Total
456 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0053 | 1 Sauter-controls | 11 Bacnetstac, Modunet300 Ey-am300f001, Modunet300 Ey-am300f001 Firmware and 8 more | 2023-03-09 | N/A | 7.5 HIGH |
| SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior have only FTP and Telnet available for device management. Any sensitive information communicated through these protocols, such as credentials, is sent in cleartext. An attacker could obtain sensitive information such as user credentials to gain access to the system. | |||||
| CVE-2023-23915 | 1 Haxx | 1 Curl | 2023-03-09 | N/A | 6.5 MEDIUM |
| A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS. | |||||
| CVE-2023-23914 | 1 Haxx | 1 Curl | 2023-03-09 | N/A | 9.1 CRITICAL |
| A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on. | |||||
| CVE-2019-10427 | 1 Jenkins | 1 Aqua Microscanner | 2023-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-10428 | 1 Jenkins | 1 Aqua Security Scanner | 2023-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-13498 | 1 Oneidentity | 1 Cloud Access Manager | 2023-02-28 | 5.8 MEDIUM | 7.4 HIGH |
| One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4. | |||||
| CVE-2023-22806 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2023-02-24 | N/A | 7.5 HIGH |
| LS ELECTRIC XBC-DN32U with operating system version 01.80 transmits sensitive information in cleartext when communicating over its XGT protocol. This could allow an attacker to gain sensitive information such as user credentials. | |||||
| CVE-2022-45546 | 1 Screencheck | 1 Badgemaker | 2023-02-22 | N/A | 7.5 HIGH |
| Information Disclosure in Authentication Component of ScreenCheck BadgeMaker 2.6.2.0 application allows internal attacker to obtain credentials for authentication via network sniffing. | |||||
| CVE-2019-10412 | 1 Jenkins | 1 Inedo Proget | 2023-02-22 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Inedo ProGet Plugin 1.2 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-10411 | 1 Jenkins | 1 Inedo Buildmaster | 2023-02-22 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Inedo BuildMaster Plugin 2.4.0 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2023-0001 | 2 Microsoft, Paloaltonetworks | 2 Windows, Cortex Xdr Agent | 2023-02-18 | N/A | 6.7 MEDIUM |
| An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent. | |||||
| CVE-2022-40693 | 1 Moxa | 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more | 2023-02-16 | N/A | 7.5 HIGH |
| A cleartext transmission vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | |||||
| CVE-2023-25016 | 1 Couchbase | 1 Couchbase Server | 2023-02-14 | N/A | 7.5 HIGH |
| Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor. | |||||
| CVE-2019-6613 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2023-02-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| On BIG-IP 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, SNMP may expose sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is used with various profile types and is accessed using SNMPv2. | |||||
| CVE-2022-42916 | 3 Apple, Fedoraproject, Haxx | 3 Macos, Fedora, Curl | 2023-02-10 | N/A | 7.5 HIGH |
| In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. | |||||
| CVE-2023-23130 | 1 Connectwise | 1 Automate | 2023-02-08 | N/A | 5.9 MEDIUM |
| ** DISPUTED ** Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. OTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. | |||||
| CVE-2023-24440 | 1 Jenkins | 1 Jira Pipeline Steps | 2023-02-03 | N/A | 5.5 MEDIUM |
| Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-4162 | 1 Ibm | 1 Security Information Queue | 2023-02-03 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application or accept invalid certificates. This leads to sensitive data being sent unencrypted over the wire. IBM X-Force ID: 158661. | |||||
| CVE-2019-6640 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2023-02-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2. | |||||
| CVE-2019-4063 | 1 Ibm | 1 Sterling B2b Integrator | 2023-02-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 Standard Edition could allow highly sensitive information to be transmitted in plain text. An attacker could obtain this information using man in the middle techniques. IBM X-ForceID: 157008. | |||||