Total
456 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-15911 | 1 Asus | 14 As-101, As-101 Firmware, Dl-101 and 11 more | 2020-01-09 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Because of insecure key transport in ZigBee communication, attackers can obtain sensitive information, cause the multiple denial of service attacks, take over smart home devices, and tamper with messages. | |||||
CVE-2019-19967 | 1 Upc | 2 Connect Box Eurodocsis, Connect Box Eurodocsis Firmware | 2020-01-08 | 5.0 MEDIUM | 7.5 HIGH |
The Administration page on Connect Box EuroDOCSIS 3.0 Voice Gateway CH7465LG-NCIP-6.12.18.25-2p6-NOSH devices accepts a cleartext password in a POST request on port 80, as demonstrated by the Password field to the xml/setter.xml URI. | |||||
CVE-2019-4743 | 1 Ibm | 1 Financial Transaction Manager For Multiplatform | 2019-12-22 | 4.3 MEDIUM | 4.3 MEDIUM |
IBM Financial Transaction Manager 3.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 172880. | |||||
CVE-2019-16568 | 1 Jenkins | 1 Sctmexecutor | 2019-12-18 | 5.0 MEDIUM | 5.3 MEDIUM |
Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations. | |||||
CVE-2012-5562 | 1 Redhat | 1 Satellite | 2019-12-13 | 3.3 LOW | 6.5 MEDIUM |
rhn-proxy: may transmit credentials over clear-text when accessing RHN Satellite | |||||
CVE-2012-1257 | 1 Pidgin | 1 Pidgin | 2019-11-21 | 2.1 LOW | 5.5 MEDIUM |
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor. | |||||
CVE-2010-4177 | 2 Fedoraproject, Oracle | 2 Fedora, Mysql-gui-tools | 2019-11-15 | 2.1 LOW | 5.5 MEDIUM |
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes. | |||||
CVE-2019-12967 | 1 Themooltipass | 1 Moolticute | 2019-10-24 | 4.3 MEDIUM | 6.5 MEDIUM |
Stephan Mooltipass Moolticute through 0.42.1 (and possibly earlier versions) has Incorrect Access Control. | |||||
CVE-2019-9532 | 1 Cobham | 2 Explorer 710, Explorer 710 Firmware | 2019-10-17 | 2.1 LOW | 7.8 HIGH |
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, sends the login password in cleartext. This could allow an unauthenticated, local attacker to intercept the password and gain access to the portal. | |||||
CVE-2018-8842 | 1 Philips | 1 E-alert Firmware | 2019-10-09 | 3.3 LOW | 8.8 HIGH |
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The Philips e-Alert communication channel is not encrypted which could therefore lead to disclosure of personal contact information and application login credentials from within the same subnet. | |||||
CVE-2018-8855 | 1 Echelon | 8 I.lon 100, I.lon 100 Firmware, I.lon 600 and 5 more | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP. | |||||
CVE-2018-5471 | 1 Belden | 134 Hirschmann M1-8mm-sc, Hirschmann M1-8sfp, Hirschmann M1-8sm-sc and 131 more | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
A Cleartext Transmission of Sensitive Information issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. A cleartext transmission of sensitive information vulnerability in the web interface has been identified, which may allow an attacker to obtain sensitive information through a successful man-in-the-middle attack. | |||||
CVE-2018-5401 | 2 Arm, Auto-maskin | 6 Arm7, Dcu 210e, Dcu 210e Firmware and 3 more | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The devices transmit process control information via unencrypted Modbus communications. Impact: An attacker can exploit this vulnerability to observe information about configurations, settings, what sensors are present and in use, and other information to aid in crafting spoofed messages. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7. | |||||
CVE-2018-1600 | 1 Ibm | 1 Bigfix Platform | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
IBM BigFix Platform 9.2 and 9.5 transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors. IBM X-Force ID: 143745. | |||||
CVE-2018-10634 | 1 Medtronic | 18 Minimed 530g Mmt-551, Minimed 530g Mmt-551 Firmware, Minimed 530g Mmt-751 and 15 more | 2019-10-09 | 2.9 LOW | 5.3 MEDIUM |
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G communications between the pump and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers. | |||||
CVE-2018-0281 | 1 Cisco | 1 Firepower Management Center | 2019-10-09 | 5.0 MEDIUM | 5.8 MEDIUM |
A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to restart an instance of the Snort detection engine on an affected device, resulting in a brief denial of service (DoS) condition. The vulnerability is due to the incorrect handling of a Transport Layer Security (TLS) extension during TLS connection setup for the affected software. An attacker could exploit this vulnerability by sending a crafted TLS connection setup request to an affected device. A successful exploit could allow the attacker to cause the Snort detection engine on the affected device to restart, resulting in a DoS condition. Cisco Bug IDs: CSCvg97808. | |||||
CVE-2018-0283 | 1 Cisco | 1 Firepower Management Center | 2019-10-09 | 5.0 MEDIUM | 5.8 MEDIUM |
A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to restart an instance of the Snort detection engine on an affected device, resulting in a brief denial of service (DoS) condition. The vulnerability is due to the incorrect handling of Transport Layer Security (TLS) TCP connection setup for the affected software. An attacker could exploit this vulnerability by sending crafted TLS traffic to an affected device. A successful exploit could allow the attacker to cause the Snort detection engine on the affected device to restart, resulting in a DoS condition. Cisco Bug IDs: CSCvg99327. | |||||
CVE-2017-5259 | 1 Cambiumnetworks | 10 Cnpilot E400, Cnpilot E400 Firmware, Cnpilot E410 and 7 more | 2019-10-09 | 9.0 HIGH | 8.8 HIGH |
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://<device-ip-or-hostname>/adm/syscmd.asp. | |||||
CVE-2017-16035 | 1 Hubspot | 1 Hubl-server | 2019-10-09 | 9.3 HIGH | 8.1 HIGH |
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation. | |||||
CVE-2017-16040 | 1 Gfe-sass Project | 1 Gfe-sass | 2019-10-09 | 9.3 HIGH | 8.1 HIGH |
gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server. |