspect memory, to access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user. | |||||
CVE-2021-22932 | 1 Citrix | 1 Sharefile Storagezones Controller | 2021-08-31 | 5.0 MEDIUM | 7.5 HIGH |
An issue has been identified in the CTX269106 mitigation tool for Citrix ShareFile storage zones controller which causes the ShareFile file encryption option to become disabled if it had previously been enabled. Customers are only affected by this issue if they previously selected “Enable Encryption” in the ShareFile configuration page and did not re-select this setting after running the CTX269106 mitigation tool. ShareFile customers who have not run the CTX269106 mitigation tool or who re-selected “Enable Encryption” immediately after running the tool are unaffected by this issue. | |||||
CVE-2017-7729 | 1 Ismartalarm | 2 Cubeone, Cubeone Firmware | 2021-08-25 | 5.0 MEDIUM | 7.5 HIGH |
On iSmartAlarm cube devices, there is Incorrect Access Control because a "new key" is transmitted in cleartext. | |||||
CVE-2021-22782 | 1 Schneider-electric | 3 Ecostruxure Control Expert, Ecostruxure Process Expert, Remoteconnect | 2021-07-26 | 2.1 LOW | 5.5 MEDIUM |
Missing Encryption of Sensitive Data vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause an information leak allowing disclosure of network and process information, credentials or intellectual property when an attacker can access a project file. | |||||
CVE-2019-4704 | 1 Ibm | 1 Security Identity Manager Virtual Appliance | 2021-07-21 | 4.3 MEDIUM | 4.3 MEDIUM |
IBM Security Identity Manager Virtual Appliance 7.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 172014. | |||||
CVE-2019-16210 | 1 Broadcom | 1 Brocade Sannav | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
Brocade SANnav versions before v2.0, logs plain text database connection password while triggering support save. | |||||
CVE-2019-7311 | 1 Linksys | 2 Wrt1900acs, Wrt1900acs Firmware | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A lack of encryption in how the user login cookie (admin-auth) is stored on a victim's computer results in the admin password being discoverable by a local attacker, and usable to gain administrative access to the victim's router. The admin password is stored in base64 cleartext in an "admin-auth" cookie. An attacker sniffing the network at the time of login could acquire the router's admin password. Alternatively, gaining physical access to the victim's computer soon after an administrative login could result in compromise. | |||||
CVE-2019-15653 | 1 Comba | 2 Ap2600-i - A02 - 0202n00pd2, Ap2600-i - A02 - 0202n00pd2 Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via an insecure authentication mechanism. The HTML source code of the login page contains values that allow obtaining the username and password. The username are password values are a double md5 of the plaintext real value, i.e., md5(md5(value)). | |||||
CVE-2019-4686 | 1 Ibm | 2 Guardium Data Encryption, Guardium For Cloud Key Management | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 171822. | |||||
CVE-2019-14480 | 1 Adremsoft | 1 Netcrunch | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges. | |||||
CVE-2020-12273 | 1 Testlink | 1 Testlink | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. | |||||
CVE-2019-11664 | 1 Microfocus | 1 Service Manager | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Clear text password in browser in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure. | |||||
CVE-2019-11663 | 1 Microfocus | 1 Service Manager | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Clear text credentials are used to access managers app in Tomcat in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure. |