Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-319
Total 456 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-16225 2 Qbeecam, Swisscom 4 Qbee Multi-sensor Camera, Qbee Multi-sensor Camera Firmware, Qbeecam and 1 more 2020-08-24 6.1 MEDIUM 6.5 MEDIUM
The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera.
CVE-2020-2232 1 Jenkins 1 Email Extension 2020-08-13 5.0 MEDIUM 7.5 HIGH
Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.
CVE-2020-15954 2 Debian, Kde 2 Debian Linux, Kmail 2020-07-30 4.3 MEDIUM 6.5 MEDIUM
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
CVE-2020-4397 1 Ibm 1 Verify Gateway 2020-07-24 4.3 MEDIUM 5.9 MEDIUM
IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 transmits sensitive information in plain text which could be obtained by an attacker using man in the middle techniques. IBM X-Force ID: 179428.
CVE-2020-3442 1 Duo 1 Duoconnect 2020-07-24 2.9 LOW 5.7 MEDIUM
The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user’s browser is opened to a login screen in order to complete authentication determined by the contents of the '-relay' argument. If the ‘-relay’ is set to a URL beginning with "http://", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with "http://", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.
CVE-2020-7592 1 Siemens 9 Simatic Hmi Basic Panels 1st Generation, Simatic Hmi Basic Panels 2nd Generation, Simatic Hmi Comfort Panels and 6 more 2020-07-22 3.3 LOW 6.5 MEDIUM
A vulnerability has been identified in SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI KTP700F Mobile Arctic (All versions), SIMATIC HMI Mobile Panels 2nd Generation (All versions), SIMATIC WinCC Runtime Advanced (All versions). Unencrypted communication between the configuration software and the respective device could allow an attacker to capture potential plain text communication and have access to sensitive information.
CVE-2020-12048 1 Baxter 2 Phoenix X36, Phoenix X36 Firmware 2020-07-16 5.0 MEDIUM 7.5 HIGH
Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.
CVE-2020-14171 1 Atlassian 1 Bitbucket 2020-07-15 5.8 MEDIUM 6.5 MEDIUM
Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
CVE-2020-12037 1 Baxter 4 Prismaflex, Prismaflex Firmware, Prismax and 1 more 2020-07-14 5.0 MEDIUM 7.5 HIGH
Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device.
CVE-2020-12036 1 Baxter 4 Prismaflex, Prismaflex Firmware, Prismax and 1 more 2020-07-14 5.0 MEDIUM 7.5 HIGH
Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device.
CVE-2020-12040 1 Baxter 2 Sigma Spectrum Infusion System, Sigma Spectrum Infusion System Firmware 2020-07-09 5.0 MEDIUM 9.8 CRITICAL
Sigma Spectrum Infusion System v's6.x (model 35700BAX) and Baxter Spectrum Infusion System Version(s) 8.x (model 35700BAX2) at the application layer uses an unauthenticated clear-text communication channel to send and receive system status and operational data. This could allow an attacker that has circumvented network security measures to view sensitive non-private data or to perform a man-in-the-middle attack.
CVE-2020-2210 1 Jenkins 1 Stash Branch Parameter 2020-07-08 4.3 MEDIUM 4.3 MEDIUM
Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
CVE-2020-12008 1 Baxter 4 Em1200, Em1200 Firmware, Em2400 and 1 more 2020-07-08 5.0 MEDIUM 7.5 HIGH
Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems use cleartext messages to communicate order information with an order entry system. This could allow an attacker with network access to view sensitive data including PHI.
CVE-2020-10628 1 Honeywell 4 Controledge Plc, Controledge Plc Firmware, Controledge Rtu and 1 more 2020-07-07 5.0 MEDIUM 7.5 HIGH
ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R140, R150, and R151) exposes unencrypted passwords on the network.
CVE-2020-10624 1 Honeywell 4 Controledge Plc, Controledge Plc Firmware, Controledge Rtu and 1 more 2020-07-07 5.0 MEDIUM 7.5 HIGH
ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R140, R150, and R151) exposes a session token on the network.
CVE-2020-5594 1 Mitsubishielectric 10 Melsec-fx, Melsec-fx Firmware, Melsec-l and 7 more 2020-07-01 7.5 HIGH 9.8 CRITICAL
Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules all versions contain a vulnerability that allows cleartext transmission of sensitive information between CPU modules and GX Works3 and/or GX Works2 via unspecified vectors.
CVE-2020-2013 1 Paloaltonetworks 1 Pan-os 2020-05-18 6.8 MEDIUM 8.8 HIGH
A cleartext transmission of sensitive information vulnerability in Palo Alto Networks PAN-OS Panorama that discloses an authenticated PAN-OS administrator's PAN-OS session cookie. When an administrator issues a context switch request into a managed firewall with an affected PAN-OS Panorama version, their PAN-OS session cookie is transmitted over cleartext to the firewall. An attacker with the ability to intercept this network traffic between the firewall and Panorama can access the administrator's account and further manipulate devices managed by Panorama. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; PAN-OS 9.1 versions earlier than 9.1.1; All version of PAN-OS 8.0;
CVE-2020-4092 1 Hcltech 1 Hcl Nomad 2020-05-12 5.0 MEDIUM 5.3 MEDIUM
"If port encryption is not enabled on the Domino Server, HCL Nomad on Android and iOS Platforms will communicate in clear text and does not currently have a user interface option to change the setting to request an encrypted communication channel with the Domino server. This can potentially expose sensitive information including but not limited to server names, user IDs and document content."
CVE-2011-3022 1 Google 1 Chrome 2020-04-16 5.0 MEDIUM N/A
translate/translate_manager.cc in Google Chrome before 17.0.963.56 and 19.x before 19.0.1036.7 uses an HTTP session to exchange data for translation, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2020-6997 1 Moxa 4 Eds-510e, Eds-510e Firmware, Eds-g516e and 1 more 2020-03-26 5.0 MEDIUM 7.5 HIGH
In Moxa EDS-G516E Series firmware, Version 5.2 or lower, sensitive information is transmitted over some web applications in cleartext.