Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-319
Total 413 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-39272 2 Fedoraproject, Fetchmail 2 Fedora, Fetchmail 2022-09-25 4.3 MEDIUM 5.9 MEDIUM
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
CVE-2022-38846 1 Espocrm 1 Espocrm 2022-09-16 N/A 5.9 MEDIUM
EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack.
CVE-2021-42948 1 Digitaldruid 1 Hoteldruid 2022-09-16 N/A 3.7 LOW
HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's.
CVE-2022-30312 1 Honeywell 10 Trend Iq411, Trend Iq411 Firmware, Trend Iq412 and 7 more 2022-09-16 N/A 6.5 MEDIUM
The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol in for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement.
CVE-2022-34371 1 Dell 1 Emc Powerscale Onefs 2022-09-08 N/A 9.8 CRITICAL
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.3, contain an unprotected transport of credentials vulnerability. A malicious unprivileged network attacker could potentially exploit this vulnerability, leading to full system compromise.
CVE-2022-2003 1 Automationdirect 18 D0-06aa, D0-06aa Firmware, D0-06ar and 15 more 2022-09-06 N/A 9.1 CRITICAL
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;
CVE-2022-2005 1 Automationdirect 24 C-more Ea9-pgmsw, C-more Ea9-pgmsw Firmware, C-more Ea9-rhmi and 21 more 2022-09-06 N/A 7.5 HIGH
AutomationDirect C-more EA9 HTTP webserver uses an insecure mechanism to transport credentials from client to web server, which may allow an attacker to obtain the login credentials and login as a valid user. This issue affects: AutomationDirect C-more EA9 EA9-T6CL versions prior to 6.73; EA9-T6CL-R versions prior to 6.73; EA9-T7CL versions prior to 6.73; EA9-T7CL-R versions prior to 6.73; EA9-T8CL versions prior to 6.73; EA9-T10CL versions prior to 6.73; EA9-T10WCL versions prior to 6.73; EA9-T12CL versions prior to 6.73; EA9-T15CL versions prior to 6.73; EA9-RHMI versions prior to 6.73; EA9-PGMSW versions prior to 6.73;
CVE-2022-2485 1 Automationdirect 20 Sio-mb04ads, Sio-mb04ads Firmware, Sio-mb04das and 17 more 2022-09-06 N/A 7.5 HIGH
Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its password in the communication packets.
CVE-2022-36200 1 Fiberhome 2 Hg150-ub, Hg150-ub Firmware 2022-09-02 N/A 7.5 HIGH
In FiberHome VDSL2 Modem HG150-Ub_V3.0, Credentials of Admin are submitted in URL, which can be logged/sniffed.
CVE-2021-22946 7 Apple, Debian, Fedoraproject and 4 more 33 Macos, Debian Linux, Fedora and 30 more 2022-08-28 5.0 MEDIUM 7.5 HIGH
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
CVE-2021-3590 2 Redhat, Theforeman 2 Satellite, Foreman 2022-08-26 N/A 8.8 HIGH
A flaw was found in Foreman project. A credential leak was identified which will expose Azure Compute Profile password through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2022-32245 1 Sap 1 Businessobjects Business Intelligence 2022-08-19 N/A 8.2 HIGH
SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430, allows an unauthenticated attacker to retrieve sensitive information plain text over the network. On successful exploitation, the attacker can view any data available for a business user and put load on the application by an automated attack. Thus, completely compromising confidentiality but causing a limited impact on the availability of the application.
CVE-2022-2338 1 Softing 6 Edgeaggregator, Edgeconnector, Opc and 3 more 2022-08-19 N/A 5.3 MEDIUM
Softing Secure Integration Server V1.22 is vulnerable to authentication bypass via a machine-in-the-middle attack. The default the administration interface is accessible via plaintext HTTP protocol, facilitating the attack. The HTTP request may contain the session cookie in the request, which may be captured for use in authenticating to the server.
CVE-2022-20243 1 Google 1 Android 2022-08-12 N/A 4.4 MEDIUM
In Core Utilities, there is a possible log information disclosure. This could lead to local information disclosure of sensitive browsing data with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-190199986
CVE-2022-33724 1 Google 1 Android 2022-08-11 N/A 3.3 LOW
Exposure of Sensitive Information in Samsung Dialer application?prior to SMR Aug-2022 Release 1 allows local attackers to access ICCID via log.
CVE-2021-40366 1 Siemens 2 Climatix Pol909, Climatix Pol909 Firmware 2022-08-09 5.8 MEDIUM 7.4 HIGH
A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.42), Climatix POL909 (AWM module) (All versions < V11.34). The web server of affected devices transmits data without TLS encryption. This could allow an unauthenticated remote attacker in a man-in-the-middle position to read sensitive data, such as administrator credentials, or modify data in transit.
CVE-2022-27619 1 Synology 1 Note Station 2022-08-09 N/A 5.9 MEDIUM
Cleartext transmission of sensitive information vulnerability in authentication management in Synology Note Station Client before 2.2.2-609 allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.
CVE-2022-31204 1 Omron 15 Cp1w-cif41, Cp1w-cif41 Firmware, Cx-programmer and 12 more 2022-08-04 N/A 7.5 HIGH
Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext.
CVE-2022-28861 2 Axis, Citilog 2 M1125, Citilog 2022-07-29 N/A 5.9 MEDIUM
The server in Citilog 8.0 allows an attacker (in a man in the middle position between the server and its smart camera Axis M1125) to see FTP credentials in a cleartext HTTP traffic. These can be used for FTP access to the server.
CVE-2021-20623 1 Panasonic 1 Video Insight Vms 2022-07-12 10.0 HIGH 9.8 CRITICAL
Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a specially crafted request.