Total
456 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-16041 | 1 Ikst Project | 1 Ikst | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks. | |||||
CVE-2017-12716 | 1 Abbott | 8 Accent, Accent Firmware, Accent Mri and 5 more | 2019-10-09 | 3.3 LOW | 6.5 MEDIUM |
Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption. CVSS v3 base score: 3.1, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. Abbott has developed a firmware update to help mitigate the identified vulnerabilities. | |||||
CVE-2017-14009 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password. | |||||
CVE-2017-12310 | 1 Cisco | 1 Spark Hybrid Calendar Service | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability in the auto discovery phase of Cisco Spark Hybrid Calendar Service could allow an unauthenticated, remote attacker to view sensitive information in the unencrypted headers of an HTTP method request. The attacker could use this information to conduct additional reconnaissance attacks leading to the disclosure of sensitive customer data. The vulnerability exists in the auto discovery phase because an unencrypted HTTP request is made due to requirements for implementing the Hybrid Calendar service. An attacker could exploit this vulnerability by monitoring the unencrypted traffic on the network. An exploit could allow the attacker to access sensitive customer data belonging to Office365 users, such as email and calendar events. Cisco Bug IDs: CSCvg35593. | |||||
CVE-2017-0925 | 2 Debian, Gitlab | 2 Debian Linux, Gitlab | 2019-10-09 | 4.0 MEDIUM | 7.2 HIGH |
Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password. | |||||
CVE-2019-0231 | 1 Apache | 1 Mina | 2019-10-08 | 5.0 MEDIUM | 7.5 HIGH |
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA. | |||||
CVE-2019-16924 | 1 Nuvending | 1 Nulock | 2019-10-04 | 3.3 LOW | 8.8 HIGH |
The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock. | |||||
CVE-2018-11050 | 1 Dell | 1 Emc Networker | 2019-10-02 | 3.3 LOW | 8.8 HIGH |
Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and the version 18.1.0.1 contain a Clear-Text authentication over network vulnerability in the Rabbit MQ Advanced Message Queuing Protocol (AMQP) component. User credentials are sent unencrypted to the remote AMQP service. An unauthenticated attacker in the same network collision domain, could potentially sniff the password from the network and use it to access the component using the privileges of the compromised user. | |||||
CVE-2017-8851 | 1 Oneplus | 3 Oneplus One, Oneplus X, Oxygenos | 2019-10-02 | 4.3 MEDIUM | 5.9 MEDIUM |
An issue was discovered on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact that both products share the same 'ro.build.product' system property, attackers can install OTAs of one product over the other, even on locked bootloaders. That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to expansion of the attack surface. Moreover, the vulnerability may result in having the device unusable until a Factory Reset is performed. This vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, physical attackers can reboot the phone into recovery, and then use 'adb sideload' to push the OTA. | |||||
CVE-2017-8850 | 1 Oneplus | 6 Oneplus 2, Oneplus 3, Oneplus 3t and 3 more | 2019-10-02 | 4.3 MEDIUM | 5.9 MEDIUM |
An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due to a lenient updater-script in the OnePlus OTA images, and the fact that both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders, which allows for exploitation of vulnerabilities patched on one image but not on the other, in addition to expansion of the attack surface. This vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, physical attackers can reboot the phone into recovery, and then use 'adb sideload' to push the OTA (on OnePlus 3/3T 'Secure Start-up' must be off). | |||||
CVE-2017-8154 | 1 Huawei | 2 Honor 8 Lite, Honor 8 Lite Firmware | 2019-10-02 | 2.6 LOW | 5.3 MEDIUM |
The Themes App Honor 8 Lite Huawei mobile phones with software of versions before Prague-L31C576B172, versions before Prague-L31C530B160, versions before Prague-L31C432B180 has a man-in-the-middle (MITM) vulnerability due to the use of the insecure HTTP protocol for theme download. An attacker may exploit this vulnerability to tamper with downloaded themes. | |||||
CVE-2017-7147 | 1 Apple | 2 Apple Support, Iphone Os | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in certain Apple products. The Apple Support app before 1.2 for iOS is affected. The issue involves the "Analytics" component. It allows remote attackers to obtain sensitive analytics information by leveraging its presence in a cleartext HTTP transmission to an Adobe Marketing Cloud server operated for Apple, as demonstrated by information about the installation date and time. | |||||
CVE-2017-7143 | 1 Apple | 1 Mac Os X | 2019-10-02 | 2.1 LOW | 5.5 MEDIUM |
An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Captive Network Assistant" component. It allows remote attackers to discover cleartext passwords in opportunistic circumstances by sniffing the network during use of the captive portal browser, which has a UI error that can lead to cleartext transmission without the user's awareness. | |||||
CVE-2017-7133 | 1 Apple | 1 Iphone Os | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "MobileBackup" component. It allows remote attackers to obtain sensitive cleartext information in opportunistic circumstances by leveraging read access to a backup archive that was supposed to have been encrypted. | |||||
CVE-2017-7078 | 1 Apple | 2 Iphone Os, Mac Os X | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. The issue involves the "Mail Drafts" component. It allows remote attackers to obtain sensitive information by reading unintended cleartext transmissions. | |||||
CVE-2017-6665 | 1 Cisco | 2 Ios, Ios Xe | 2019-10-02 | 3.3 LOW | 6.5 MEDIUM |
A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to reset the Autonomic Control Plane (ACP) of an affected system and view ACP packets that are transferred in clear text within an affected system, an Information Disclosure Vulnerability. More Information: CSCvd51214. Known Affected Releases: Denali-16.2.1 Denali-16.3.1. | |||||
CVE-2017-6432 | 1 Dahuasecurity | 2 Dhi-hcvr7216a-s3, Nvr Firmware | 2019-10-02 | 9.3 HIGH | 8.1 HIGH |
An issue was discovered on Dahua DHI-HCVR7216A-S3 3.210.0001.10 build 2016-06-06 devices. The Dahua DVR Protocol, which operates on TCP Port 37777, is an unencrypted, binary protocol. Performing a Man-in-the-Middle attack allows both sniffing and injections of packets, which allows creation of fully privileged new users, in addition to capture of sensitive information. | |||||
CVE-2017-6410 | 1 Kde | 2 Kdelibs, Kio | 2019-10-02 | 4.3 MEDIUM | 5.5 MEDIUM |
kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file. | |||||
CVE-2017-6370 | 1 Typo3 | 1 Typo3 | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields. | |||||
CVE-2017-6341 | 1 Dahuasecurity | 4 Camera Firmware, Dhi-hcvr7216a-s3, Nvr Firmware and 1 more | 2019-10-02 | 4.3 MEDIUM | 5.9 MEDIUM |
Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19 send cleartext passwords in response to requests from the Web Page, Mobile Application, and Desktop Application interfaces, which allows remote attackers to obtain sensitive information by sniffing the network, a different vulnerability than CVE-2013-6117. |