Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-319
Total 456 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-12813 1 Crossmatch 2 Digital Persona U.are.u 4500, Digital Persona U.are.u 4500 Firmware 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Reader v24. The key and salt used for obfuscating the fingerprint image exhibit cleartext when the fingerprint scanner device transfers a fingerprint image to the driver. An attacker who sniffs an encrypted fingerprint image can easily decrypt that image using the key and salt.
CVE-2020-4597 2 Ibm, Linux 2 Security Guardium Insights, Linux Kernel 2021-07-21 4.3 MEDIUM 4.3 MEDIUM
IBM Security Guardium Insights 2.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 184822.
CVE-2019-10250 2 Microsoft, Ucweb 2 Windows, Uc Browser 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
UCWeb UC Browser 7.0.185.1002 on Windows uses HTTP for downloading certain PDF modules, which allows MITM attacks.
CVE-2019-16067 1 Netsas 1 Enigma Network Management Solution 2021-07-21 5.0 MEDIUM 7.5 HIGH
NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over HTTP for enforcing access control to the web application. The use of weak authentication transmitted over cleartext protocols can allow an attacker to steal username and password combinations by intercepting authentication traffic in transit.
CVE-2019-16063 1 Netsas 1 Enigma Network Management Solution 2021-07-21 5.0 MEDIUM 7.5 HIGH
NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data rendered within web pages. It is possible for an attacker to expose unencrypted sensitive data.
CVE-2019-14959 1 Jetbrains 1 Toolbox 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection.
CVE-2019-14954 1 Jetbrains 1 Intellij Idea 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.
CVE-2020-5860 1 F5 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more 2021-07-21 6.8 MEDIUM 8.1 HIGH
On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS).
CVE-2020-9477 1 Humaxdigital 2 Hga12r-02, Hga12r-02 Firmware 2021-07-21 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered on HUMAX HGA12R-02 BRGCAA 1.1.53 devices. A vulnerability in the authentication functionality in the web-based interface could allow an unauthenticated remote attacker to capture packets at the time of authentication and gain access to the cleartext password. An attacker could use this access to create a new user account or control the device.
CVE-2020-9526 1 Cs2-network 1 P2p 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
CVE-2019-14808 1 Renpho 1 Renpho 2021-07-21 4.0 MEDIUM 6.8 MEDIUM
An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).
CVE-2020-7907 1 Jetbrains 1 Scala 2021-07-21 5.0 MEDIUM 7.5 HIGH
In the JetBrains Scala plugin before 2019.2.1, some artefact dependencies were resolved over unencrypted connections.
CVE-2019-13394 1 Netgear 2 Cg3700b, Cg3700b Firmware 2021-07-21 5.0 MEDIUM 9.8 CRITICAL
The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP.
CVE-2020-6198 1 Sap 1 Solution Manager 2021-07-21 7.5 HIGH 9.8 CRITICAL
SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker to control all remote functions on the Agent due to Missing Authentication Check.
CVE-2020-6195 1 Sap 1 Businessobjects Business Intelligence Platform 2021-07-21 5.0 MEDIUM 9.8 CRITICAL
SAP Business Objects Business Intelligence Platform (CMC), version 4.1, 4.2, shows cleartext password in the response, leading to Information Disclosure. It involves social engineering in order to gain access to system and If password is known, it would give administrative rights to the attacker to read/modify delete the data and rights within the system.
CVE-2020-5899 1 F5 1 Nginx Controller 2021-07-21 4.6 MEDIUM 7.8 HIGH
In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address of another registered user then retrieve the recovery code.
CVE-2020-29005 1 Mediawiki 1 Mediawiki 2021-07-21 5.0 MEDIUM 7.5 HIGH
The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure.
CVE-2020-5893 1 F5 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client 2021-07-21 4.3 MEDIUM 3.7 LOW
In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Edge Client over an unsecure network, BIG-IP Edge Client responds to authentication requests over HTTP while sending probes for captive portal detection.
CVE-2019-12504 1 Inateck 2 Wp2002, Wp2002 Firmware 2021-07-21 8.3 HIGH 8.8 HIGH
Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP2002 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
CVE-2020-29380 1 Vsolcn 10 V1600d, V1600d-mini, V1600d-mini Firmware and 7 more 2021-07-21 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-the-middle attack on the management of the appliance.