Vulnerabilities (CVE)

Filtered by CWE-319
Total 456 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-0053 1 Sauter-controls 11 Bacnetstac, Modunet300 Ey-am300f001, Modunet300 Ey-am300f001 Firmware and 8 more 2023-03-09 N/A 7.5 HIGH
SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior have only FTP and Telnet available for device management. Any sensitive information communicated through these protocols, such as credentials, is sent in cleartext. An attacker could obtain sensitive information such as user credentials to gain access to the system.
CVE-2023-23915 1 Haxx 1 Curl 2023-03-09 N/A 6.5 MEDIUM
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
CVE-2023-23914 1 Haxx 1 Curl 2023-03-09 N/A 9.1 CRITICAL
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
CVE-2019-10427 1 Jenkins 1 Aqua Microscanner 2023-02-28 5.0 MEDIUM 5.3 MEDIUM
Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
CVE-2019-10428 1 Jenkins 1 Aqua Security Scanner 2023-02-28 5.0 MEDIUM 7.5 HIGH
Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
CVE-2019-13498 1 Oneidentity 1 Cloud Access Manager 2023-02-28 5.8 MEDIUM 7.4 HIGH
One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.
CVE-2023-22806 1 Ls-electric 2 Xbc-dn32u, Xbc-dn32u Firmware 2023-02-24 N/A 7.5 HIGH
LS ELECTRIC XBC-DN32U with operating system version 01.80 transmits sensitive information in cleartext when communicating over its XGT protocol. This could allow an attacker to gain sensitive information such as user credentials.
CVE-2022-45546 1 Screencheck 1 Badgemaker 2023-02-22 N/A 7.5 HIGH
Information Disclosure in Authentication Component of ScreenCheck BadgeMaker 2.6.2.0 application allows internal attacker to obtain credentials for authentication via network sniffing.
CVE-2019-10412 1 Jenkins 1 Inedo Proget 2023-02-22 5.0 MEDIUM 7.5 HIGH
Jenkins Inedo ProGet Plugin 1.2 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
CVE-2019-10411 1 Jenkins 1 Inedo Buildmaster 2023-02-22 5.0 MEDIUM 7.5 HIGH
Jenkins Inedo BuildMaster Plugin 2.4.0 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
CVE-2023-0001 2 Microsoft, Paloaltonetworks 2 Windows, Cortex Xdr Agent 2023-02-18 N/A 6.7 MEDIUM
An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent.
CVE-2022-40693 1 Moxa 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more 2023-02-16 N/A 7.5 HIGH
A cleartext transmission vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.
CVE-2023-25016 1 Couchbase 1 Couchbase Server 2023-02-14 N/A 7.5 HIGH
Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor.
CVE-2019-6613 1 F5 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more 2023-02-10 5.0 MEDIUM 5.3 MEDIUM
On BIG-IP 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, SNMP may expose sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is used with various profile types and is accessed using SNMPv2.
CVE-2022-42916 3 Apple, Fedoraproject, Haxx 3 Macos, Fedora, Curl 2023-02-10 N/A 7.5 HIGH
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
CVE-2023-23130 1 Connectwise 1 Automate 2023-02-08 N/A 5.9 MEDIUM
** DISPUTED ** Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting.
CVE-2023-24440 1 Jenkins 1 Jira Pipeline Steps 2023-02-03 N/A 5.5 MEDIUM
Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.
CVE-2019-4162 1 Ibm 1 Security Information Queue 2023-02-03 5.0 MEDIUM 7.5 HIGH
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application or accept invalid certificates. This leads to sensitive data being sent unencrypted over the wire. IBM X-Force ID: 158661.
CVE-2019-6640 1 F5 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more 2023-02-03 5.0 MEDIUM 5.3 MEDIUM
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2.
CVE-2019-4063 1 Ibm 1 Sterling B2b Integrator 2023-02-03 4.3 MEDIUM 5.9 MEDIUM
IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 Standard Edition could allow highly sensitive information to be transmitted in plain text. An attacker could obtain this information using man in the middle techniques. IBM X-Force ID: 157008.